Re: [squid-dev] What should we do about these *wrong* wiki articles?

2017-07-23 Thread Eliezer Croitoru
Well, I need to re-read these pages...

And I do understand that there are times it's needed, and the examples 
give good reasons for why and when to use them.

After I re-read these wiki sections I will think about it again and 
reply.
Then, if we think a wiki page needs to be written, or the wiki page order 
or structure rewritten, I will try to offer a better version.

Thanks,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Sunday, July 23, 2017 02:21
To: Eliezer Croitoru <elie...@ngtech.co.il>; squid-dev@lists.squid-cache.org
Subject: Re: [squid-dev] What should we do about these *wrong* wiki articles?

On 23/07/17 09:22, Eliezer Croitoru wrote:
> As I understood the article the DNAT is from another box ie "the router" to 
> the squid box.
> If I understood it wrong and didn't read properly I will re-read them and see 
> where I am wrong.

see the Details section notes.


You are right about the cross-machine DNAT use-case no longer existing. 
We keep them both in the wiki because they still meet other use-cases:


* REDIRECT copes best for machines and black-box situations where one 
never knows in advance what network it will be plugged into. Such as 
products that will be sold as plug-and-play proxy caches, or to minimize 
config delays on VM images that get run up by the dozen and 
automatically assigned IPs.

However it always NATs the dst-IP to the machine's primary IP, so it is 
limited to the ~64K receiving socket numbers that IP can provide. It 
also spends some CPU cycles looking that IP up on each new TCP connection.


* DNAT copes best for high performance and security installations where 
explicit speed or control of the packets outweighs the amount of effort 
needed to configure it properly.

It is not doing any primary-IP stuff so is slightly faster than 
REDIRECT, and multiple DNAT rules can be added for each IP the machine 
has - avoiding the ~64K limit. BUT requires the admin to know in advance 
exactly what the IPs of the proxy will be. And the IP assignment, 
iptables rules and squid.conf settings are locked together - if any 
change they all need to. Lots of work to reconfigure any of it, even if 
automated. But, also lots of certainty about what the packets are doing 
for the security paranoid.


Those properties are generic, not just in relation to Squid.

Amos

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev


Re: [squid-dev] What should we do about these *wrong* wiki articles?

2017-07-22 Thread Amos Jeffries

On 23/07/17 09:22, Eliezer Croitoru wrote:

As I understood the article the DNAT is from another box ie "the router" to the 
squid box.
If I understood it wrong and didn't read properly I will re-read them and see 
where I am wrong.


see the Details section notes.


You are right about the cross-machine DNAT use-case no longer existing. 
We keep them both in the wiki because they still meet other use-cases:



* REDIRECT copes best for machines and black-box situations where one 
never knows in advance what network it will be plugged into. Such as 
products that will be sold as plug-and-play proxy caches, or to minimize 
config delays on VM images that get run up by the dozen and 
automatically assigned IPs.


However it always NATs the dst-IP to the machine's primary IP, so it is 
limited to the ~64K receiving socket numbers that IP can provide. It 
also spends some CPU cycles looking that IP up on each new TCP connection.



* DNAT copes best for high performance and security installations where 
explicit speed or control of the packets outweighs the amount of effort 
needed to configure it properly.


It is not doing any primary-IP stuff so is slightly faster than 
REDIRECT, and multiple DNAT rules can be added for each IP the machine 
has - avoiding the ~64K limit. BUT requires the admin to know in advance 
exactly what the IPs of the proxy will be. And the IP assignment, 
iptables rules and squid.conf settings are locked together - if any 
change they all need to. Lots of work to reconfigure any of it, even if 
automated. But, also lots of certainty about what the packets are doing 
for the security paranoid.



Those properties are generic, not just in relation to Squid.

Amos


Re: [squid-dev] What should we do about these *wrong* wiki articles?

2017-07-22 Thread Eliezer Croitoru
As I understood the article the DNAT is from another box ie "the router" to the 
squid box.
If I understood it wrong and didn't read properly I will re-read them and see 
where I am wrong.
Squid doesn't like to act as an intercept proxy and have the destination IP and 
port be itself, i.e.:
Client ip is 192.168.0.30
Squid ip is 192.168.1.40
Router sits at 192.168.0.254
Router does DNAT from 192.168.0.0/24 dst port 80 to squid ip:port ie 
192.168.1.30:3129

Am I missing something about this wrong picture?

Thanks,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Friday, July 21, 2017 17:15
To: Eliezer Croitoru <elie...@ngtech.co.il>; squid-dev@lists.squid-cache.org
Subject: Re: [squid-dev] What should we do about these *wrong* wiki articles?

On 22/07/17 01:54, Eliezer Croitoru wrote:
> It's not the MASQUERADE that is bad
> It's the DNAT rule which removes the original destination ip and port.
> 

I fail to see how NAT behaving as NAT always has done makes those articles 
*about NAT features* "aren't up-to-date and are misleading admins"


Amos



Re: [squid-dev] What should we do about these *wrong* wiki articles?

2017-07-21 Thread Amos Jeffries

On 22/07/17 01:54, Eliezer Croitoru wrote:

It's not the MASQUERADE that is bad
It's the DNAT rule which removes the original destination ip and port.



I fail to see how NAT behaving as NAT always has done makes those 
articles *about NAT features* "aren't up-to-date and are misleading admins"



Amos


Re: [squid-dev] What should we do about these *wrong* wiki articles?

2017-07-21 Thread Eliezer Croitoru
It's not the MASQUERADE that is bad
It's the DNAT rule which removes the original destination ip and port.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Friday, July 21, 2017 15:42
To: Eliezer Croitoru <elie...@ngtech.co.il>; squid-dev@lists.squid-cache.org
Subject: Re: [squid-dev] What should we do about these *wrong* wiki articles?

On 21/07/17 21:17, Eliezer Croitoru wrote:
> Hey List,
> 
> I have seen that these articles aren't up-to-date and are misleading admins.
> The first step in my opinion would be to add a warning at the top of the
> articles that these are obsolete and should not be used.
> Then fix the article content and redirect toward PBR\FBF\Other routing to
> the squid box example and eventually removing these examples from the wiki.
> 
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat?highlight=%28
> masquerade%29
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect?highlight
> =%28masquerade%29
> 
> What do you think?

What's wrong with MASQUERADE?

AFAIK it is still the best way to have the OS automatically assign 
outgoing IPs in the presence of NAT - an operation which the default 
configuration of Squid assumes to be happening.

If the admin knows sufficiently about iptables/netfilter to specifically 
set up something other than MASQUERADE properly, they already know not to 
enter that line.


NP: the mention of IPv6 not being supported is wrong nowadays. That could 
be replaced by a note specifically for old kernel versions.

Amos



Re: [squid-dev] What should we do about these *wrong* wiki articles?

2017-07-21 Thread Amos Jeffries

On 21/07/17 21:17, Eliezer Croitoru wrote:

Hey List,

I have seen that these articles aren't up-to-date and are misleading admins.
The first step in my opinion would be to add a warning at the top of the
articles that these are obsolete and should not be used.
Then fix the article content and redirect toward PBR\FBF\Other routing to
the squid box example and eventually removing these examples from the wiki.

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat?highlight=%28
masquerade%29
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect?highlight
=%28masquerade%29

What do you think?


What's wrong with MASQUERADE?

AFAIK it is still the best way to have the OS automatically assign 
outgoing IPs in the presence of NAT - an operation which the default 
configuration of Squid assumes to be happening.


If the admin knows sufficiently about iptables/netfilter to specifically 
set up something other than MASQUERADE properly, they already know not to 
enter that line.



NP: the mention of IPv6 not being supported is wrong nowadays. That could 
be replaced by a note specifically for old kernel versions.


Amos
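Added example, not code from this thread, from Amos, or from the Squid wiki pages being discussed: a small POSIX sh generator that emits (never applies) the nat-table rules and the matching squid.conf http_port lines for the two interception styles Amos contrasts above (REDIRECT versus one DNAT rule per proxy IP) together with the MASQUERADE line he defends in this message. Deriving the iptables rules and the squid.conf listeners from one list of proxy IPs is one way to keep the three pieces that Amos says are "locked together" from drifting apart, and the check function at the end verifies that every DNAT target has a listener. Interface names (eth0/eth1), the 192.0.2.0/24 addresses and port 3129 are constructed placeholders, and the per-connection spreading uses the iptables `statistic` match, which is an assumption of this example rather than anything the thread prescribes.

```shell
#!/bin/sh
# Added example, not from the squid-dev thread or the Squid wiki.
# Emits (never runs) netfilter nat rules plus the squid.conf http_port lines
# that go with them, generated from ONE list of proxy IPs so that IP
# assignment, iptables rules and squid.conf cannot silently drift apart.
# Interfaces, IPs and ports below are constructed placeholders.

LAN_IF="eth1"           # assumption: interface the clients arrive on
WAN_IF="eth0"           # assumption: upstream interface, MASQUERADE applied here
INTERCEPT_PORT="3129"   # assumption: Squid's "http_port ... intercept" port
PROXY_IPS="192.0.2.10 192.0.2.11 192.0.2.12"   # constructed: IPs held by the proxy box

# MASQUERADE on the upstream side: the kernel picks the outgoing source IP,
# which is what Squid's default configuration assumes is happening.
masquerade_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
}

# REDIRECT style: a single rule that works on whatever network the box is
# plugged into, at the cost of funnelling every intercepted flow onto the
# primary IP of LAN_IF (the ~64K receiving-socket ceiling).
redirect_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$LAN_IF" "$INTERCEPT_PORT"
    masquerade_rule
}

# DNAT style: one rule per proxy IP. New connections are spread across the
# IPs with the statistic match (the nat table only sees the first packet of a
# connection, so this balances per connection); the last IP is the fallthrough.
dnat_rules() {
    set -- $PROXY_IPS
    n=$#
    i=0
    for ip in "$@"; do
        remaining=$((n - i))
        if [ "$remaining" -gt 1 ]; then
            printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -m statistic --mode nth --every %s --packet 0 -j DNAT --to-destination %s:%s\n' \
                "$LAN_IF" "$remaining" "$ip" "$INTERCEPT_PORT"
        else
            printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j DNAT --to-destination %s:%s\n' \
                "$LAN_IF" "$ip" "$INTERCEPT_PORT"
        fi
        i=$((i + 1))
    done
    masquerade_rule
}

# squid.conf side: REDIRECT only needs the port, DNAT needs one intercept
# listener per IP that the rules above can target.
squid_ports_redirect() {
    printf 'http_port %s intercept\n' "$INTERCEPT_PORT"
}

squid_ports_dnat() {
    for ip in $PROXY_IPS; do
        printf 'http_port %s:%s intercept\n' "$ip" "$INTERCEPT_PORT"
    done
}

# Consistency check: the set of DNAT targets must equal the set of squid
# listeners. Returns 0 when they agree, 1 otherwise.
check_dnat_in_sync() {
    targets=$(dnat_rules | sed -n 's/.*--to-destination \([^ ]*\)$/\1/p' | sort)
    listeners=$(squid_ports_dnat | sed -n 's/^http_port \([^ ]*\) intercept$/\1/p' | sort)
    [ "$targets" = "$listeners" ]
}

main() {
    echo "# REDIRECT style"; redirect_rules; squid_ports_redirect
    echo "# DNAT style";     dnat_rules;     squid_ports_dnat
    check_dnat_in_sync && echo "# DNAT targets and squid listeners agree"
}
main
```

Running the script prints both rule sets and the listener lines; nothing is applied, so it can be reviewed (or diffed against the live nat table) before any change. Changing PROXY_IPS and re-running regenerates both the DNAT rules and the http_port lines together, which is the whole point of generating rather than hand-editing.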


Re: [squid-dev] What should we do about these *wrong* wiki articles?

2017-07-21 Thread Kinkie
Everyone's invited to improve the contents in any way they see
reasonable. Please, just go ahead :)

On Fri, Jul 21, 2017 at 10:17 AM, Eliezer Croitoru  wrote:
> Hey List,
>
> I have seen that these articles aren't up-to-date and are misleading admins.
> The first step in my opinion would be to add a warning at the top of the
> articles that these are obsolete and should not be used.
> Then fix the article content and redirect toward PBR\FBF\Other routing to
> the squid box example and eventually removing these examples from the wiki.
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat?highlight=%28
> masquerade%29
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect?highlight
> =%28masquerade%29
>
> What do you think?
>
> Eliezer
>
> 
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
>
>
> ___
> squid-dev mailing list
> squid-dev@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev



-- 
Francesco