 
 From:  edward mzj <edward dot mzj at gmail dot com>
 To:  Jeroen Visser <monowall at forty dash two dot nl>
 Cc:  Ryan Wagoner <Ryan at wgnrs dot dynu dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Settings For Squid Transparent Proxy
 Date:  Tue, 14 Feb 2006 09:12:31 +0800
That's why both the rdr rule and the map rule are needed on the LAN interface:

rdr on ${lan-if} ! from ${ip-of-squid-box}/32 to any port = 80 -> ${ip-of-squid-box}/32 port 3128 tcp

map on ${lan-if} from ${lan-subnet} to ${ip-of-squid-box}/32 port = 3128 -> ${ip-of-lan-if}/32 portmap tcp auto

The 2nd rule ensures that the reply from the squid box to the web clients
goes through the m0n0 box.

2006/2/14, Jeroen Visser <monowall at forty dash two dot nl>:
> Last one on the Transparent Proxy stuff for me.....
>
> I got the files from Ryan and basically what they do is almost completely but not
> entirely (un)like what I did in the config. ;-)
>
> The settings just work fine; you can actually do an outbound NAT on the LAN
> interface to your proxy server. No problem at all....
>
> But here comes the thing I feel COMPLETELY stupid about not seeing sooner,
> like in the first two seconds I looked at it. When putting the proxy in your LAN
> network, where your clients are, you effectively rule out that entire subnet from
> using the proxy. Here is how:
>
> 1. The client "connects" to the web-page you want to see.
>
> 2. The firewall (m0n0) will translate the dest. IP to the proxy IP.
>
> 3. Your proxy IP will then want to return a packet,
>   stating that it's OK to connect to it.
>
> Here comes the trick.
>
> 4. Your client thinks that packet has to come from your DESTINATION.
>   Not the proxy.
>
> 5. And since your proxy is inside the subnet your client is in, the
>   returning packet does NOT go through the m0n0wall and does NOT
>   get natted back to its original IP.
>
> 6. Your client sees this packet, originating from another IP, and discards it.
>
> 7. No Transparent proxy for you in the same subnet sir....
>
> Again, I feel a real NITWIT not seeing this sooner.
> Or did anyone ever post this before ? Then I will crawl back to kindergarten....
>
> (This e-mail does not reflect my current state of mind, I CAN actually laugh about
> it. Don't worry).
>
> --
> Jeroen Visser.
> --
> Sure, we know Unix, we've seen it in Jurassic Park...
>
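The return-path problem Jeroen describes, and the fix edward gives (a map rule in addition to the rdr rule), can be traced packet by packet. The script below is an added example written for this thread; it is not code from the m0n0wall project and does not run ipnat. It models the LAN interface with an rdr table and a map table, applies the two rules in the order they act on a client's SYN, and then delivers squid's reply the way a host on the same subnet would: directly to an on-link destination (bypassing the firewall), or through the firewall only when the reply is addressed to the firewall's own LAN IP. The client accepts the reply only if the full 4-tuple matches the connection it opened. All addresses (192.168.1.0/24, squid at 192.168.1.10:3128, a client at 192.168.1.50, a web server at 203.0.113.5) are constructed for the example, and the port chosen by `portmap ... auto` is simulated with a simple counter.

```python
"""Trace why a transparent proxy on the client's own subnet needs both
an rdr rule and a map rule on the m0n0wall LAN interface.

Added example for the mailing-list thread, not m0n0wall code. All addresses
are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")   # ${lan-subnet}
FW_LAN_IP = "192.168.1.1"                # ${ip-of-lan-if}
SQUID_IP = "192.168.1.10"                # ${ip-of-squid-box}
SQUID_PORT = 3128
CLIENT_IP = "192.168.1.50"               # a web client on the LAN
WEB_IP = "203.0.113.5"                   # some web server on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """The m0n0wall LAN interface with the rdr rule and an optional map rule."""

    def __init__(self, with_map: bool):
        self.with_map = with_map
        self.rdr_state = {}     # (client, sport) -> (original dst, original dport)
        self.map_state = {}     # mapped source port -> (client, sport)
        self.next_port = 40000  # stands in for the port 'portmap tcp auto' picks

    def outbound(self, pkt: Packet) -> Packet:
        """Apply the rules to a packet arriving on the LAN interface from a client."""
        # rdr on lan ! from squid to any port = 80 -> squid port 3128 tcp
        if pkt.src != SQUID_IP and pkt.dport == 80:
            self.rdr_state[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            pkt = Packet(pkt.src, pkt.sport, SQUID_IP, SQUID_PORT)
        # map on lan from lan-subnet to squid port = 3128 -> lan-if portmap tcp auto
        if (self.with_map and ip_address(pkt.src) in LAN_NET
                and pkt.dst == SQUID_IP and pkt.dport == SQUID_PORT):
            mapped = self.next_port
            self.next_port += 1
            self.map_state[mapped] = (pkt.src, pkt.sport)
            pkt = Packet(FW_LAN_IP, mapped, pkt.dst, pkt.dport)
        return pkt

    def inbound_reply(self, pkt: Packet) -> Packet:
        """Undo both translations on a reply that actually reaches the firewall."""
        if pkt.dst == FW_LAN_IP and pkt.dport in self.map_state:   # undo map
            client, sport = self.map_state[pkt.dport]
            pkt = Packet(pkt.src, pkt.sport, client, sport)
        if (pkt.dst, pkt.dport) in self.rdr_state:                 # undo rdr
            orig_dst, orig_dport = self.rdr_state[(pkt.dst, pkt.dport)]
            pkt = Packet(orig_dst, orig_dport, pkt.dst, pkt.dport)
        return pkt


def deliver_reply(fw: Firewall, reply: Packet) -> Packet:
    """Route squid's reply. An on-link destination is reached directly (ARP),
    so the firewall never sees it; only a reply addressed to the firewall's
    own LAN IP, or to an off-subnet address, goes through the firewall."""
    if reply.dst != FW_LAN_IP and ip_address(reply.dst) in LAN_NET:
        return reply                    # straight to the client, untranslated
    return fw.inbound_reply(reply)


def client_accepts(sent: Packet, reply: Packet) -> bool:
    """TCP matches a SYN-ACK to the socket by the full 4-tuple."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == \
           (sent.dst, sent.dport, sent.src, sent.sport)


def simulate(with_map: bool) -> dict:
    """Send one SYN from the client to the web server and report what happens."""
    fw = Firewall(with_map)
    syn = Packet(CLIENT_IP, 51000, WEB_IP, 80)       # client believes it talks to WEB_IP
    at_squid = fw.outbound(syn)                      # what squid actually receives
    squid_reply = Packet(at_squid.dst, at_squid.dport, at_squid.src, at_squid.sport)
    seen_by_client = deliver_reply(fw, squid_reply)
    return {
        "squid_sees_src": at_squid.src,
        "reply_src_seen_by_client": f"{seen_by_client.src}:{seen_by_client.sport}",
        "accepted": client_accepts(syn, seen_by_client),
    }


if __name__ == "__main__":
    for with_map in (False, True):
        print("rdr only" if not with_map else "rdr + map", simulate(with_map))
```

Without the map rule the client gets a reply from 192.168.1.10:3128 for a connection it opened to 203.0.113.5:80, so the 4-tuple does not match and the packet is discarded (step 6 in Jeroen's list). With the map rule squid sees every client as 192.168.1.1, replies to the firewall, and the firewall reverses both translations before the packet reaches the client. The cost a practitioner should keep in mind is that squid's access log and any per-client ACLs now see only the firewall's LAN address, not the real client; moving the proxy to its own interface or subnet avoids both the hairpin and that loss of source information.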