RE: [squid-users] Transparent Proxy on FreeBSD 4.9 problem with Yahoo/Hotmail login

From: Clive Cleland <[email protected]>
Date: Sun, 16 Nov 2003 12:50:13 +1100

Raphael

Try setting MSS = 1400 for TCP connections from your clients (use this
number if your normal MSS is 1500/1476). This is done on the squid server,
not the client machines, as it is negotiated during TCP connection setup.

Under iptables, it is done using the following command:
        -A OUTPUT -d 1.2.3.0/24 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400

I'm sorry I can't help with FreeBSD/ipfw. If you use 'ip route' to setup
routing, I believe it can also be done on a per-route basis.

The problem is that some sites use very large cookies. When the HTTP
request exceeds the size of one packet, the addition of the GRE header makes
the first packet too large, so it is dropped by the WCCP router.

By telling clients to limit their packet size, the addition of the GRE
overhead still results in legal packets. The smaller size should make
negligible difference in network performance, but perhaps you can tune this
to your needs? Also, you might be able to further restrict this to just
port 80 traffic?

Hopefully this at least gives you somewhere to look.

Clive

-----Original Message-----
From: Raphael Maseko [mailto:ralph@zamnet.zm]
Sent: Sunday, 16 November 2003 4:02 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Transparent Proxy on FreeBSD 4.9 problem with
Yahoo/Hotmail login

Hi Fellow Listers,

I have been running squid-2.5.STABLE4 with transparent proxying using WCCP
V1 on FreeBSD 4.6.2 without any problems.

I have now installed the same version on FreeBSD 4.9.

Unlike in the previous version where I had to apply patches and hacks to get
the gre packets stripped by my BSD box, I used the "pseudo-device gre"
option in the kernel and set up the tunnel using the following:

ifconfig gre0 create
ifconfig gre0 My_Squid_IP 10.20.30.1 netmask 255.255.255.255 link1 tunnel My_Squid_IP My_Router_IP up

and the following IPFW rules:

ipfw add 49 allow tcp from My_Squid_IP to any
ipfw add 50 fwd 127.0.0.1,3128 tcp from any to any 80 via gre0 in
(The ipfw is set to default to accept)

Here is a sample from the ipfw -a sh command:

00049 29586 2886034 allow tcp from My_Squid_IP to any
00050 29592 2493277 fwd 127.0.0.1,3128 tcp from any to any 80 in recv gre0
65535 101631 65282581 allow ip from any to any

The transparent proxy is working fine except when it comes to logging into
sites like yahoo and hotmail and reading webmail. The main page is accessed
but stalls and eventually fails on authentication.

I suspect that this has something to do with the gre tunnel and the way
packets that are not supposed to be cached are being treated.

Has anyone run into this problem and if so how did you deal with it? Please
help.

Thanks in advance.

Ralph
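The MSS clamping Clive suggests above, shown as an added example that is not code from this thread or from Squid: a hand-built IPv4/TCP SYN carrying an MSS option is run through a clamp that behaves like `--tcp-flags SYN,RST SYN -j TCPMSS --set-mss`, and a small helper derives a safe MSS from the path MTU and the encapsulation cost. The 24-byte GRE overhead (outer IPv4 plus the minimal RFC 2784 GRE header) and the addresses and ports are assumptions for the demo; a real WCCP router may add a few more bytes, which is one reason a round number like 1400 leaves headroom.

```python
"""
Added example for the squid-users thread above; not code from the thread or
from Squid.  Shows what an MSS clamp does to a SYN on the wire and how a safe
MSS follows from the path MTU and the encapsulation cost.  Packets are
constructed by hand so the script runs offline.
"""
import struct

IP_HDR = 20          # IPv4 header, no options
TCP_HDR = 20         # TCP header, no options
# Assumption: outer IPv4 (20) + minimal GRE header (4) per RFC 2784.  WCCP
# encapsulation on a real router may add more, so 1400 keeps some headroom.
GRE_OVERHEAD = 24


def safe_mss(mtu, encap_overhead=GRE_OVERHEAD):
    """Largest TCP payload that still fits one frame after GRE encapsulation."""
    return mtu - encap_overhead - IP_HDR - TCP_HDR


def _csum(data):
    """RFC 1071 ones'-complement checksum (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_csum(src, dst, segment):
    """TCP checksum including the IPv4 pseudo-header (protocol 6)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return _csum(pseudo + segment)


def _mss_offset(tcp):
    """Index of the MSS option (kind 2, len 4) in a TCP segment, or None."""
    doff = (tcp[12] >> 4) * 4
    i = TCP_HDR
    while i + 1 < doff:
        kind = tcp[i]
        if kind == 0:            # end of option list
            return None
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:           # malformed option; stop parsing
            return None
        if kind == 2 and length == 4:
            return i
        i += length
    return None


def build_syn(src, dst, sport, dport, mss):
    """IPv4 + TCP SYN carrying one MSS option, with valid checksums."""
    opts = struct.pack("!BBH", 2, 4, mss)
    doff = (TCP_HDR + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, 0x02,
                      65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp_csum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(tcp), 0, 0x4000,
                     64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    return ip + tcp


def mss_of(packet):
    """Advertised MSS of an IPv4/TCP packet, or None if there is no MSS option."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    off = _mss_offset(tcp)
    return None if off is None else struct.unpack("!H", tcp[off + 2:off + 4])[0]


def clamp_mss(packet, max_mss):
    """Lower the MSS option of a SYN (not SYN/RST) to max_mss if it is larger.

    Non-TCP packets, non-SYNs and SYNs already at or below max_mss pass
    through untouched; a rewritten segment gets its TCP checksum recomputed.
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        return packet
    tcp = bytearray(packet[ihl:])
    flags = tcp[13]
    if not (flags & 0x02) or (flags & 0x04):
        return packet
    off = _mss_offset(tcp)
    if off is None or struct.unpack("!H", tcp[off + 2:off + 4])[0] <= max_mss:
        return packet
    tcp[off + 2:off + 4] = struct.pack("!H", max_mss)
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", tcp_csum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


def checksum_ok(packet):
    """True if the TCP checksum of an IPv4/TCP packet verifies."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_csum(packet[12:16], packet[16:20], packet[ihl:]) == 0


if __name__ == "__main__":
    client, server = bytes([10, 0, 0, 5]), bytes([1, 2, 3, 4])   # constructed
    syn = build_syn(client, server, 40000, 80, 1460)
    print("safe MSS for MTU 1500 behind GRE:", safe_mss(1500))
    print("original MSS:", mss_of(syn))
    print("after clamp :", mss_of(clamp_mss(syn, 1400)))
```

Because the clamp only touches the SYN, it changes what the client promises to send, and every later segment from that client stays under the limit without any per-packet work; that is why Clive says it is done once, at connection setup, on the Squid box rather than on the clients.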
Received on Sat Nov 15 2003 - 18:50:16 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:20 MST