[noCensorship] Re: Unknown acl notation Error

  • From: wayne <wayne@xxxxxxxxxxxxx>
  • To: nocensorship@xxxxxxxxxxxxx, proxytools-users@xxxxxx
  • Date: 14 Apr 2003 20:27:46 -0000

> From: "Madani AL" <madani55sa@xxxxxxxxxxx>
> To: nocensorship@xxxxxxxxxxxxx
> Subject: [noCensorship] Re: Unknown acl notation Error
> 
> > >
> Hi Wayne
> 
> This is what I got when I went back to my configuration file. I hope it 
> clears things up.
> 
> > > Whenever I try to run LP from the customized config file in which I 
> >added my own proxies (config-_sbm.xml). I get the following:
> > >
> > > Sorting hosts (uses DNS, please connect)...
> > >
> > > Unknown acl notation: KSA-sbm
> > >
> > > Unknown acl notation: KSA-sbm
> > >
> > > Unknown acl notation: KSA-sbm
> >
> >There is probably, somewhere, a tag called
> >'onlyAllowsTcpAccessFrom', with a value containing 'KSA-sbm'.
> >That means it was put there by mergeHosts.
> 
> YES, It is in my config file (config-_sbm.xml )

Better remove it. It will never be removed by mergeHosts.

> >Not in my hosts.xml, or firewalls.xml, so it must be in
> >your config-_sbm.xml (or hosts if you've modified it with
> >mergeHosts maybe)
> >
> >Some time ago, when you used mergeHosts, did you see this error
> >message?
> > >Warning: firewalls.xml access control data (xxxx) incorrectly
> > >says this location has no access to xxxx. Tell wayne please.
> > >Adding 'onlyAllowsTcpAccessFrom' tag for KSA-sbm
> >
> >I'm guessing you did.
> True: this proxy (212.93.197.230:80) was the case

Heh, and you didn't 'Tell wayne' :-)
Tsk, tsk.

According to whois, this proxy is in Awalnet. 
Please confirm if it is accessible from SBM as well. I guess it is.
If it is, I'll change the (new - see below) Awalnet tag:
    <item key="onlyAllowsTcpAccessFrom">212.93.192.0/18, 
    213.184.160.0/19</item>

to:
    <item key="onlyAllowsTcpAccessFrom">212.93.192.0/18, 
    213.184.160.0/19, 212.46.32.0/18</item>
    
and the 'otherAccessibleSubnets' tag for KSA-sbm.

Also, it pointed out a wider range in Awalnet to me: 
212.93.192.0/18, instead of the 212.93.192.0/20 I had before.
I don't think I just missed this - I think it's 'new' ('new' being 
anything less than 2 years, or so. :-(

> <item key="onlyAllowsTcpAccessFrom">212.93.192.0/20, 213.184.160.0/19, 
> KSA-sbm</item>
> 
> <item key="comment">via:1.0 cache2.ruh, 1.0 NetCache6100 (NetCache 
> NetApp/5.3.1R2), 1.0 SALEHIYA_PROXY agent:BlueCoat-Security-Appliance 
> connBack:212.138.47.20 </item>

Note the connection back was from 212.138.47.20. My test got a 
connBack from 212.138.47.17. These two are part of the proxy array 
used by Awalnet, and may be usable by you directly as proxies.
In the UAE, for example, these proxy array components are not 
advertized, but are usable.
You need to test these on the standard ports (and maybe others) to 
find out which port they are listening on to make use of them.
If you do, please let me know - I can't do it because they are 
firewalled off from the rest of the net.

> >In that case, you have a proxy in your own config which I thought
> >was not accessible from your location. Could you please let me know
> >your IP address (xxx.xxx.xxx.0/24 is ok) and the /24 of the
> >proxy(ies)? Or find that tag, and see why mergeHosts thought the
> >corresponding proxy was not accessible from your computer at the
> >time - then let me know what subnet(s) need to be added as either
> >'subnetsInside' in firewalls.xml/ KSA-sbm, or as
> >'otherAccessibleSubnets' in the same place.

I must ask if you used Awalnet test results to update your config file to be 
used in sbm. That's bad. I don't think you did though.

> >As well as that, the part of the lp2 code that was supposed to
> >handle this is unfinished :-)
> >I guess I was lazy at the time, and just haven't noticed it since.
> >I've fixed it now, and LP should accept the extra tag.
> >Get a new localProxy2.pl.
> >
> > > In config-_sbm.xml, there is a reference to KSA-sbm in the firewalls.xml 
> >(<item key="useFirewall">KSA-sbm</item>)
> >
> >No other reference?
> >
> > > Looking at the above, LP did not understand the KSA-sbm section in the 
> >firewalls file.
> > >
> > > What is/are the reasons?
> >
> >I don't think that's right. There are two parts to the problem, and
> >the second part is in lp2's interpretation of the tag I mention
> >above. That should be fixed. The initial part was caused by
> >mergeHosts being clever when it had test results indicating you
> >could access a proxy, yet no corresponding subnet info from
> >firewalls which allowed this to be true. It added a tag to indicate
> >that access was allowed (on the basis that, if even one test is
> >successful, you *do* have access).
> >
> > > This explains why none of the SBM proxies in my config file or from the 
> >hosts.xml are picked up by LP.
> >
> >Yes, it does.
> >
> > > Is the subnetInside (212.46.32.0/19) range correct?
> >
> >It looks like it should be /18 now.

This was wrong! Sorry.

> >And if you had positive tests for a proxy in the /18 range but not
> >in the /19 range, (212.46.48.0 - 212.46.63.255) then that would
> >cause the extra tag added above!
> >
> > > Are the (nameServer">212.46.32.33, 212.46.32.65</item>) correct?
> >
> >Dunno - tell me. :-)
> >It's hard for me to know, but I got that info from somewhere.
> >It might be very old.
> 
> I think (not sure) it is 212.46.32.49 since it is the first address that appears 
> whenever tracing is conducted. ???

That doesn't mean it's a name server.
Nameservers usually listen on 53/tcp, so a telnet test to that 
port might show if it's a name server or not.
From outside (using netcat instead of telnet):
$ nc -vvn 212.46.32.49 53
(UNKNOWN) [212.46.32.49] 53 (?) : Connection refused
 sent 0, rcvd 0

If it's a name server, it should respond as one, but it doesn't 
(possible it's firewalled from outside though - you need to test 
yourself):

$ dig @212.46.32.49 www.panix.com

; <<>> DiG 9.2.2 <<>> @212.46.32.49 www.panix.com
;; global options:  printcmd
;; connection timed out; no servers could be reached

You can do that same test with nslookup like this:
nslookup www.panix.com 212.46.32.49
which again (from outside) shows it's not a name server.

If you're using Windows, typing 
ipconfig /all 
should show you the name servers you are using.
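An added example, written by the editor and not part of Wayne's message or the proxytools code: a minimal DNS A-query builder and response parser in Python, plus a UDP probe that does what the dig/nslookup test above does (send one query and see whether the host answers as a name server). The query name www.panix.com is the one used in the thread; the probe uses UDP/53 (the transport dig uses by default) rather than the TCP check Wayne did with netcat; the embedded response and its 192.0.2.10 answer are constructed so the parser can be exercised offline.

```python
import random
import socket
import struct


def build_query(name, qid=None):
    """Encode a standard recursive A query for name (RFC 1035 wire format)."""
    qid = random.randrange(0, 65536) if qid is None else qid
    # flags 0x0100 = RD set; one question, no answer/authority/additional
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def _read_name(msg, off, max_hops=8):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2              # resume after the 2-byte pointer
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_answers(msg, expected_qid=None):
    """Return the A-record addresses in a DNS response, after sanity checks."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_qid is not None and qid != expected_qid:
        raise ValueError("response id does not match query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                    # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                           # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def probe_nameserver(server, name="www.panix.com", timeout=3.0):
    """Send one query to server on UDP/53.

    Returns the answer list if the host behaves as a name server, None on
    timeout (dig's 'no servers could be reached'), and False when something
    answers but not as a name server (port unreachable or a malformed reply).
    """
    qid = random.randrange(0, 65536)
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
        except OSError:
            return False
    try:
        return parse_answers(data, qid)
    except ValueError:
        return False


# Constructed response for offline use: id 0x1234, flags 0x8180 (response,
# RD, RA), the echoed question, and one A record whose name is a compression
# pointer (0xC00C) back to the question name; the address 192.0.2.10 is made up.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + build_query("www.panix.com", 0x1234)[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print("parsed sample answer:", parse_answers(SAMPLE_RESPONSE, 0x1234))
```

To test a candidate such as the one discussed, call `probe_nameserver("212.46.32.49")` from inside the network: `None` corresponds to the timeout dig showed from outside, `False` to a host that is reachable but is not speaking DNS, and a list of addresses to a working resolver.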
Please let me know if there are changes necessary.

> > > BTW you have stated in your reply on my message (Re: LP and ActivePerl 
> >8xx) that SBM subnet extend to 212.46.63.255. Is it true?
> >
> >Yes, AFAIK:
> >$ whois 212.46.63.255
> >
> >inetnum:      212.46.32.0 - 212.46.63.255
> >netname:      SA-SBM-990301
> >descr:        Saudi Business Machines
> >descr:        PROVIDER
> >country:      SA
> >
> >That doesn't prove that all subnets have access to all others, or
> >even that subnets within the range are actually in use. There's
> >no way I can keep track of all that though, so LP must assume
> >they are there and accessible. That's no problem normally.
> >
> This range is accurate: (212.46.32.0/19)

Oh, I see what you are getting at. You think it should not be 
212.46.32.0/18, as I have in firewalls.xml?
You are correct too. 
I screwed up there :-(
I've changed it again in firewalls.xml now.

> It covers all used subnets (i.e. 212.46.38.x), which I never got so far as my 
> IP
> 
> I still have the problem that LP cannot identify SBM proxies

That's (at least) because they are Awalnet proxies, not SBM proxies.
:-)

At least the one you gave as an example is - dunno about others you 
have added. LP doesn't know that they are accessible from SBM.
If they really are, we need to adjust firewalls.xml as mentioned above.

> I used /24 (does not cover all) up to /18, which exceeds the actual range. I 
> even went to /16 but it did not work.
> Q: Is nameServer a must for LP? Or is it able to work without it?

Not usually a problem now. It gets them from firewalls.xml, from 
ipconfig/nslookup, and from your registry.
If it's unable to find any, it will print a message to that effect 
(at debug > 2). If the ones it tries to use are bad, it will print 
'rotating name servers', and 'unable to resolve ...' all the time.
Even in that case, it will still work well - commStrat 2(a) and 2(e) 
will fail all the time, and LP will try something else. Services 
specified in the config as an fqdn would fail completely, 
however (the free news service ccnews.thu.edu.tw, for example).


> Madani

--
wayne@xxxxxxxxxxxxx
http://proxytools.sourceforge.net/