Re: Inter-Squid firewalling

From: Michael Hasenstein <[email protected]>
Date: Mon, 2 Jun 1997 20:33:44 +0200 (MET DST)

(I'm not on the list, so CC: replies to me, if there're any)

I had the same problem, and I introduced a new directive
'behind_firewall'. which is only useful when the default is that squid can
reach all hosts directly,i.e. inside_firewall is not set. (If it's set we
don't have any problems since squid doesn't skip the hierarchy in that
case).

For all domains listed behind 'behind_firewall' all objects are always
fetched from a parent. (Default squid behaviour, when there's no
behind_firewall directive, is to fetch certain objects ("Pragma:
no-cache", cgi's,...) directly.
Background is, inside_firewall is used to instruct squid that _we_ are
behind a firewall, behind_firewall is used to tell squid that the _remote
site_ is behind a firewall, as is often the case in large Intranets
(that's our setup, squid is directly connected to the internet, but some
sites on the intranet can only be reached via internal firewalls).

I wrote the patch (see below) because nobody answered a question I asked
here some weeks ago.

I hope it's appropriate to post the entire 2k-patch here? (Too late now
anyway...)

################## patch start #########################
diff -ur squid-1.1.10.orig/src/cache_cf.c squid-1.1.10/src/cache_cf.c
--- squid-1.1.10.orig/src/cache_cf.c Wed Apr 23 21:38:36 1997
+++ squid-1.1.10/src/cache_cf.c Wed May 14 11:58:31 1997
@@ -1322,6 +1322,9 @@
         else if (!strcmp(token, "inside_firewall"))
             parseWordlist(&Config.inside_firewall_list);
 
+ else if (!strcmp(token, "behind_firewall"))
+ parseWordlist(&Config.behind_firewall_list);
+
         else if (!strcmp(token, "dns_testnames"))
             parseWordlist(&Config.dns_testname_list);
 
@@ -1506,6 +1509,7 @@
     wordlistDestroy(&Config.local_domain_list);
     wordlistDestroy(&Config.mcast_group_list);
     wordlistDestroy(&Config.inside_firewall_list);
+ wordlistDestroy(&Config.behind_firewall_list);
     wordlistDestroy(&Config.dns_testname_list);
     wordlistDestroy(&Config.cache_stoplist);
     ip_acl_destroy(&Config.local_ip_list);
diff -ur squid-1.1.10.orig/src/cache_cf.h squid-1.1.10/src/cache_cf.h
--- squid-1.1.10.orig/src/cache_cf.h Fri Mar 28 21:28:12 1997
+++ squid-1.1.10/src/cache_cf.h Wed May 14 11:56:41 1997
@@ -240,6 +240,7 @@
     wordlist *local_domain_list;
     wordlist *mcast_group_list;
     wordlist *inside_firewall_list;
+ wordlist *behind_firewall_list;
     wordlist *dns_testname_list;
     relist *cache_stop_relist;
     ip_acl *local_ip_list;
diff -ur squid-1.1.10.orig/src/proto.c squid-1.1.10/src/proto.c
--- squid-1.1.10.orig/src/proto.c Thu Apr 24 21:14:03 1997
+++ squid-1.1.10/src/proto.c Wed May 14 12:08:40 1997
@@ -607,9 +607,22 @@
 matchInsideFirewall(const char *host)
 {
     const wordlist *s = Config.inside_firewall_list;
+ const wordlist *t = Config.behind_firewall_list;
     const char *key = NULL;
     int result = NO_FIREWALL;
     struct in_addr addr;
+ if (t) {
+ for (; t; t = t->next) {
+ key = t->key;
+ result = OUTSIDE_FIREWALL;
+ if (*key == '!') {
+ key++;
+ result = INSIDE_FIREWALL;
+ }
+ if (matchDomainName(key, host))
+ return result;
+ }
+ }
     if (!s && !Config.firewall_ip_list)
         /* no firewall goop, all hosts are "inside" the firewall */
         return NO_FIREWALL;

--
*******************************************************************
email: Michael.Hasenstein@informatik.tu-chemnitz.de (MIME welcome)
homepage: http://www.tu-chemnitz.de/~mha/
my private pc: benjy.csn.tu-chemnitz.de (Linux!!) or 134.109.96.69
*******************************************************************
Received on Mon Jun 02 1997 - 11:34:38 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:21 MST