Re: [squid-users] Selecting source port on squid's requests

From: Dan Cave <[email protected]>
Date: Tue, 17 Dec 2002 11:07:16 -0000

Andrei

If you can, find out from your firewall admin if you can point your squid
cache at the firewall's internal facing address on an internet facing port;
you can then use the cache_peer like this.

cache_peer <ip of firewall> parent <port> 0 no-query default

This will make your squid cache talk to the internet via your firewall.

I don't believe that you can configure squid to use a specific range of IP
ports for outgoing requests, as this is something that's handled in the IP
stack and by portmapper; the above directive will achieve this for you.

With regards to netfilter, are you doing transparent proxying between your
clients and your IP filter/squid proxy to the firewall? I'm not clear on
this?

Hope this makes sense.

dan

> How can I configure squid with acl based source port ranges for the
> requests squid makes to origin servers?
>
> Squid has the feature "tcp_outgoing_address" for selecting source IP for
> outgoing packets to servers and other caches.
>
> System is linux.
> I would like something like the following:
>
> acl net1 src 1.2.3.0/24
> acl net2 dst 2.3.4.0/24
> ... etc
>
> # using same notation as delay pool restore/max value
> tcp_outgoing_ports 10000/10999 allow net1
> tcp_outgoing_ports 11000/11999 allow net2
>
> On linux /proc/sys/net/ipv4/ip_local_port_range defines the range of
> source ports automatically assigned to a tcp/udp packet if source port
> is not specifically defined by the application.
> I want squid to use, for connection it makes to servers and other
> caches, ports in user-defined ranges, on acl rules.
>
> Reason for this is the following:
> - squid is behind a firewall
> - firewall is on another machine.
> - firewall uses multiple ISPs and does policy routing and traffic
> control.
>
> I have a squid proxy that serves some clients behind it and it can
> connect to the internet only through the firewall described above.
> I have 1 ip on squid and I can't touch it.
> I have to make a clear differentiation that is distinguishable at packet
> level by netfilter between different types of traffic handled by squid.
> Since rules include both destination networks and source networks
> (behind squid) and some url_regex (mainly cgi stuff), the above
> workaround is the only solution I could come up with that will make
> traffic generated by squid distinguishable to ipchains/iptables/tc
> filter...
>
> Any suggestions are welcome.
>
> Thank you.
>
> --
> Choose not to choose! Let Micro$oft do it for you!
> Or... the Penguin shall set you free...
> ------
> Andrix
> E-mail: mailto:andrix@fx.ro
> Web : http://members.tripod.com/andrei_b
Received on Tue Dec 17 2002 - 04:10:58 MST
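A squid.conf fragment, added here as an illustration and not taken from either message, that puts Dan's cache_peer suggestion into practice together with two settings a practitioner would want next to it: never_direct, so Squid cannot bypass the firewall peer when it thinks it can reach an origin server directly, and tcp_outgoing_tos, so the firewall can still tell net1 traffic from net2 traffic by DSCP value instead of by source port. The ACL networks are the ones from Andrei's question; the firewall address and port are placeholders, and tcp_outgoing_tos is assumed to be available in the Squid version in use (it is not in Squid 2.5, the release current at the time of this thread).

```conf
# squid.conf fragment (added example; <fw-internal-ip> and <fw-port> are
# placeholders for the values the firewall admin provides)

# Traffic classes from the original question
acl net1 src 1.2.3.0/24
acl net2 dst 2.3.4.0/24

# Send origin-server requests through the firewall's internal-facing
# address, as suggested in the reply above
cache_peer <fw-internal-ip> parent <fw-port> 0 no-query default

# "default" alone still allows Squid to go direct when it can resolve and
# reach the origin server itself; forbid that so the only path out of the
# box is the firewall peer
never_direct allow all

# Squid does not let you pick outgoing source ports, but it can set the
# DSCP/TOS byte per ACL on the connections it opens; the firewall can then
# match that byte (iptables dscp match or a tc u32 filter on the TOS byte)
# to apply its per-ISP policy routing and traffic control
tcp_outgoing_tos 0x20 net1
tcp_outgoing_tos 0x40 net2
```

Whether the marks reach the firewall depends on nothing in between rewriting the IP header; the firewall admin can confirm with `tcpdump -v` on the internal interface, which prints the TOS byte of each packet, before building netfilter or tc rules on it. The acl lines also still work for url_regex classes, so the cgi traffic mentioned in the question can get its own mark the same way.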

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:06 MST