Customize Squid Network Warnings On PCLinuxOS
by AndrzejL
I downloaded and configured Squid using PCLinuxOS Control Center.
All was well and everything was working just fine. However, I was receiving silly netmask warnings and some security notifications, such as those listed below:
[root@icsserver andrzejl]# service squid restart
Stopping squid: 2012/01/14 19:31:49| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
2012/01/14 19:31:49| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
2012/01/14 19:31:49| WARNING: For now we will assume you meant to write /24
2012/01/14 19:31:49| aclIpParseIpData: WARNING: Netmask masks away part of the specified IP in '192.168.0.1/255.255.255.0'
2012/01/14 19:31:49| ERROR: '0.0.0.0/0.0.0.0' needs to be replaced by the term 'all'.
2012/01/14 19:31:49| SECURITY NOTICE: Overriding config setting. Using 'all' instead.
2012/01/14 19:31:49| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2012/01/14 19:31:49| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2012/01/14 19:31:49| WARNING: You should probably remove '::/0' from the ACL named 'all'
2012/01/14 19:31:49| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
2012/01/14 19:31:49| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
2012/01/14 19:31:49| WARNING: For now we will assume you meant to write /32
…. [ OK ]
init_cache_dir … Starting squid: . [ OK ]
[root@icsserver andrzejl]#
Squid worked as expected but the annoying warnings would not let me forget about the whole thing. So I have decided to investigate.
As it turns out, those are the errors that occur when you use Squid 3 with a Squid 2 config file. PCLinuxOS has Squid 3 in the repos.
[andrzejl@icsserver ~]$ rpm -qa | grep squid
squid-3.1.16-1pclos2011
[andrzejl@icsserver ~]$
But, the beginning of its config file says:
# WELCOME TO SQUID 2
This calls for a few changes in the squid config file, which in PCLinuxOS can be found here:
/etc/squid/squid.conf
First we have to find out what CIDR (Classless Inter-Domain Routing) notation is. With this knowledge we can start editing the Squid config file as root.
This line:
acl mynetwork src 192.168.0.1/255.255.255.0
was changed to:
acl mynetwork src 192.168.0.0/24
and the number of warnings was reduced significantly:
[root@icsserver andrzejl]# service squid restart
Stopping squid: 2012/01/14 19:36:11| ERROR: '0.0.0.0/0.0.0.0' needs to be replaced by the term 'all'.
2012/01/14 19:36:11| SECURITY NOTICE: Overriding config setting. Using 'all' instead.
2012/01/14 19:36:11| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2012/01/14 19:36:11| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2012/01/14 19:36:11| WARNING: You should probably remove '::/0' from the ACL named 'all'
2012/01/14 19:36:11| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
2012/01/14 19:36:11| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
2012/01/14 19:36:11| WARNING: For now we will assume you meant to write /32
…. [ OK ]
init_cache_dir … Starting squid: . [ OK ]
[root@icsserver andrzejl]#
Next I removed this line:
acl all src 0.0.0.0/0.0.0.0
which is built into Squid anyway.
This reduced the warning messages even more:
[root@icsserver andrzejl]# service squid restart
Stopping squid: 2012/01/14 19:39:14| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
2012/01/14 19:39:14| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
2012/01/14 19:39:14| WARNING: For now we will assume you meant to write /32
…. [ OK ]
init_cache_dir … Starting squid: . [ OK ]
[root@icsserver andrzejl]#
The final step was to edit this line:
acl localhost src 127.0.0.1/255.255.255.255
to read:
acl localhost src 127.0.0.1/32
After editing the config file, Squid is running without any warnings and everything is “peachy.”
[root@icsserver andrzejl]# service squid restart
Stopping squid: …. [ OK ]
init_cache_dir … Starting squid: . [ OK ]
[root@icsserver andrzejl]#
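Added example (not part of the original article and not Squid's own code): a short Python script that applies the same three edits to a Squid 2 style config and reports where a netmask quietly widens a single address into a whole network. The function names and the embedded sample lines are constructed for illustration.

```python
import ipaddress

# Constructed sample: the three Squid 2 style lines discussed in the article.
SAMPLE = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl mynetwork src 192.168.0.1/255.255.255.0
http_access allow mynetwork
"""

def to_cidr(token):
    """Return (cidr, host_bits_dropped) for ADDR/NETMASK, else None."""
    addr, sep, mask = token.partition("/")
    if not sep or "." not in mask:
        return None  # already CIDR, or a bare address
    try:
        # strict=False zeroes the host bits, the same "masks away part of
        # the specified IP" behaviour that Squid warns about.
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None  # ranges or malformed values are left untouched
    return str(net), str(net.network_address) != addr

def modernize(conf_text):
    """Rewrite netmask-style 'acl NAME src' lines; return (new_text, notes)."""
    out, notes = [], []
    for n, line in enumerate(conf_text.splitlines(), 1):
        f = line.split()
        if len(f) < 4 or f[0] != "acl" or f[2] != "src":
            out.append(line)
            continue
        if f[1] == "all" and f[3] in ("0.0.0.0/0.0.0.0", "0.0.0.0/0"):
            # 'all' is built into Squid 3; redefining it triggers the
            # SECURITY NOTICE shown in the restart output.
            notes.append(f"line {n}: removed redundant 'acl all'")
            continue
        for i, tok in enumerate(f[3:], 3):
            conv = to_cidr(tok)
            if conv is None:
                continue
            f[i], dropped = conv
            if dropped:
                notes.append(f"line {n}: {tok} matches all of {f[i]}, not one host")
        out.append(" ".join(f))
    return "\n".join(out) + "\n", notes

if __name__ == "__main__":
    text, notes = modernize(SAMPLE)
    print(text + "\n".join(notes))
```

The note for the mynetwork line is the part worth reading before restarting Squid: an ACL written as 192.168.0.1/255.255.255.0 already admitted the entire 192.168.0.0/24 range, so the CIDR form changes the spelling, not the access it grants.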
My config file contains a few extra modifications. Please use it if you feel like it, after editing it to reflect your network settings.