 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0 and squid
 Date:  Sun, 4 Mar 2007 21:54:23 +0000

        please don't bother to copy mails to me and the list, just the
list will do (I read them all).  Also, please configure Thunderbird to
send plain text messages only to the list.  And finally, please try not
to top post as it's very easy to lose the thread of messages. Otherwise,
please find relevant comments below:

In message <45EAA9E0 dot 9000906 at gymszbad dot de>, Henning Andreseck
<AndreseckH at gymszbad dot de> writes
>Thank you very much Neil,
>so for option c I only need one interface, is that right? I'm new to
>this, sorry. But I'm reading the Squid handbook :)
>so I will try option c.

That's correct.  For example - if your LAN is 192.168.0/24, your
m0n0wall is and your proxy is then all of your
clients will need to point to (assuming squid is
running on the default port).

You can then either set the rules as follows:

Allow to go to port 80 on the Internet
Deny everything else


Deny ! to port 80
Allow LAN to Internet

It very much depends on how you want to configure things.  I'd use the
first in a corporate environment (everything that isn't allowed is
denied) and the second in a home network where I don't mind my clients
going directly for non-standard ports, etc.

Take a look at http://en.wikipedia.org/wiki/Wpad for detailed
information on WPAD and the external links give further information.

>Neil A. Hillard wrote:
>  Hi,
>  In message <45E939AF dot 2010104 at gymszbad dot de>, Henning Andreseck
>  <AndreseckH at gymszbad dot de> writes
>> Hi, thank you for your mail.
>>    I thought about something: don't I need 2 NICs for squid so that it
>>    is between the m0n0wall and the whole rest of the LAN? I'm not
>>    sure....sorry. Or does it work with just one NIC that the traffic
>>    goes in and comes out there?
>>    thank you
>  There are several possibilities for setting this up.  You could:
>  a) have two interfaces on the squid server and put it in-line before
>  m0n0wall which would allow you to run an intercepting proxy without any
>  changes to m0n0wall.
>  b) use Lee's suggestion - you can tell m0n0wall to redirect any HTTP
>  traffic to the squid server which would only require a single interface
>  in the machine.  You would have to make sure that any traffic emanating
>  from the squid server is not caught by the same rule.  This would also
>  be an intercepting proxy.
>  c) as you originally suggested - tell m0n0wall to allow all traffic from
>  the squid server on the LAN and then drop all other traffic from
>  clients.  Force the clients to use the proxy by either manually
>  configuring them, configuring them with an auto-proxy config file or use
>  automatic detection (WPAD).
>  The last option is by far the best one.  An intercepting proxy
>  effectively breaks the rules - the client doesn't know anything about
>  the proxy and believes that it's talking to the destination server.
>  Using option c you'd also be able to authenticate users if required -
>  with options a & b the browser will refuse to perform proxy
>  authentication as it doesn't know there's a proxy!
>  I use option c on a network with about 3,500 client machines and at
>  least 2,000 'Internet' users and they authenticate to an LDAP server.
>  HTH,
>                                  Neil.
>> Lee Sharp wrote:
>>>   Henning Andreseck wrote:
>>>>     hi,
>>>>        I want to set up a squid before the m0n0wall. I thought about
>>>>        denying all traffic from my LAN ( to the WAN and allowing only
>>>>        the proxy. Is this right? I'm not sure. Can I get direct access
>>>>        for a server?
>>>>        Maybe with opening port 80&21 only for the IP of my server?
>>>>        Thank you.
>>>      This is an old e-mail about mail servers, but should work for
>>>      squid.
>>>      Jonathan De Graeve wrote:
>>>>>    From: Matt Juszczak [mailto:matt at atopia dot net]
>>>>>          For a client, we need to redirect all outgoing port 25
>>>>>          connections through the m0n0wall to a specific IP/port on the
>>>>>          INTERNAL LAN (so in other words, capture all outgoing port 25
>>>>>          connections and redirect them to a specific IP on port 25)....
>>>>>          this is to force use of a specific SMTP server seamlessly.
>>>>>          Is this possible?
>>>>     Yes, put this between your nat tags
>>>>                <rule>
>>>>                    <protocol>tcp</protocol>
>>>>                    <external-port>25</external-port>
>>>>                    <target>serveripinhere</target>
>>>>                    <local-port>25</local-port>
>>>>                    <interface>lan</interface>
>>>>                    <descr>redirect SMTP to LAN SMTP server</descr>
>>>>                </rule>
>>>>        J.

Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
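The "auto-proxy config file" that option c relies on, as an added example that is not part of this thread: a minimal PAC (wpad.dat) that sends LAN and intranet traffic direct and everything else to squid, with no DIRECT fallback, since under the "allow proxy, deny everything else" ruleset a fallback would only produce blocked connections. The proxy address 192.168.0.2 is a placeholder (the archive dropped the real addresses), the LAN 192.168.0/24 is taken from the thread, and squid's default port 3128 is assumed.

```javascript
// Constructed values: the archive dropped the real addresses, so these are placeholders.
var PROXY_HOST = "192.168.0.2";   // squid server on the LAN (assumed)
var PROXY_PORT = 3128;            // squid's default listening port
var LAN_NET = "192.168.0.0";      // LAN from the thread: 192.168.0/24
var LAN_MASK = "255.255.255.0";

// Browsers provide isPlainHostName/isInNet to PAC scripts.  To run this file
// stand-alone (e.g. under node) minimal versions are defined only when they
// are missing; this isInNet handles dotted-quad hosts and does no DNS lookup.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}
if (typeof isInNet === "undefined") {
  globalThis.isInNet = function (host, net, mask) {
    var h = host.split(".").map(Number);
    var n = net.split(".").map(Number);
    var m = mask.split(".").map(Number);
    if (h.length !== 4 || h.some(isNaN)) return false;   // not an IPv4 literal
    for (var i = 0; i < 4; i++) {
      if ((h[i] & m[i]) !== (n[i] & m[i])) return false;
    }
    return true;
  };
}

// Entry point the browser calls for every URL.
function FindProxyForURL(url, host) {
  // Plain intranet names and LAN addresses go direct: the firewall only
  // restricts the path from clients to the Internet, not LAN-to-LAN traffic.
  if (isPlainHostName(host) || isInNet(host, LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // Everything else must go through squid; deliberately no "; DIRECT" fallback.
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}
```

For WPAD the file is served as http://wpad.<your-domain>/wpad.dat with the MIME type application/x-ns-proxy-autoconfig; the same file can also be handed to clients directly as a manually configured auto-proxy URL.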