Re: MSIE automatic proxy config
Shachar Shemesh wrote:

> You will find that your solution forwards ALL outbound packets to the proxy machine. Not just those aimed at port 80.
>
> You are then left with my original problem - I don't want to penalise the entire office traffic with an extra hop (actually - extra two hops and a routing loop in your solution), just because I want to implement a transparent proxy. A much simpler solution for me is to block all communication to port 80 outbound, and force everyone to manually configure the proxy or they don't get web access.

And once again I must say: "Don't think so 3rd layer, JeanLuke".

I was about to explain how to build a 2nd level (OSI) bridging proxy but someone already did: http://perso.wanadoo.fr/magpie/EtherDivert.html

No extra hop, no need for another subnet, batteries not included...

I do suggest, however, that you use the new bridge patch ported from 2.4.0-testx that can be found at http://www.openrock.net/bridge and not the original 2.2.x bridging code.

Gilad.

--
Gilad Ben-Yossef [EMAIL PROTECTED] http://kagoor.com | +972(9)9565333 x230 | +972(54)756701
"I've been seduced by the chocolate side of the force."

= To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
Re: MSIE automatic proxy config
Gilad Ben-Yossef wrote:

> And once again I must say: "Don't think so 3rd layer, JeanLuke".

I am not, number 1.

> I was about to explain how to build a 2nd level (OSI) bridging proxy but someone already did: http://perso.wanadoo.fr/magpie/EtherDivert.html
>
> No extra hop, no need for another subnet, batteries not included...

Oh, but you do add an extra hop. The fact that no IP protocol is aware of that does not change the fact that you now require all your traffic to be directed through your box. The box still acts as a router (actually, a bridge, but same difference), and the performance penalties are still being paid (though I have to admit that it's probably less of a penalty).

> I do suggest, however, that you use the new bridge patch ported from 2.4.0-testx that can be found at http://www.openrock.net/bridge and not the original 2.2.x bridging code.
>
> Gilad.

Actually, I'll stick with forcing everyone to move to an explicit proxy by means of filtering. I do have access to the router.

Shachar
Re: MSIE automatic proxy config
On Sun, 27 Aug 2000, Shachar Shemesh wrote:

>> maybe you should start thinking then ;) . if a "regular router" = cisco - then, yes, it can do that, and much more (depending on the version of its IOS).
>
> Maybe, but not as explained in your email.

actually, _exactly_ as explained in my email.

>> this will be done with no address translation on the router - it just is told that the 'next hop' towards the target address,
>
> The "target address" is the entire internet. You are referring to the default route?

no. i think what i'm referring to falls under the specification of "policy routing".

>> is the proxy machine. that proxy machine then needs to understand (via normal routing rules) that any packet it received, targeted for port 80 and an IP that does not belong to the local machine, should be injected into the proxy server's module. that doesn't _have_ to be implemented using NAT (although it _might_ be done this way if it simplifies stuff).
>
> Yes, I agree. I have no problem with implementing NAT on the proxy machine, BUT...

_if_ at all one needs NAT for that... or NAT in _any_ classical sense of the word (according to your broad definitions, any use of a proxy server is actually an introduction of NAT, since not the original machine's address is being shown in the FROM address of the packet being sent out, but a different one (that of the proxy)).

> You will find that your solution forwards ALL outbound packets to the proxy machine. Not just those aimed at port 80.

actually, i won't. i'm talking of something that is actually used and works as stated. i'm not sure how proficient you are with Cisco's IOS - you might want to read their documentation before you state that this cannot be done - because it is already being done. in fact, if one bothers reading IOS's docs, one can do all sorts of non-standard things with their routers.

> You are then left with my original problem - I don't want to penalise the entire office traffic with an extra hop (actually - extra two hops and a routing loop in your solution), just because I want to implement a transparent proxy. A much simpler solution for me is to block all communication to port 80 outbound, and force everyone to manually configure the proxy or they don't get web access.

simpler to whom exactly?

btw, please note that normally in our holy land, access bandwidth used to a proxy server is MUCH MUCH smaller than the capacity of the LAN on which this access is performed, so under common Israeli circumstances, this waste of resources is not really an issue. surely, things are better if all browsers are properly configured (less bandwidth wasted, about 1-3 milliseconds saved for each HTTP connection, and fewer router CPU cycles are wasted) but sometimes it's easier and cheaper to support transparent proxying in this way, than to support users with setting up the proxy properly.

and since i think we're losing our on-topicness by the minute here, i think that if you still question Cisco's IOS features, we'll move this discussion to private email.

guy
"For world domination - press 1, or dial 0, and please hold, for the creator." -- nob o. dy
Re: MSIE automatic proxy config
guy keren wrote:

> _if_ at all one needs NAT for that... or NAT in _any_ classical sense of the word (according to your broad definitions, any use of a proxy server is actually an introduction of NAT, since not the original machine's address is being shown in the FROM address of the packet being sent out, but a different one (that of the proxy)).
>
> guy

Actually, NAT by the classical definition is any situation in which a "router" modifies the packets it routes, but does leave the essence there. What you call "NAT", is actually called "IP Masquerading", and is a particular instance of NAT.

A proxy is not a NAT. This is both because the packets are aimed at it (which is not really the reason, as this holds true also of a transparent proxy), and because it then initiates a totally different TCP connection with the real machine. Different source IP, different TCP SYN numbering, different request. Everything is brand new.

As for the topic I was referring to at the beginning, I will look up policy routing on CISCO, even though it is not applicable to my particular case this time.

Shachar
Re: MSIE automatic proxy config
Shachar Shemesh wrote:

>> Gilad Ben-Yossef wrote:
>>
>> And once again I must say: "Don't think so 3rd layer, JeanLuke".
>
> I am not, number 1.

hehehe... I think in the movie it was the Borg Queen that said that ;-)

>> I was about to explain how to build a 2nd level (OSI) bridging proxy but someone already did: http://perso.wanadoo.fr/magpie/EtherDivert.html
>>
>> No extra hop, no need for another subnet, batteries not included...
>
> Oh, but you do add an extra hop. The fact that no IP protocol is aware of that does not change the fact that you now require all your traffic to be directed through your box. The box still acts as a router (actually, a bridge, but same difference), and the performance penalties are still being paid (though I have to admit that it's probably less of a penalty).

That's not so accurate. It is an extra hop if you consider "a hop" every piece of networking equipment the packet (or Ethernet frame) passed on its merry way. But really - do you count the switches inside your LAN as hops? For me a "hop" is really a router, something that decreases TTL. A bridge is really not much more than a repeater. The work that is being done on a frame (which is not intended for the Proxy) is much smaller with a bridge.

In addition, you do not have to "create" another subnet for the bridge, you don't have to change the router configuration for the bridge, you can replace the bridge with a simple CAT5 cable in case of need and you can put a switch in parallel to the bridge (giving it low STP priority) and get an instant hot failover solution without doing much.

In short - I understand why you say it is a hop, but the situation is rather different from a "real" hop.

..which isn't quite relevant to the question whether you want to install another machine or not just so the lusers can get their pr0n faster ;-)

--
Gilad Ben-Yossef [EMAIL PROTECTED] http://kagoor.com | +972(9)9565333 x230 | +972(54)756701
"I've been seduced by the chocolate side of the force."
Re: MSIE automatic proxy config
Hi Guy and everyone,

guy keren wrote:

> maybe you should start thinking then ;) . if a "regular router" = cisco - then, yes, it can do that, and much more (depending on the version of its IOS).

Maybe, but not as explained in your email.

> this will be done with no address translation on the router - it just is told that the 'next hop' towards the target address,

The "target address" is the entire internet. You are referring to the default route?

> is the proxy machine. that proxy machine then needs to understand (via normal routing rules) that any packet it received, targeted for port 80 and an IP that does not belong to the local machine, should be injected into the proxy server's module. that doesn't _have_ to be implemented using NAT (although it _might_ be done this way if it simplifies stuff).

Yes, I agree. I have no problem with implementing NAT on the proxy machine, BUT...

> guy

You will find that your solution forwards ALL outbound packets to the proxy machine. Not just those aimed at port 80.

You are then left with my original problem - I don't want to penalise the entire office traffic with an extra hop (actually - extra two hops and a routing loop in your solution), just because I want to implement a transparent proxy. A much simpler solution for me is to block all communication to port 80 outbound, and force everyone to manually configure the proxy or they don't get web access.

Shachar
Re: MSIE automatic proxy config
> Gilad Ben-Yossef wrote:
>
>> Gavrie Philipson wrote:
>>
>>> Why would the router have to perform NAT? It just has to block outgoing connections to port 80, and reroute them to the port that Squid listens on.
>>
>> Routing the packets meant for the remote web server to the proxy won't do any good. The proxy only listens to packets meant for it. Therefore the router will have to re-write the packets so that they seem to be directed to the proxy server. By definition, this is Network Address Translation, although it is different from the more common case where the reasoning is to hide many machines behind one IP.
>
> You are mistaken. When Squid is configured in transparent mode, it'll listen to all packets passing through it -- no address translation needed. See, for example, http://www.unxsoft.com/transproxy-linux21-squid2.html for details.

Ah... but this page specifically (item #7) instructs the seekers of transparent proxies to turn the *kernel* IPchains firewalling/NAT code on and use its transparent proxy option. What this option does is rewrite packets going through the machine (the "forward" chain, in IPChains speak) to reach a local socket instead.

Now I agree that the packets are never released onto the network, but they are rewritten so that the local machine IP stack will send them to the local socket.

You know what, it's a borderline case. Let's call it a draw ;-)

--
Gilad Ben-Yossef [EMAIL PROTECTED] http://kagoor.com | +972(9)9565333 x230 | +972(54)756701
"I've been seduced by the chocolate side of the force."
Re: MSIE automatic proxy config
Gilad Ben-Yossef wrote:

> Ah... but this page specifically (item #7) instructs the seekers of transparent proxies to turn the *kernel* IPchains firewalling/NAT code on and use its transparent proxy option. What this option does is rewrite packets going through the machine (the "forward" chain, in IPChains speak) to reach a local socket instead.
>
> Now I agree that the packets are never released onto the network, but they are rewritten so that the local machine IP stack will send them to the local socket.
>
> You know what, it's a borderline case. Let's call it a draw ;-)
>
> --
> Gilad Ben-Yossef [EMAIL PROTECTED] http://kagoor.com | +972(9)9565333 x230 | +972(54)756701
> "I've been seduced by the chocolate side of the force."

Actually, I don't believe in draws. Either I need to route all my traffic through the linux machine, or I don't. If I do - I don't care whether NAT is being employed or not. If I don't, I don't care either.

What I see here is that I need to install on my router a rule that says, more or less, "If the packet is destined to go to port 80 of any machine, route it to the proxy, otherwise, route it usually". I don't think a regular router can do such a thing. I don't even think that CheckPoint's FW-1 can do such a thing. It can do exactly what I wanted to begin with (i.e. - change packets so that they all go to the proxy machine), but that's a NAT again.

Shachar
Re: MSIE automatic proxy config
Gavrie Philipson wrote:

> Whatever you call it, it's not something specific to Linux. I have no experience with Checkpoint firewalls (IIRC, that's what Shachar mentioned), but surely they can redirect a packet from one port to another one?
>
> Gavrie.
>
> --
> Gavrie Philipson
> Netmor Applied Modeling Research Ltd.

Actually, since the TCP port is part of the TCP header, which is in turn a part of the IP message, you must be able to rewrite an IP packet in order to do this forwarding you mention. Being able to do that qualifies you as a NAT. Yes, CheckPoint FireWalls can do that, because they can do NAT. A router cannot do that.

Shachar
Re: MSIE automatic proxy config
Gavrie Philipson wrote:

> Whatever you call it, it's not something specific to Linux. I have no experience with Checkpoint firewalls (IIRC, that's what Shachar mentioned), but surely they can redirect a packet from one port to another one?
>
> Gavrie.
>
> --
> Gavrie Philipson
> Netmor Applied Modeling Research Ltd.

P.S. CheckPoint FW's can also do transparent proxying for HTTP (for security reasons) directly.
Re: MSIE automatic proxy config
Shachar Shemesh wrote:

>> Gilad Ben-Yossef wrote:
>>
>> You know what, it's a borderline case. Let's call it a draw ;-)
>
> Actually, I don't believe in draws. Either I need to route all my traffic through the linux machine, or I don't. If I do - I don't care whether NAT is being employed or not. If I don't, I don't care either.
>
> What I see here is that I need to install on my router a rule that says, more or less, "If the packet is destined to go to port 80 of any machine, route it to the proxy, otherwise, route it usually". I don't think a regular router can do such a thing. I don't even think that CheckPoint's FW-1 can do such a thing. It can do exactly what I wanted to begin with (i.e. - change packets so that they all go to the proxy machine), but that's a NAT again.

Yes, Firewall-1 supports it (and calls it NAT too! ;-) . See http://www.phoneboy.com/fw1/faq/0022.html

--
Gilad Ben-Yossef [EMAIL PROTECTED] http://kagoor.com | +972(9)9565333 x230 | +972(54)756701
"I've been seduced by the chocolate side of the force."
Re: MSIE automatic proxy config
On Thu, 24 Aug 2000, Shachar Shemesh wrote:

> What I see here is that I need to install on my router a rule that says, more or less, "If the packet is destined to go to port 80 of any machine, route it to the proxy, otherwise, route it usually". I don't think a regular router can do such a thing.

maybe you should start thinking then ;) . if a "regular router" = cisco - then, yes, it can do that, and much more (depending on the version of its IOS). this will be done with no address translation on the router - it just is told that the 'next hop' towards the target address, is the proxy machine. that proxy machine then needs to understand (via normal routing rules) that any packet it received, targeted for port 80 and an IP that does not belong to the local machine, should be injected into the proxy server's module. that doesn't _have_ to be implemented using NAT (although it _might_ be done this way if it simplifies stuff).

guy
"For world domination - press 1, or dial 0, and please hold, for the creator." -- nob o. dy
Re: MSIE automatic proxy config
Shachar Shemesh wrote:

> Doesn't that require that the router handling all the traffic be a NAT machine? At our place we currently have a CheckPoint FW-1 firewall, and I am not sure that it supports transparent proxying (though it is quite possible that it does, Linux isn't the only solution, you know). I don't think adding another machine will be a good idea.

Shachar,

Why would the router have to perform NAT? It just has to block outgoing connections to port 80, and reroute them to the port that Squid listens on.

Gavrie.

--
Gavrie Philipson
Netmor Applied Modeling Research Ltd.
Re: MSIE automatic proxy config
Gavrie Philipson wrote:

>> Shachar Shemesh wrote:
>>
>> Doesn't that require that the router handling all the traffic be a NAT machine? At our place we currently have a CheckPoint FW-1 firewall, and I am not sure that it supports transparent proxying (though it is quite possible that it does, Linux isn't the only solution, you know). I don't think adding another machine will be a good idea.
>
> Why would the router have to perform NAT? It just has to block outgoing connections to port 80, and reroute them to the port that Squid listens on.

Routing the packets meant for the remote web server to the proxy won't do any good. The proxy only listens to packets meant for it. Therefore the router will have to re-write the packets so that they seem to be directed to the proxy server. By definition, this is Network Address Translation, although it is different from the more common case where the reasoning is to hide many machines behind one IP.

Gilad.

--
Gilad Ben-Yossef [EMAIL PROTECTED] http://kagoor.com | +972(9)9565333 x230 | +972(54)756701
"I've been seduced by the chocolate side of the force."
Re: MSIE automatic proxy config
Gilad Ben-Yossef wrote:

>>> Gavrie Philipson wrote:
>>>
>>> Shachar Shemesh wrote:
>>>
>>> Doesn't that require that the router handling all the traffic be a NAT machine? At our place we currently have a CheckPoint FW-1 firewall, and I am not sure that it supports transparent proxying (though it is quite possible that it does, Linux isn't the only solution, you know). I don't think adding another machine will be a good idea.
>>
>> Why would the router have to perform NAT? It just has to block outgoing connections to port 80, and reroute them to the port that Squid listens on.
>
> Routing the packets meant for the remote web server to the proxy won't do any good. The proxy only listens to packets meant for it. Therefore the router will have to re-write the packets so that they seem to be directed to the proxy server. By definition, this is Network Address Translation, although it is different from the more common case where the reasoning is to hide many machines behind one IP.

You are mistaken. When Squid is configured in transparent mode, it'll listen to all packets passing through it -- no address translation needed. See, for example, http://www.unxsoft.com/transproxy-linux21-squid2.html for details.

Gavrie.

--
Gavrie Philipson
Netmor Applied Modeling Research Ltd.
MSIE automatic proxy config
hi

I have a linux proxy (squid) and a linux dhcpd.
how do i config a client MSIE to automatically find the proxy ?

thanks
erez
Re: MSIE automatic proxy config
On Tue, 22 Aug 2000, Erez Doron wrote:

> hi
>
> I have a linux proxy (squid) and a linux dhcpd.
> how do i config a client MSIE to automatically find the proxy ?

See the squid docs for some information about client autoconfiguration (works for netscape and IE). For me this (together with a sample from http://www.technion.ac.il/proxy.pac) was enough.

I don't think dhcp could be used here (can it?)

However - I have no idea what IE's "automatic proxy configuration" is. Anybody?

--
Tzafrir Cohen
http://www.technion.ac.il/~tzafrir
Re: MSIE automatic proxy config
you need to write a .pac file and to put it on a web server. then you use the automatic proxy configuration script on the IE connection.

You can also use a transparent proxy so you will not have to configure anything.

Mike

---
Mofet Institute - Computer Dpt.
+972-3-6901415
+972-52-562237

----- Original Message -----
From: "Erez Doron" [EMAIL PROTECTED]
To: "ILUG" [EMAIL PROTECTED]
Sent: Tuesday, August 22, 2000 11:02 AM
Subject: MSIE automatic proxy config

> hi
>
> I have a linux proxy (squid) and a linux dhcpd.
> how do i config a client MSIE to automatically find the proxy ?
>
> thanks
> erez
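A proxy.pac of the kind Mike and Tzafrir describe, written here as an added example rather than taken from the Technion sample or the Squid docs. The Squid address proxy.example.com:3128 and the internal domain are assumed placeholders, and the private-address test is coded by hand so the file runs outside a browser, without the isInNet()-style helpers a PAC engine normally supplies.

```javascript
// Proxy auto-config (PAC) file for the Squid setup discussed in the thread.
// Added example; the proxy host, port and internal domain below are assumed.
// IE ("automatic configuration script") and Netscape fetch this file by URL
// and call FindProxyForURL(url, host) for every request, then use the
// returned proxy list. Only plain JavaScript is used, so it can also be
// exercised from node for testing before it is published.

var SQUID = "PROXY proxy.example.com:3128"; // assumed Squid listener
var LOCAL_DOMAIN = ".example.com";          // assumed internal DNS domain

// True for dotted-quad hosts in the RFC 1918 private ranges or loopback.
// Written by hand instead of isInNet() so no browser helper is required.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names and the internal domain are reached directly:
  // pushing LAN traffic through Squid only adds the extra hop the thread
  // argues about, and the cache would not help for internal servers.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (host.slice(-LOCAL_DOMAIN.length) === LOCAL_DOMAIN) return "DIRECT";
  if (host === "localhost" || isPrivateIPv4(host)) return "DIRECT";
  // Everything else goes through Squid. No "; DIRECT" fallback is listed:
  // with outbound port 80 blocked at the router (Shachar's approach) a
  // fallback would only turn a proxy outage into slow, silent failures.
  return SQUID;
}
```

Serve the file with MIME type application/x-ns-proxy-autoconfig and point the browser's automatic configuration script setting at its URL; every client then gets the same routing policy from one place.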
Re: MSIE automatic proxy config
Tzafrir Cohen wrote:

>> On Tue, 22 Aug 2000, Erez Doron wrote:
>>
>> hi
>>
>> I have a linux proxy (squid) and a linux dhcpd.
>> how do i config a client MSIE to automatically find the proxy ?
>
> See the squid docs for some information about client autoconfiguration (works for netscape and IE). For me this (together with a sample from http://www.technion.ac.il/proxy.pac) was enough.

If you have a large number of clients to configure, setting up a transparent proxy is the way to go. This way, nothing has to be configured on the clients at all. I use such a proxy at our company, and use it to filter banner ads too BTW.

Docs to configure Squid transparently can be found on the Squid website. Recommended!

Gavrie.

--
Gavrie Philipson
Netmor Applied Modeling Research Ltd.
Re: MSIE automatic proxy config
Gavrie Philipson wrote:

> If you have a large number of clients to configure, setting up a transparent proxy is the way to go. This way, nothing has to be configured on the clients at all. I use such a proxy at our company, and use it to filter banner ads too BTW.
>
> Docs to configure Squid transparently can be found on the Squid website. Recommended!
>
> Gavrie.
>
> --
> Gavrie Philipson
> Netmor Applied Modeling Research Ltd.

Doesn't that require that the router handling all the traffic be a NAT machine? At our place we currently have a CheckPoint FW-1 firewall, and I am not sure that it supports transparent proxying (though it is quite possible that it does, Linux isn't the only solution, you know). I don't think adding another machine will be a good idea.

Shachar