Is this the reason for not including transparent proxy support in m0n0wall? I'm
curious to know if commercial firewalls/routers with this ability exhibit the
same issue with squid.

> -----Original Message-----
> From: alan walters [mailto:alan at aillweecave dot ie]
> Sent: 13 February 2005 16:13
> To: Frans King
> Subject: RE: [m0n0wall] Transparent HTTP proxy
>
> Ipfilter and an ipfirewall issue I think. Squid seems to keep running;
> ipfilter and iptables continue to forward requests.
>
> And squid just ignores messages, happens every two or three weeks.
> Version 2.5.7 of squid is better with the latest iptables but it still
> happens.
> Something in the redirect seems to corrupt the cache in squid.
> I also went down this path with tcp redirectors but it did not go very well.
> Squid 3 seems to be more stable in our test environment, but we have a 30%
> hit to cache and 90% traffic on proxy with proxy.pac configuration.
>
> -----Original Message-----
> From: Frans King [mailto:frans dot king at f333 dot net]
> Sent: 13 February 2005 12:54
> To: alan walters
> Subject: RE: [m0n0wall] Transparent HTTP proxy
>
> How unstable? Is this an ipfilter redirect issue or something to do with
> squid? If ipfilter is a little shaky with handling the redirects I'll give
> tproxy (userland redirector) a try.
>
> Cheers,
>
> Frans
>
> > -----Original Message-----
> > From: alan walters [mailto:alan at aillweecave dot ie]
> > Sent: 13 February 2005 03:31
> > To: Frans King
> > Subject: RE: [m0n0wall] Transparent HTTP proxy
> >
> > Transparent proxying is prone to issues in my experience.
> > I have yet to get a stable configuration working on
> > either Linux or BSD.
> >
> > The best solution that I use now is to set up wpad.dat and proxy.pac
> > files in the root web directory of your gateway on port 80.
> >
> > Set the clients to automatically detect settings and they will use the
> > proxy.
> > It works well, and I just chroot the dir for the webserver and
> > keep the admin server running on a different port.
> > Thttpd is good for this and is lightweight.
> >
> > Maybe the m0n0 team has another solution that they could add into their
> > system.
> >
> > Best of luck
> > a
> >
> > -----Original Message-----
> > From: Frans King [mailto:frans dot king at f333 dot net]
> > Sent: 13 February 2005 01:51
> > To: m0n0wall at lists dot m0n0 dot ch
> > Subject: RE: [m0n0wall] Transparent HTTP proxy
> >
> > > -----Original Message-----
> > > From: MrManiac's Listings [mailto:mrmaniac dot lists at gmail dot com]
> > > Sent: 13 February 2005 00:19
> > > To:
> > > Subject: Re: [m0n0wall] Transparent HTTP proxy
> > >
> > > Hi!
> > > Is it your intention that squid runs on port 8080, but your redirect
> > > rule points to port 3128?
> > >
> > > On Sat, 12 Feb 2005 19:38:55 -0000, Frans King <frans dot king at f333 dot net>
> > > wrote:
> > > > I read in the m0n0wall documentation that transparent proxying is not
> > > > supported because of the issue of figuring out what the actual HTTP
> > > > request is. I have pretty much the same situation as described here:
> > > > http://m0n0.ch/wall/list/?action=show_msg&actionargs%5B%5D=106&actionargs%5B%5D=46
> > > >
> > > > WAN
> > > >  |
> > > >  |
> > > > M0n0-----DMZ (proxy server = 10.0.1.2)
> > > >  |
> > > >  |
> > > >  |
> > > > LAN (clients - 10.0.0.0/28)
> > > >
> > > > The idea is to have HTTP traffic forced through the proxy server, which
> > > > is in fact possible with m0n0wall and squid under Linux.
> > > >
> > > > I followed the squid docs on transparent proxies
> > > > (http://www.squid-cache.org/Doc/FAQ/FAQ-17.html), adding these lines:
> > > >
> > > > http_port 8080
> > > > httpd_accel_host virtual
> > > > httpd_accel_port 80
> > > > httpd_accel_with_proxy on
> > > > httpd_accel_uses_host_header on
> > > >
> > > > to my squid.conf so that squid recognizes hijacked connections.
> > > >
> > > > Then I added a redirect rule in m0n0wall via exec.php:
> > > >
> > > > echo "rdr rl0 0/0 port http -> 10.0.1.2 port 3128" > rules
> > > > ipnat -f rules
> > > >
> > > > And lo and behold, any traffic on port 80 going into my LAN interface is
> > > > redirected to the squid proxy.
> > > >
> > > > Obviously this will not work for situations where the proxy server
> > > > resides on the LAN interface, but with some tweaking of the redirect rule
> > > > it should be possible.
> > > >
> > > > Also I don't know about other proxy servers and whether they can
> > > > intercept hijacked connections.
> > > >
> > > > Regards,
> > > >
> > > > Frans
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
> > No, squid is running on 3128, but if I wanted to run squid on 8080 then all
> > I would need to do is alter the redirect rule to direct traffic to 8080
> > instead of 3128.
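Added example, not from the thread: a small Python checker for the discrepancy MrManiac asks about above, an ipnat rdr rule aiming at one port (3128) while the quoted squid.conf says http_port 8080. It parses a constructed squid.conf and rules file in the formats shown in the thread, flags any rdr whose target port squid is not listening on (traffic would be redirected to a port with no listener), and confirms the four httpd_accel_* directives from the FAQ are present.

```python
import re

# Constructed inputs mirroring the thread (not the poster's files): squid listens
# on 8080 while the ipnat rdr rule targets port 3128.
SQUID_CONF = """\
http_port 8080
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
"""
IPNAT_RULES = "rdr rl0 0/0 port http -> 10.0.1.2 port 3128\n"
# Directives the squid 2.5 FAQ lists for accepting intercepted connections.
REQUIRED_ACCEL = {"httpd_accel_host": "virtual", "httpd_accel_port": "80",
                  "httpd_accel_with_proxy": "on", "httpd_accel_uses_host_header": "on"}
RDR_RE = re.compile(r"^rdr\s+(?P<iface>\S+)\s+(?P<src>\S+)\s+port\s+(?P<sport>\S+)"
                    r"\s*->\s*(?P<dst>\S+)\s+port\s+(?P<dport>\S+)")
SERVICE_PORTS = {"http": 80, "https": 443}

def port_number(token):
    """'http' -> 80, '3128' -> 3128, '10.0.1.2:8080' -> 8080 (None if unknown)."""
    token = token.rsplit(":", 1)[-1]
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token.lower())

def parse_squid_conf(text):
    """Map each directive to the list of values given for it, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf.setdefault(key, []).append(value.strip())
    return conf

def check_transparent_proxy(squid_text, rules_text):
    """Return findings; an empty list means the rdr target and squid.conf agree."""
    conf = parse_squid_conf(squid_text)
    listening = {port_number(p) for p in conf.get("http_port", [])}
    findings = []
    for line in rules_text.splitlines():
        r = RDR_RE.match(line.strip())          # only 'rdr ... port X -> dst port Y' lines
        if r and port_number(r["dport"]) not in listening:
            findings.append(f"rdr on {r['iface']} sends port {r['sport']} to "
                            f"{r['dst']}:{r['dport']}, but squid listens on {sorted(listening)}")
    for key, want in REQUIRED_ACCEL.items():
        got = conf.get(key, [None])[-1]          # last occurrence of a directive wins
        if got != want:
            findings.append(f"{key} should be {want!r}, found {got!r}")
    return findings
```

Run `check_transparent_proxy(SQUID_CONF, IPNAT_RULES)` before loading the rules with `ipnat -f`; it returns one finding for the 3128/8080 mismatch and nothing once the rdr target matches http_port.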