Richard Chapman wrote:
> Amos Jeffries wrote:
>>
>> Squid itself won't. But the box underneath it will have firewall and
>> routing control you can use (assuming it's a non-windows box).
>>
>> Amos
>
> Hi Amos
>
> I can see this is true where the squid box is also the internet router -
> but is it also true if the squid box is not the internet router - and is
> not dual homed? Currently the squid box has only one network connection
> - and the router function is handled by the netgear box. How much do I
> need to change to eliminate NAT altogether - and go to a mandatory proxy
> solution?
Thus my non-windows disclaimer. All such boxes have the capability by
default in the kernel and system. It just needs turning on and using.
>
> If it can be done without making the squid box dual homed - presumably I
> need to tell the clients (via dhcp) the squid box is the default router
> for the network - so they direct all proxy and non proxy traffic through
> it. Presumably it would need some fancy routing to then forward internet
> traffic correctly.
>
> If the linux box can't do the job without a second network interface -
> the other option would be to get a more functional internet router box.
> I am gradually forming the view that it is easier to maintain networks
> with lots of purpose built single function boxes - than single
> multifunction boxes which do everything - but then break everything when
> they need upgrades or otherwise fail... Of course this is only my
> opinion...:-)
>
> Many thanks for your advice.
There are three approaches that can be done software-only without new
hardware or topology. Two still involve NAT, one does not.
(1) Just firewall port 80 and port 443. Advertise squid via WPAD DHCP
and DNS both just in case. Force users to configure (a) manually or (b)
using 'auto-locate proxy'.
Pros: no NAT, low maintenance, some nasties get squashed as a by-product.
Cons: WPAD can be nasty to set up initially.
(2) Policy Routing + Interception on the Squid box.
Pros: no non-HTTP traffic goes to the squid box. All the benefits of
having squid on the router itself.
Cons: it does still involve NAT, so if you want 100% NAT-free this is
not the option. Somewhat complicated/confusing routing configuration for
some.
Details and config examples at
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
Amos
>>>
>>>
>>> matthew jones wrote:
>>>> is there any need to use NAT. you could simply forward all data to
>>>> the squid by setting its IP address as the DMZ server in the WAN
>>>> setup page. which would send all incoming DSL data to the IP address.
>>>>
>>>> if it's a tight network you're after you should think about having the
>>>> squid dual homed, one connecting to the router/firewall and the
>>>> other to your network, thus forcing all data to pass through the
>>>> proxy. also the proxy may be proxying data on more ports than 80
>>>> such as https on port 4** etc.
>>>>
>>>> i have a GD834g too but haven't tried the above as i use NAT and not
>>>> a proxy at home.
>>>>
>>>> matt.
>>>>
>>>> Richard Chapman wrote:
>>>>> I have squid operating well on a small NAT network. Currently - all
>>>>> clients select "automatic proxy detection" and that is all working
>>>>> correctly with proxy.pac script on the http server.
>>>>> I wanted to ensure that the proxy is handling ALL http traffic ALL
>>>>> of the time - so I can be confident of the statistics generated by
>>>>> sarg (squid analysis and report generator).
>>>>>
>>>>> I thought this should be easy. I have a netgear DG834G router acting
>>>>> as the internet DSL connection. I added 2 outgoing firewall rules
>>>>> in the Dg834G:
>>>>> 1) allow all outgoing traffic from the squid server's local IP.
>>>>> 2) Block port 80 traffic from all (other) local ip addresses.
>>>>>
>>>>> When I apply these 2 rules - the network experiences erratic
>>>>> internet access. Some sites work some of the time - but not
>>>>> everything works correctly. I have tried disabling the above rules
>>>>> - then enabling just rule 1 - and even then the network behaves
>>>>> erratically. Note that rule 1 is an "allow" rule. But as soon as I
>>>>> disable both rules - everything returns to normal.
>>>>>
>>>>> This seems very weird to me. Can anyone suggest some subtlety I am
>>>>> overlooking?
>>>>> I have checked the netgear knowledge base and there are no glaring
>>>>> bugs reported related to this behaviour. I have updated to the
>>>>> latest netgear firmware. I can only assume the DG834 is not
>>>>> behaving as expected. Can anyone see another explanation?
>>>>>
>>>>> In case it is relevant - the linux box is performing squid, dns,
>>>>> dhcp, http and lots of other stuff but the dg834 is performing NAT
>>>>> (and only NAT).
>>>>>
>>>>> Thanks
>>>>>
>>>>> Richard.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>>
>
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
Current Beta Squid 3.1.0.3

Received on Thu Jan 15 2009 - 06:58:27 MST
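Added example, not from anyone in this thread: a proxy.pac / wpad.dat for Amos's option (1), where ports 80 and 443 are firewalled for everything except the Squid box and clients find the proxy via "auto-locate". Assumed placeholder values are Squid at 192.168.0.10:3128, LAN 192.168.0.0/24 and local domain home.lan; the `ipLiteralInNet` helper stands in for the PAC built-in `isInNet()` so the file can be exercised offline, and the proxy string carries no "; DIRECT" fallback on purpose, since a direct attempt would only hit the block rule and fail confusingly.

```javascript
// proxy.pac for a mandatory-proxy setup (option 1 above).
// Assumed placeholders: Squid 192.168.0.10:3128, LAN 192.168.0.0/24,
// local DNS domain "home.lan". Adjust to the real network.
var SQUID = "PROXY 192.168.0.10:3128";
var LAN_NET = "192.168.0.0";
var LAN_MASK = "255.255.255.0";
var LOCAL_DOMAIN = ".home.lan";

// Dotted-quad to integer; returns -1 for anything that is not an IPv4 literal.
function ip4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var o = parseInt(m[i], 10);
    if (o > 255) return -1;
    n = n * 256 + o;
  }
  return n;
}

// Pure-JS stand-in for the PAC built-in isInNet(): true when `host` is an
// IPv4 literal inside net/mask. Hostnames return false here (the browser's
// isInNet would resolve them; this version needs no DNS so it runs offline).
function ipLiteralInNet(host, net, mask) {
  var h = ip4ToInt(host), n = ip4ToInt(net), k = ip4ToInt(mask);
  if (h < 0 || n < 0 || k < 0) return false;
  return ((h & k) >>> 0) === ((n & k) >>> 0);
}

// Entry point the browser calls for every URL.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Intranet targets stay DIRECT: plain hostnames, the local domain,
  // loopback and LAN addresses (the firewall rule does not touch LAN traffic).
  if (host.indexOf(".") === -1) return "DIRECT";
  if (host.slice(-LOCAL_DOMAIN.length) === LOCAL_DOMAIN) return "DIRECT";
  if (ipLiteralInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  if (ipLiteralInNet(host, LAN_NET, LAN_MASK)) return "DIRECT";
  // Everything else must go through Squid. Deliberately no "; DIRECT":
  // if Squid is down the failure is visible instead of a silent fallback
  // that the port-80/443 block rule would reject anyway.
  return SQUID;
}
```

Publish it as http://wpad.home.lan/wpad.dat (DNS A record "wpad" in the local domain) and, for the DHCP side with ISC dhcpd, `option wpad code 252 = text; option wpad "http://wpad.home.lan/wpad.dat";`, so both lookup methods Amos mentions point at the same file.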