Re: [squid-users] Transproxy & FW-1

From: Bizou <[email protected]>
Date: Wed, 20 Feb 2002 20:08:16 +0100

Yes, true, I could also make my proxy listen on port 80; the problem would
only be to change the destination IP in the NAT process. The problem should be
the same, in my mind.

I tried this configuration yesterday and the result is... it
doesn't work, because FW-1 does not accept that the destination IP address is
changed in the NATed packet, since there is an ANY dst in the entering packet.

I've finally chosen the ipfilter solution with ipnat on a Solaris.
For information, here is the ipfilter mechanism (ipnat occurs before routing
packets): http://coombs.anu.edu.au/~avalon/ipfil-flow.html

                                   IN
                                    |
                                    V
          +-------------------------+--------------------------+
          |                         |                          |
          |                         V                          |
          |            Network Address Translation             |
          |                         |                          |
          |    authenticated        |                          |
          |         +-------<-------+                          |
          |         |               |                          |
          |         |               V                          |
          |         |         IP Accounting                    |
          |         |               |                          |
          |         |               V                          |
          |         |     Fragment Cache Check---+             |
          |         |               |            |             |
          |         V               V            V             |
          |         |      Packet State Check--->+             |
          |         |               |            |             |
          |         |        +->--+ |            |             |
          |         |        |    | V            |             |
          |         V     groups  Firewall check V             |
          |         |        |    | |            |             |
          |         |        +--<-+ |            |             |
          |         |               |            |             |
          |         +-------------->|<-----------+             |
          |                         |                          |
          |                         V                          |
          |                    +---<----+                      |
          |                    |        |                      |
          |                 function    |                      |
          |                    |        V                      |
          |                    +--->----+                      |
          |                         |                          |
          |                         V                          |
       +--|---<--- fast-route ---<--+                          |
       |  |                         |                          |
       |  |                         V                          |
       |  +-------------------------+--------------------------+
       |                            |
       |                        pass only
       |                            |
       |                            V
       V                  [KERNEL TCP/IP Processing]
       |                            |
       |  +-------------------------+--------------------------+
       |  |                         |                          |
       |  |                         V                          |
       |  |               Fragment Cache Check---+             |
       |  |                         |            |             |
       |  |                         V            V             |
       |  |                Packet State Check--->+             |
       |  |                         |            |             |
       |  |                         V            |             |
       V  |                  Firewall Check      |             |
       |  |                         |            V             |
       |  |                         |<-----------+             |
       |  |                         V                          |
       |  |                   IP Accounting                    |
       |  |                         |                          |
       |  |                         V                          |
       |  |            Network Address Translation             |
       |  |                         |                          |
       |  |                         V                          |
       |  +-------------------------+--------------------------+
       |                            |
       |                        pass only
       V                            |
       +--------------------------->|
                                    V
                                   OUT

----- Original Message -----
From: "Joerg Fritsch" <joerg.fritsch@planet-interkom.de>
To: "Bizou" <bizou@chez.com>
Cc: <squid-users@squid-cache.org>
Sent: Tuesday, February 19, 2002 8:21 PM
Subject: Re: [squid-users] Transproxy & FW-1

> Hello,
>
> Why don't you trim your proxy to listen on port 80?
>
> Congratulations, you have read through the Checkpoint docs very
> carefully. It is Checkpoint-internal that routing occurs before
> NATing. It means that when the packet enters your firewall it will stay
> untouched and be routed by the OS to the right interface, and THEN Checkpoint
> will NAT it according to the rulebase.
>
> This is only mentioned because NATing might need additional ARP entries
> and additional routes on a Checkpoint host, so that the packets will find
> their way, i.e. you might need a route on the Checkpoint host from
> @ip_dest to @ip_proxy.
>
> It will probably work; if not, your problem won't be a routing issue but
> the SRC "any". I don't know if "any" can be a SRC for NAT. Please let me know
> if it works.
>
> --Joerg
>
> On Monday, 18 February 2002, at 19:50, Bizou wrote:
>
> > Hello,
> >
> > can someone confirm for me that it is possible to redirect traffic with
> > FW-1:
> >
> >   NAT SRC                       |   NAT DST
> >   SRC@IP   DST@IP   service     |   SRC@IP   DST@IP      service
> >   any      any      80          |   any      @ip_proxy   3128
> >
> > I'm wondering this because I'll have a demo to make in a few days with
> > squid in transproxy mode and FW-1, but when I read the FW-1 doc, it's
> > written: "nat occurs after packets are routed". So this would mean that
> > if my squid proxy is not on the external NIC, it won't work.....
> >
> > Has someone already tried this?
> >
> > Thanks
> >
> > David
> >
> >
>
Received on Wed Feb 20 2002 - 12:08:45 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:06:28 MST
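The whole thread turns on one ordering question: FW-1 (per Joerg and the doc quote) routes the untouched packet and NATs afterwards, while ipfilter's diagram above puts ipnat in the inbound path before the kernel routes. The following is an added example, not code from the thread, from Check Point, from IPFilter or from Squid: a small Python model of both orderings, run over constructed sample packets, showing why a port-80 redirect to a proxy on the inside segment lands on the wrong egress interface under route-then-NAT and on the right one under NAT-then-route. The interface names (hme0/hme1), addresses, routing table and the rdr rule it models are assumptions made for illustration.

```python
"""Model of the two pipelines compared in the thread: route-then-NAT
(FW-1, as described by Joerg) versus NAT-then-route (ipfilter/ipnat, as the
flow diagram shows).  Added example; interfaces, addresses and the redirect
rule are assumptions, not configuration from the thread or either product.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

INSIDE_IF, OUTSIDE_IF = "hme0", "hme1"      # assumed interface names
PROXY = ip_address("192.168.1.10")          # assumed squid host on the inside LAN

# Assumed routing table; the most specific matching prefix wins.
ROUTES = [
    (ip_network("192.168.1.0/24"), INSIDE_IF),
    (ip_network("0.0.0.0/0"), OUTSIDE_IF),
]

# The redirect being modelled, written as a hypothetical ipnat.conf line:
#   rdr hme0 0.0.0.0/0 port 80 -> 192.168.1.10 port 3128 tcp


@dataclass(frozen=True)
class Packet:
    in_if: str          # interface the packet arrived on
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str = "tcp"


def route(dst: IPv4Address) -> str:
    """Longest-prefix-match lookup; returns the egress interface."""
    _net, ifname = max(
        ((n, i) for n, i in ROUTES if dst in n), key=lambda e: e[0].prefixlen
    )
    return ifname


def rdr(pkt: Packet) -> Packet:
    """Destination NAT for client HTTP arriving on the inside interface.

    Squid's own outbound fetches also enter on hme0 with dport 80; they must
    not match, or the proxy would be redirected back to itself.
    """
    if (pkt.in_if == INSIDE_IF and pkt.proto == "tcp"
            and pkt.dport == 80 and pkt.src != PROXY):
        return replace(pkt, dst=PROXY, dport=3128)
    return pkt


def fw1_order(pkt: Packet) -> tuple[Packet, str]:
    """Route on the untouched packet first, then NAT (the FW-1 ordering)."""
    out_if = route(pkt.dst)
    return rdr(pkt), out_if


def ipfilter_order(pkt: Packet) -> tuple[Packet, str]:
    """ipnat rewrites first; the kernel then routes the rewritten packet."""
    nat = rdr(pkt)
    return nat, route(nat.dst)


def delivered_to_proxy(pkt: Packet, pipeline) -> bool:
    """True when the packet carries proxy:3128 as its destination AND leaves
    on the interface the proxy actually sits behind."""
    nat, out_if = pipeline(pkt)
    return nat.dst == PROXY and nat.dport == 3128 and out_if == route(PROXY)


# Constructed sample traffic, not captured data.
CLIENT_HTTP = Packet(INSIDE_IF, ip_address("192.168.1.50"), ip_address("203.0.113.7"), 80)
SQUID_FETCH = Packet(INSIDE_IF, PROXY, ip_address("203.0.113.7"), 80)
CLIENT_SSH = Packet(INSIDE_IF, ip_address("192.168.1.50"), ip_address("203.0.113.7"), 22)


if __name__ == "__main__":
    for name, pipe in (("FW-1 (route, then NAT)", fw1_order),
                       ("ipfilter (NAT, then route)", ipfilter_order)):
        nat, out_if = pipe(CLIENT_HTTP)
        print(f"{name}: dst={nat.dst}:{nat.dport} egress={out_if} "
              f"reaches proxy={delivered_to_proxy(CLIENT_HTTP, pipe)}")
```

Under the FW-1 ordering the client packet is routed on its original destination (the external NIC) and only then rewritten to the proxy, which is exactly the "proxy must be on the external NIC" conclusion of the original question; Joerg's suggested host route from @ip_dest to @ip_proxy is the workaround for that ordering. The `src != PROXY` exclusion in `rdr` is the part any real rdr rule for this setup has to get right, otherwise squid's own fetches are redirected to squid.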