Recently, Henrik Nordstrom talked about "Re: squid.conf (udp_incoming/outgoing_address)", and said
>
> Matthew Petach wrote:
>
> > Hm. Can the tcp_incoming_address be set to 0.0.0.0
> > to have Squid listen for incoming connections sent
> > to ANY ip address on port 80 when running in
> > acceleration mode, to act as a transparent
> > proxy without needing the ip firewall/NAT
> > address translation portion?
>
> No. Binding to 0.0.0.0 is the default, listen on all available
> interfaces.
Hm. All *available* interfaces. What about running the NIC
in promiscuous mode, and simply having squid listen for ANY
inbound packet destined for whatever port the conf file specifies?
That way, you can remove the requirement for the ipfwadm, etc.
> Transparent proxying using ipfwadm, ipfilter or another network
> translation tool is a different issue. Here you have to force the host
> to accept ANY destination as local... If using ipfilter then Squid needs
> to be listening on the interface where the traffic is redirected, if
> using ipfwadm then Squid needs to be listening on 127.0.0.1.. The
> default 0.0.0.0 is fine in all cases.
Right; my argument is that it would be nice to be able to have Squid
have this capability, since all it entails is setting the interface
into promiscuous mode, and listening for any port destined for a
given port. That way, transparent proxying simply becomes a matter
of setting some config file options, and having a startup wrapper
that runs as root just long enough to change the network interface
mode to promiscuous, then setuid to the squid user. And, a big
warning in the FAQ and readme file that it is not recommended that
Squid be run in promiscuous mode on shared machines, due to security
concerns.
> ---
> Henrik Nordström
> Sparetime Squid Hacker
Matt
-- InterNex Information Services | Matthew Petach {MP59} Senior Network Engineer | mpetach@internex.net 2306 Walsh Avenue | Tel: (408) 327-2211 Santa Clara, CA 95051 | Fax: (408) 496-5484Received on Sat Feb 28 1998 - 18:27:38 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:39:02 MST