Bevan wrote on 05/06/15 13:17:
Unless I am reading this wrong, that is what I am reading here on the
below links.
http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
https://squidproxy.wordpress.com/2014/12/19/squid-3-2-mythbusting-nat/
I observe that the NAT comment is under the *Workaround* heading and not
under the heading of *Fix*.
What it says is untrusted users could talk to the squid process directly
and do "bad things".
Is there a risk of untrusted malicious users being on the network
between pfsense and squid box?
I expect all the untrusted users would be on the captive portal of the
pfsense box.
Have you considered moving squid to the pfsense box, which satisfies a
suggested workaround, "ensure that NAT is performed on the same box as Squid"?
To repeat - a network map or diagram would help with understanding your
layout.
--
CF
_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users