On Wed, 15 Oct 2003, Daniel Barron wrote:
> For various reasons I need to run squid transparently proxying but not on
> the firewall.
Then you need to teach the firewall to route port 80 traffic to the Squid
server without chaning the destination IP address, and your Squid server
need to know to route all return traffic to the clients via the
firewall (well.. depending on the firewall and how in redirects port 80
traffic)
> To do this I have set the squid box as default route on the clients and
> configured squid 2.5 to work transparently. The squid box's default route
> is the firewall. Yes I know this is a bit odd but does have advantages
> such as when the firewall is an appliance that can't have squid installed.
This also works, but has drawbacks in that the Squid box becomes a single
point of failure for all your client Internet traffic, not just browsing.
> The problem is that the clients automagically reroute bypassing the squid
> box and go directly to the firewall. Thus not being transparently proxied.
You probably have not disabled sending of redirects in the TCP/IP stack of
the Squid server.
> I thought it might be icmp redirects so have switched it off in
> /proc/sys/net/ipv4/conf/*/send_redirects
>
> but this made no difference.
It should. There is no other mechanism whereby router clients can be told
to use another router.
Regards
Henrik
Received on Wed Oct 15 2003 - 14:45:14 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:20:30 MST