http proxy blocks Linux update (apt-get update)

Hello Forum,
Now that the WatchGuard T35-W has been online in my network for a few days, several Linux servers are having problems retrieving their updates.

The affected servers get their IP via the Firebox DHCP server; gateway, routing and basic internet access work. I use my own BIND DNS server as DNS forwarder, which is also listed in the DHCP options for the clients.

I suspect the HTTP proxy. After some internet research I have the IP address and the sources listed in /etc/apt/sources.list, and I deactivated the WebBlocker and the APT blocker as a test, unfortunately without success.

I tested DNS name resolution; it can't be that.

I am currently working with the Firebox web interface, and with the Dimension appliance for the logs.

I remember that in the past you could deactivate the HTTP proxy completely by logging in, however.

Hence my questions: the HTTP proxy log in Dimension is not really informative. Where can I inspect the HTTP proxy log?

Is there a way to disable the HTTP and HTTPS proxy for an IP or IP range?

Thank you for your feedback.

reredok

Answers

  • edited August 2019

    You see no Deny or Proxy Strip log messages in Traffic Monitor or the Dimension logs from those IP addresses related to HTTP or HTTPS?
    If you do, please post some examples.

    You can select the "Override the diagnostic log level" on the HTTP proxy General tab. Set it to Information or higher for details of the HTTP proxy session.

    The default HTTP proxy will block Header fields which are not in the list of Headers, and will block Windows .exe and .dll files in Body Content Types, but nothing else.

  • I recommend installing WSM (http://cdn.watchguard.com/SoftwareCenter/Files/WSM/12_5/wsm_12_5.exe), then using Firebox System Manager's Traffic Monitor tab to watch traffic as you try to update a server. You can use the web UI, but the traffic monitor in FSM is clearer and larger on-screen than the one in the web UI. Now watch traffic from that server's IP for anything denied or stripped. The proxies enforce the protocols, so just because it's port 80 or 443 doesn't mean all traffic can go over those ports. I see many sites fail due to "ProxyDeny: HTTP Invalid Request-Line format" errors.

    There is at least one deny that bit me on Dell's HTTP web site that was a SILENT deny, meaning it was not logged, so if you don't see any denies, there MAY be something denied silently.

    Gregg

    Gregg Hill

  • Example from the Nextcloud server with IP 192.168.2.254:

    ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy-00, protocol=http/tcp, src_ip=192.168.2.254, src_port=47156, dst_ip=91.189.88.24, dst_port=80, src_intf=1-Trusted, dst_intf=0-External, rc=525, proxy_act=Default-HTTP-Client, rcvd_bytes=0, sent_bytes=215, elapsed_time=30.021001 sec(s); op=GET, dstname=archive.ubuntu.com, arg=/ubuntu/dists/disco-backports/InRelease, 1AFF-0024

    Looks pretty good, doesn't it? But the update hangs and doesn't run any further.

    @Greggmh123: Don't I need a license key for the management server? Can you describe this in more detail, with the policy "UnrestrictedAccess.Out"?

  • I think I got it:
    the idea from Greggmh123 and https://watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/explicit_proxy/explicit_proxy_http_c.html helped.

    The proxy runs on port 3128, which I announce to Linux:
    export http_proxy="http://192.168.2.1:3128"
    # the proxy itself speaks plain HTTP, so the scheme is http:// for HTTPS targets as well
    export https_proxy="http://192.168.2.1:3128"
    export ftp_proxy="http://192.168.2.1:3128"

    There I explicitly entered the URL used by Ubuntu for the update. I still don't know why this doesn't work in the default proxy client rule; I entered it there as well, but it works in the explicit web proxy rule.

    WatchGuard is quite complex, and every beginning is hard.

    So many thanks to all of you.
    Best regards.
    reredok

  • @reredok said:
    Example from the Nextcloud server with IP 192.168.2.254:

    ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy-00, protocol=http/tcp, src_ip=192.168.2.254, src_port=47156, dst_ip=91.189.88.24, dst_port=80, src_intf=1-Trusted, dst_intf=0-External, rc=525, proxy_act=Default-HTTP-Client, rcvd_bytes=0, sent_bytes=215, elapsed_time=30.021001 sec(s); op=GET, dstname=archive.ubuntu.com, arg=/ubuntu/dists/disco-backports/InRelease, 1AFF-0024

    Looks pretty good, doesn't it? But the update hangs and doesn't run any further.

    @Greggmh123: Don't I need a license key for the management server? Can you describe this in more detail, with the policy "UnrestrictedAccess.Out"?

    I am not talking about the Management Server. I am talking about the WSM suite of programs to which I gave you the link, and its Client Software section with WatchGuard System Manager, which includes Firebox System Manager, Policy Manager, and other programs. I created shortcuts directly to FSM and PM, which are what I use daily, so that I don't have to open WatchGuard System Manager and then open them.

    Gregg

    Gregg Hill

  • @reredok said:
    I think I got it:
    the idea from Greggmh123 and https://watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/explicit_proxy/explicit_proxy_http_c.html helped.

    The proxy runs on port 3128, which I announce to Linux:
    export http_proxy="http://192.168.2.1:3128"
    # the proxy itself speaks plain HTTP, so the scheme is http:// for HTTPS targets as well
    export https_proxy="http://192.168.2.1:3128"
    export ftp_proxy="http://192.168.2.1:3128"

    There I explicitly entered the URL used by Ubuntu for the update. I still don't know why this doesn't work in the default proxy client rule; I entered it there as well, but it works in the explicit web proxy rule.

    WatchGuard is quite complex, and every beginning is hard.

    So many thanks to all of you.
    Best regards.
    reredok

    It doesn't look like your archive.ubuntu.com traffic is on port 80, or is port 3128 something you changed?

    You showed an Allow log for http://archive.ubuntu.com/ubuntu/dists/disco-backports/InRelease page. What lines come before and after that one in FSM traffic monitor?

    For my "UnrestrictedAccess" packet filter, my From field has the IP addresses of a few internal devices that I don't want to restrict, plus it has a "bypassall" user name, so that if I ever need to get out unrestricted, I can just log into the authentication page (https://firebox-ip-or-fqdn:4100) and get out. The To field goes to Any...any IP, any protocol. I log its traffic so that I can tell what is needed when something is being blocked and I don't see its Deny anywhere.

    I don't use Explicit Proxy anywhere in my configs. IF your http://archive.ubuntu.com/ubuntu/dists/disco-backports/InRelease page uses standard HTTP protocol, then you should be able to use an HTTP exception in that proxy and have the site work. My guess is that the downloads are choking on the .GZ files, and an HTTP exception should work. Or, use my initial suggestion of the packet filter From the IP(s) of the Ubuntu server(s) going To the IP or FQDN (better method) of the download site, or to anywhere...your choice. If you want a targeted Any packet filter just for the Ubuntu server, your From field would be 192.168.2.254 and To would be archive.ubuntu.com, with Any protocol.

    Gregg

    Gregg Hill

  • "Watchguard is quite complex and every beginning is hard."

    Yes, indeed, but once you get used to it, you'll love it. I suggest using Policy Manager for your configs. To me, the web UI is a pain in the rear.

    Gregg

    Gregg Hill

  • Yes, the web interface is quite strange; the Policy Manager really is better, as I also found out.

    Looking into firewalls has always been a long road in my IT life. From Sophos and Lancom to Securepoint, pfSense, OPNsense and WatchGuard, each one is its own thing.

    Sorry for mixing up a few terms and applications. I'm working on it. But I need to get going with WatchGuard quickly for professional reasons.
