When a request hits the firewall on port 80 (or whatever you configure
it to be), the packets are simply redirected to the destination
server. No, you don't need to run another server on the firewall. I
presume that the squid httpd was running on the inside server (squid
box), right?
PGP Fingerprint: 22 68 D5 18 7F 3D D2 28 38 97 90 97 17 55 61 59
GPG Fingerprint: D5C0 2D79 F517 EEB6 D30B 58B3 9E37 E7CA 47A9 56EE
Opinions expressed here do not necessarily express the opinions of
Mentor Graphics or its subsidiaries.
On Wed, 9 Aug 2000, Pranav A. Desai wrote:
> thanks guys!
>
> Dave - your idea of having additional NICs is not feasible in my case.
> I didn't mention it in my earlier mail, but it's a TrinityOS firewall, just
> for information's sake, so that you can get a good idea. My firewall is
> almost as it is given by them. Even my network setup is the same. They
> have mentioned in their documentation that you can forward all port 80
> etc. connections to an internal masqueraded machine. I tried doing
> ipmasqadm as mentioned in there, but it didn't work.
>
> As for your second idea, it's fine if all the clients are within the
> network. But I have to give access to clients outside the firewall, so
> they can't configure their browser to make the squid machine the proxy,
> because the IP of squid is not recognized outside the firewall.
>
> Boyle - I did try doing ipmasqadm portfw .......
>
> Do I have to start the httpd service for accepting traffic? Because I don't want
> to. I just want the server running the firewall to forward http to the squid
> box.
>
> thanks again
>
> pranav
>
> *******************************************************************
>
> Pranav A. Desai
> 4309 Pease Street, Apt #6
> Houston, TX - 77023
> U.S.A.
>
> Home :- (713) 926-1045
>
> *******************************************************************
>
> On Thu, 10 Aug 2000, dave wrote:
>
> > hi,
> >
> > ipchains will only allow you to redirect to a local port on the host,
> >
> > i.e. if squid was running on the local box (firewall) then you could do
> > ipchains -A input -p tcp -s $any -d $any 80:80 -i eth0 -j REDIRECT 3128
> >
> > (you can bind squid to a different port but the purpose remains the same)
> >
> > now if you don't want to run squid on the firewall you would have to route
> > the traffic to it, which effectively will route all internal traffic to
> > the squid box. You could then add your ipchains ruleset on the squid box.
> > You would then have to configure another NIC on the squid box to connect
> > to another NIC on the firewall which would then route traffic to the WAN
> > device. Picture it like this:
> >
> > [client]--------[e0-firewall] [e2-firewall]-----[router/wan]
> >                 [e1-firewall]           |
> >                       |                 |
> >                       |                 |
> >                       |                 |
> >                 [e0-squid]------------[e1-squid]
> >
> > so the firewall would effectively operate as redirector for traffic.
> > you could allow whatever other traffic passive traversal and redirect
> > squid.
> >
> > now does this seem insane? why do you want to house squid on a separate
> > box anyway, you could as easily beef up a single box and run squid.
> >
> > NOW...here's the INSANE part, squid is a web proxy, browsers are web proxy
> > configurable, why don't you deny port 80 on the firewall from all hosts bar
> > the squid box and simply config all clients for squid proxying in their
> > browser settings.
> >
> > just an idea.
> >
> > regards,
> > dave.
> >
> > > hi!
> > > I have a firewall on a Linux machine. It's basically a packet filtering
> > > one. I have installed squid on one of the machines in my network.
> > > I want to redirect all http traffic coming to the firewall to this
> > > machine having squid. I don't want to install squid on the firewall, I
> > > just want it to forward all http packets to the squid machine.
> > > How can I do this?
> > > I tried a few things with ipchains.
> > >
> > > ipchains -A input -p tcp -i eth1 -s $ALL -d $EXTIP 80 -j ACCEPT
> > >
> > > but it didn't work.
> > > Do I need to do anything specific?
> > >
> > >
> > >
> > > thank you
> > > --pranav.
> > >
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> > >
> >
> > +-----------------------------+
> > | Dave Ryan                   |
> > | Default Security            |
> > | http://www.default.org.uk   |
> > +-----------------------------+
> >
> >
>
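The rule set the top reply describes (port 80 on the firewall's external address handed to the inside squid box by ipmasqadm portfw, with no daemon running on the firewall), written out as an added example; it is not from any poster in this thread or from TrinityOS. It follows dave's point that ipchains REDIRECT only reaches a local port: forwarding to another host needs the 2.2-kernel masquerading code (IPPORTFW) driven by ipmasqadm, not an ipchains target. The interface eth0, the addresses 192.0.2.1 (firewall, external), 192.168.1.0/24 (inside) and 192.168.1.10:3128 (squid) are hypothetical; override them with EXTIF and INTNET or pass your own addresses. Two things the thread does not spell out: the squid box must use the firewall as its default gateway so replies pass back through the masquerade table, and a squid reachable from the Internet this way is an open proxy unless its http_access ACLs limit who may use it.

```shell
#!/bin/sh
# Added example, not from the thread or from TrinityOS: forward TCP/80 on the
# firewall's external address to an internal squid box with ipmasqadm portfw.
# Needs a 2.2 kernel built with IP masquerading and IPPORTFW support.
# Hypothetical defaults, override via the environment:
EXTIF=${EXTIF:-eth0}                 # interface facing the Internet
INTNET=${INTNET:-192.168.1.0/24}     # inside network that gets masqueraded

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255,
# so a typo cannot turn into a rule that forwards to the wrong host.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(IFS=.; echo $1)
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# portfw_rules EXTIP SQUIDIP [SQUIDPORT]: print the commands, one per line.
# Order matters: the input chain must accept the packet before portfw sees
# it, the forward chain must pass the rewritten packet on to squid, and the
# MASQ rule on INTNET is what carries squid's replies back through the
# masquerade table to the outside client.
portfw_rules() {
    extip=$1 squid=$2 squidport=${3:-3128}
    is_ipv4 "$extip" && is_ipv4 "$squid" || return 1
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -A input -p tcp -i $EXTIF -d $extip 80 -j ACCEPT
ipchains -A forward -p tcp -d $squid $squidport -j ACCEPT
ipchains -A forward -s $INTNET -j MASQ
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $extip 80 -R $squid $squidport
EOF
}

# apply_rules EXTIP SQUIDIP [SQUIDPORT]: execute the rules as root; sh -e
# stops at the first command that fails so a half-applied set is obvious.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    portfw_rules "$@" | sh -e
}

# Usage: sh portfw.sh EXTIP SQUIDIP [SQUIDPORT]          print the rules
#        APPLY=1 sh portfw.sh EXTIP SQUIDIP [SQUIDPORT]  apply them
if [ $# -ge 2 ]; then
    if [ "${APPLY:-0}" = 1 ]; then apply_rules "$@"; else portfw_rules "$@"; fi
fi
```

Run it with the two addresses to print the rules for review before anything touches the kernel; with APPLY=1 as root it executes them, after which `ipmasqadm portfw -l` should list the single forwarding entry. Nothing in the set puts a listener on the firewall itself, which is the point of the top reply.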