Re: transparent proxy using Cisco?

From: Yar Tikhiy <[email protected]>
Date: Tue, 6 Jan 1998 20:25:05 +0300 (MSK)

Miquel van Smoorenburg wrote:
> In article <199801061637.SAA22273@butch>,
> Amos Shapira <amos@gezernet.co.il> wrote:
> >Hello,
> >
> >Does anyone know if Cisco 2501/2511 routers support transparent proxy?
>
> Sure
>
> >Any pointers on how to exploit this?
>
> Policy routing, using a routemap, next-hop, and
> a rule that matches TCP port 80.

You forgot ICMP "Host Unreachable, Need Fragmentation". Of course, if
the network subject to transparent proxying has a PMTU >= MTU
of the proxy box's interface, that is not needed.
But if it is not the case, you must take care of the ICMP messages,
or the remote www-servers' TCP stacks would not be able to determine
the correct PMTU.
> >Any experience?
>
> Other than just fooling around with it (it did work though) - no.

We run here at Radio-MSU (Moscow State University) a quite large proxy
(500,000 requests per day) in a transparent mode.

The only thing we made is a slight hacking of natd package for FreeBSD.

We use it instead of ipfilter or smth. because it's user-land and is
quite easy to hack, e.g. for the handling of the ICMPs.

We handle the ICMPs so that all of them get forwarded to the proxy
(Cisco cannot do policy routing based on the data field of ICMP packet),
then the necessary ICMPs get handled by the proxy's NAT and then its
TCP stack, and others get forwarded back with some faked (but uniform!)
source address that is used by the router to distinguish them. I.e.

route-map test-lo1-cache-force, permit, sequence 7
  Match clauses:
    ip address (access-lists): 150
  Set clauses:
    ip next-hop 194.67.82.68

===

Extended IP access list 150
    deny icmp host 194.67.80.128 any packet-too-big (34741 matches)
                   ^^^^^^^^^^^^^ the fake ICMP source address
    permit icmp any any packet-too-big (67540 matches)
    deny tcp host 194.67.82.68 any (22657787 matches)
                  ^^^^^^^^^^^^ the address of the proxy itself
    permit tcp any any eq www (35084501 matches)
    deny ip any any (81950613 matches)

SY, Yar
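The following is an added example, not the poster's configuration, natd patch or any IOS code. It simulates the policy-routing decision the message describes: the first-match semantics of the quoted extended access list 150, the route-map that sets the next hop to the proxy, and the proxy-side rule of consuming "fragmentation needed" ICMPs that quote one of its own NAT sessions while handing everything else back with the fake uniform source address. The two proxy/fake addresses are the ones quoted in the post; the client, router and origin-server addresses, the port numbers and the NAT session table are constructed sample input.

```python
"""Added example: simulation of ACL 150 / route-map policy routing and the
proxy's ICMP handling as described in the post. Not code from the post,
from natd or from IOS. Addresses 194.67.82.68 and 194.67.80.128 are the ones
quoted in the message; all other values are constructed sample input."""

from dataclasses import dataclass
from typing import Optional, Set, Tuple

PROXY_ADDR = "194.67.82.68"      # the proxy box; also the route-map next-hop
FAKE_ICMP_SRC = "194.67.80.128"  # uniform source the proxy puts on ICMPs it returns
PACKET_TOO_BIG = (3, 4)          # ICMP destination unreachable, fragmentation needed

Session = Tuple[str, str, int]   # (src, dst, dport) of a datagram the proxy's NAT owns


@dataclass(frozen=True)
class Packet:
    proto: str                                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None                  # TCP/UDP destination port
    icmp: Optional[Tuple[int, int]] = None       # (type, code) for ICMP
    quoted: Optional[Session] = None             # original datagram quoted by an ICMP error


@dataclass(frozen=True)
class Rule:
    action: str                                  # "permit" or "deny"
    proto: str                                   # "ip" matches every protocol
    src: Optional[str] = None                    # None stands for "any"
    dport: Optional[int] = None
    icmp: Optional[Tuple[int, int]] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and (self.src is None or self.src == pkt.src)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.icmp is None or self.icmp == pkt.icmp))


# Extended IP access list 150, entry for entry in the order quoted in the post.
ACL_150 = [
    Rule("deny",   "icmp", src=FAKE_ICMP_SRC, icmp=PACKET_TOO_BIG),  # already seen by the proxy
    Rule("permit", "icmp", icmp=PACKET_TOO_BIG),                     # every other PMTU message
    Rule("deny",   "tcp",  src=PROXY_ADDR),                          # proxy's own connections
    Rule("permit", "tcp",  dport=80),                                # client web traffic
    Rule("deny",   "ip"),
]


def acl_permits(pkt: Packet, acl=ACL_150) -> bool:
    """The first matching entry decides; an access list ends with an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action == "permit"
    return False


def next_hop(pkt: Packet) -> str:
    """route-map sequence 7: a packet permitted by ACL 150 gets 'set ip next-hop'
    to the proxy, everything else follows the ordinary routing table."""
    return PROXY_ADDR if acl_permits(pkt) else "normal-routing"


def proxy_handle_icmp(pkt: Packet, nat_sessions: Set[Session]) -> Tuple[str, Optional[Packet]]:
    """Model of what the proxy does with a redirected ICMP (hypothetical helper).

    The router cannot look into the ICMP payload, so it sends every
    "fragmentation needed" message to the proxy. If the quoted datagram belongs
    to a NAT session the proxy owns, the message goes to the local TCP stack so
    it can lower its PMTU. Otherwise it is sent back with the fake, uniform
    source address, which the first ACL entry denies, so it is not redirected
    to the proxy a second time.
    """
    if pkt.proto != "icmp" or pkt.icmp != PACKET_TOO_BIG or pkt.quoted is None:
        return ("ignore", None)
    if pkt.quoted in nat_sessions:
        return ("local-stack", None)
    rewritten = Packet("icmp", FAKE_ICMP_SRC, pkt.dst, icmp=pkt.icmp, quoted=pkt.quoted)
    return ("forward", rewritten)


if __name__ == "__main__":
    client, origin, inner_router = "194.67.80.5", "198.51.100.7", "194.67.80.1"  # constructed
    sessions = {(origin, client, 1025)}  # proxy answers the client as if it were the origin
    print(next_hop(Packet("tcp", client, origin, dport=80)))          # proxy
    print(next_hop(Packet("tcp", PROXY_ADDR, origin, dport=80)))      # normal-routing (no loop)
    pmtu = Packet("icmp", inner_router, origin, icmp=PACKET_TOO_BIG, quoted=(origin, client, 1025))
    print(next_hop(pmtu), proxy_handle_icmp(pmtu, sessions)[0])       # proxy local-stack
    stray = Packet("icmp", inner_router, origin, icmp=PACKET_TOO_BIG, quoted=(origin, client, 20))
    action, back = proxy_handle_icmp(stray, sessions)
    print(action, back.src, next_hop(back))                           # forward 194.67.80.128 normal-routing
```

The two `deny` entries are the part worth studying: without `deny tcp host <proxy> any` the proxy's own connections to origin servers would be redirected back to itself, and without the fake-source entry the ICMPs the proxy has already inspected would loop between router and proxy.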
Received on Tue Jan 06 1998 - 09:33:01 MST