 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0 and squid
 Date:  Sat, 3 Mar 2007 09:25:24 +0000

In message <45E939AF dot 2010104 at gymszbad dot de>, Henning Andreseck
<AndreseckH at gymszbad dot de> writes
>Hi, thank you for your mail.
>I thought about something: don't I need 2 NICs for squid so that it is
>between the m0n0wall and the whole rest of the LAN? I'm not
>sure....sorry. Or does it work with just one NIC, so that the traffic goes
>in and comes out there?
>thank you

There are several possibilities for setting this up.  You could:

a) have two interfaces on the squid server and put it in-line before
m0n0wall, which would allow you to run an intercepting proxy without any
changes to m0n0wall.

b) use Lee's suggestion - you can tell m0n0wall to redirect any HTTP
traffic to the squid server which would only require a single interface
in the machine.  You would have to make sure that any traffic emanating
from the squid server is not caught by the same rule.  This would also
be an intercepting proxy.

c) as you originally suggested - tell m0n0wall to allow all traffic from
the squid server on the LAN and then drop all other traffic from
clients.  Force the clients to use the proxy by either manually
configuring them, configuring them with an auto-proxy config file or
using automatic detection (WPAD).

The last option is by far the best one.  An intercepting proxy
effectively breaks the rules - the client doesn't know anything about
the proxy and believes that it's talking to the destination server.
Using option c you'd also be able to authenticate users if required -
with options a & b the browser will refuse to perform proxy
authentication as it doesn't know there's a proxy!

I use option c on a network with about 3,500 client machines and at
least 2,000 'Internet' users and they authenticate to an LDAP server.



>Lee Sharp schrieb:
>> Henning Andreseck wrote:
>>> hi,
>>> I want to set up a squid before the m0n0wall. I thought about denying all
>>> traffic from my LAN ( to the WAN and allowing only the
>>> proxy. Is this right? I'm not sure. Can I get direct access for a
>>> maybe with opening ports 80 & 21 only for the IP of my server?
>>> Thank you.
>> This is an old e-mail about mail servers, but should work for squid.
>> Jonathan De Graeve wrote:
>> >> Van: Matt Juszczak [mailto:matt at atopia dot net]
>> >> For a client, we need to redirect all outgoing port 25 connections
>> >> through the m0n0wall to a specific IP/port on the INTERNAL lan (so in
>> >> other words, capture all outgoing port 25 connections and redirect
>> > them to
>> >> a specific IP on port 25).... this is to force use of a specific SMTP
>> >> server seamlessly.
>> >>
>> >> Is this possible?
>> > Yes, put this between your nat tags
>> >
>> >         <rule>
>> >             <protocol>tcp</protocol>
>> >             <external-port>25</external-port>
>> >             <target>serveripinhere</target>
>> >             <local-port>25</local-port>
>> >             <interface>lan</interface>
>> >             <descr>redirect SMTP to LAN SMTP server</descr>
>> >         </rule>
>> >
>> > J.

Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
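
As an added illustration of option c above (this is not code from the thread or from the m0n0wall project), here is a proxy auto-config (PAC) file of the kind a client picks up through WPAD or an explicit auto-config URL. The browser calls FindProxyForURL() for every request; everything that is not on the local network is sent to the Squid server, so m0n0wall's LAN rules only need to pass traffic sourced from that one host. The addresses and the domain name are assumptions: a 192.168.1.0/24 LAN, Squid on 192.168.1.10:3128 and an internal domain "school.lan". The PAC engine's own helpers (isInNet, dnsDomainIs, ...) are deliberately not used so the same file also runs under a plain JavaScript interpreter for testing.

```javascript
// Added example PAC file for "option c": clients must go through Squid,
// m0n0wall drops everything else.  Not part of the original thread.
//
// Assumed (hypothetical) values, adjust to your network:
//   LAN            192.168.1.0/24
//   Squid          192.168.1.10, port 3128
//   internal domain school.lan

var SQUID        = "PROXY 192.168.1.10:3128";
var LOCAL_DOMAIN = ".school.lan";
var LOCAL_NET    = "192.168.1.0";
var LOCAL_MASK   = "255.255.255.0";

// Parse a dotted-quad IPv4 address into a 32-bit number; null if it is
// not a valid address (so a hostname never matches the subnet test).
function ip4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var o = parseInt(m[i], 10);
    if (o > 255) return null;
    n = n * 256 + o;
  }
  return n;
}

// Plain-JavaScript equivalent of the PAC helper isInNet(); the helper only
// exists inside a browser's PAC engine.  ">>> 0" keeps the values unsigned
// after the bitwise AND, which otherwise works on signed 32-bit ints.
function inNet(host, net, mask) {
  var h = ip4ToInt(host), n = ip4ToInt(net), m = ip4ToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Destinations reached without the proxy: unqualified names, loopback,
// the internal domain (suffix match, so "school.lan.evil.example" does
// not qualify) and addresses inside the LAN subnet.
function isLocal(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;
  if (host.indexOf("127.") === 0) return true;
  if (host.length > LOCAL_DOMAIN.length &&
      host.slice(-LOCAL_DOMAIN.length) === LOCAL_DOMAIN) return true;
  return inNet(host, LOCAL_NET, LOCAL_MASK);
}

// Entry point called by the browser for every URL.  No "; DIRECT" fallback
// is appended to SQUID on purpose: with option c a direct connection is
// blocked by m0n0wall anyway, so the fallback would only make the browser
// stall on a dropped connection whenever Squid is unreachable.
function FindProxyForURL(url, host) {
  if (isLocal(host)) return "DIRECT";
  return SQUID;
}
```

The file itself must be reachable without the proxy, i.e. served from a LAN web server (for WPAD, as http://wpad.school.lan/wpad.dat with the MIME type application/x-ns-proxy-autoconfig). Because WPAD lets whoever answers for the "wpad" name, or hands out DHCP option 252, decide where every browser sends its traffic, register that name yourself in DNS and keep unmanaged hosts from doing so; this is the one piece of option c that deserves the same scrutiny as the firewall rules.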