Craig Caughlin wrote:
Hi folks,
I see in Tom's documentation for Shorewall that he runs Squid
transparently on a box in his DMZ rather than on his LAN, and I'm just
curious why?

Without trying to speak for Tom, at least one reason to run Squid in a DMZ (or some other network besides the main internal net) is to allow true transparent proxying.


By definition, the clients of a transparent proxy do not realize they are actually using a proxy server. By putting the Squid box outside the main network, internal clients simply access web sites as before.

Routing/firewall rules on the Shorewall box can then direct all port 80 traffic to the Squid box, which will transparently proxy/cache the requests.

If the Squid box was on the internal net, it would not be truly transparent to the clients, who could easily tell their requests were being proxied and answered by a local system. There would also be some amount of low-level confusion caused by this setup, perhaps enough to break basic web functionality (depends somewhat on exactly how everything is set up, as well as the OS's & TCP/IP stacks involved).

--
Charles Steinkuehler
[EMAIL PROTECTED]
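
Added example, not part of the original message: a small Python model of one well-known way the same-LAN placement breaks, assuming the firewall steers port 80 to Squid with destination NAT. All addresses and function names are constructed for illustration; a setup that uses policy routing instead behaves differently.

```python
import ipaddress

# Constructed addresses: internal LAN, a client, and a public web server.
LAN = ipaddress.ip_network("192.168.1.0/24")
CLIENT, WEB_SERVER = "192.168.1.10", "203.0.113.80"

def firewall_dnat(pkt, squid_ip, conntrack):
    """Firewall rewrites the destination of port-80 traffic to the Squid box
    and remembers the original destination so it can undo the rewrite."""
    conntrack[(pkt["src"], pkt["sport"])] = pkt["dst"]
    return dict(pkt, dst=squid_ip)

def squid_reply(pkt):
    """Squid answers from its own address to the packet's source."""
    return {"src": pkt["dst"], "sport": pkt["dport"],
            "dst": pkt["src"], "dport": pkt["sport"]}

def route_reply(reply, conntrack):
    """Same subnet: the reply goes straight to the client and the firewall
    never sees it. Different subnet: it crosses the firewall, which restores
    the original server address as the source."""
    if (ipaddress.ip_address(reply["src"]) in LAN
            and ipaddress.ip_address(reply["dst"]) in LAN):
        return reply
    original_dst = conntrack[(reply["dst"], reply["dport"])]
    return dict(reply, src=original_dst)

def client_accepts(request, reply):
    """A TCP client only accepts segments from the peer it connected to."""
    return (reply["src"], reply["sport"], reply["dport"]) == (
        request["dst"], request["dport"], request["sport"])

def simulate(squid_ip):
    """Return (client accepted the reply?, source address the client saw)."""
    conntrack = {}
    request = {"src": CLIENT, "sport": 40000, "dst": WEB_SERVER, "dport": 80}
    redirected = firewall_dnat(request, squid_ip, conntrack)
    reply = route_reply(squid_reply(redirected), conntrack)
    return client_accepts(request, reply), reply["src"]

if __name__ == "__main__":
    print("Squid in DMZ :", simulate("192.168.2.3"))
    print("Squid on LAN :", simulate("192.168.1.3"))
```

With Squid in the DMZ the reply returns through the firewall and appears to come from the web server; with Squid on the LAN the client sees a reply from an address it never contacted and drops it.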




-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
