[squid-users] Re: transparent proxy with transparent gateway (hrm)

From: Terry Davis <[email protected]>
Date: Fri, 01 Feb 2002 15:19:49 -0600

mmm, that sounds fun too. I think my best option is to simply change
the ip on my firewall and make this "router" my new default gw. Not a
big deal.

This is a fun topic!

Reischl, Brian wrote:

> Well, yes, but since bridging operates at layer 2 (I think?) and the
> entire concept of ports & IP addressing comes in at layer 3, it doesn't
> even make sense to talk about. Of course, you already said that a couple
> times :) Anyway, it is a problem....
>
> Okay, here's an idea, you could try setting up your gw to silently drop
> all port 80 packets. Then build your proxy with an eth interface in
> promiscuous mode with the same IP as the gateway. So it would grab all
> those port 80 packets destined for the gateway, do transparent proxying
> using a different eth interface with an actual valid IP address. Once
> again, looks to the clients like their packets are going out the
> gateway, when in fact they're being proxied.
>
> You just have to make sure that the GW utterly ignores everything on
> port 80, since if it sends ICMP denied packets that will mess things up.
> Likewise, the proxy utterly ignores everything NOT on port 80 for the
> same reason.
>
> There's most likely a problem with that, but it sounds good at the
> moment....
>
> -----Original Message-----
> From: Terry Davis [mailto:tdavis@birddog.com]
> Sent: Friday, February 01, 2002 2:10 PM
> To: Reischl, Brian
> Cc: squid-users@squid-cache.org
> Subject: Re: transparent proxy with transparent gateway (hrm)
>
>
> This would work in my situation. I don't like the idea of changing the
> IP address on my firewall but what's the difference ?
>
> The bridge idea is cooler but MUCH more complicated.
>
>
> Reischl, Brian wrote:
>
> > Maybe I'm completely misunderstanding what you're trying to do here, but
> > it seems to me you could set up a Linux box as a transparent
> > proxy/router. Have it configured to proxy all port 80 and forward
> > everything else to the gateway. Then move your gw to a IP new address,
> > and have the proxy/fw take over the gateway's old IP address. Thus
> > clients keep sending everything to the same IP thinking it's the
> > gateway. Only now your proxy is sitting at that IP, proxying HTTP and
> > silently forwarding everything else to the real gateway. All the
> > ethernet level stuff should sort itself out after everyone's ARP cache
> > expires in 5 or 10 minutes, and the clients should never know the
> > difference. Or am I missing something here?
> >
> > -----Original Message-----
> > From: Terry Davis [mailto:tdavis@birddog.com]
> > Sent: Friday, February 01, 2002 12:01 PM
> > To: squid-users@squid-cache.org
> > Subject: transparent proxy with transparent gateway (hrm)
> >
> >
> > This is a good one and perhaps I need to be slapped around a bit for
> > even suggesting it.
> >
> > I want to set up transparent proxying. I do not want to change the
> > default gw on my clients. Is there a way that I can set up an ethernet
> > bridge that 'listens' for port 80 connections and mangles those packets
> > so the destination address is the proxy server? I think I know the
> > answer to this but it's worth a shot.
> >
> > --
> > Terry Davis
> > Systems Administrator
> > BirdDog Solutions, Inc.
> > (402) 829-6059
> > www.birddog.com
> >
>
>
> --
> Terry Davis
> Systems Administrator
> BirdDog Solutions, Inc.
> (402) 829-6059
> www.birddog.com
>

-- 
Terry Davis
Systems Administrator
BirdDog Solutions, Inc.
(402) 829-6059
www.birddog.com
Received on Fri Feb 01 2002 - 14:20:24 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:06:08 MST