Re: [squid-dev] What should we do about these *wrong* wiki articles?
Well, I need to re-read these pages... And I do understand that there are times it's needed, and the examples give good reasons as to why and when to use them. After I re-read these wiki sections I will try to think about it again and reply. Then, if we think it's needed to write a wiki page or to rewrite the wiki page order or structure, I will try to offer a better version.

Thanks,
Eliezer

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Sunday, July 23, 2017 02:21
To: Eliezer Croitoru <elie...@ngtech.co.il>; squid-dev@lists.squid-cache.org
Subject: Re: [squid-dev] What should we do about these *wrong* wiki articles?

On 23/07/17 09:22, Eliezer Croitoru wrote:
> As I understood the article the DNAT is from another box, i.e. "the router", to
> the squid box.
> If I understood it wrong and didn't read properly I will re-read them and see
> in what I am wrong.

See the Details section notes. You are right about the cross-machine DNAT use-case no longer existing.

We keep them both in the wiki because they still meet other use-cases:

* REDIRECT copes best for machines and black-box situations where one never knows in advance what network it will be plugged into. Such as products that will be sold as plug-and-play proxy caches, or to minimize config delays on VM images that get run up by the dozen and automatically assigned IPs.
  However it always NATs the dst-IP to the machine's primary-IP. So it is limited to the ~64K receiving socket numbers that IP can provide. It also spends some CPU cycles looking that IP up on each new TCP connection.

* DNAT copes best for high performance and security installations where explicit speed or control of the packets outweighs the amount of effort needed to configure it properly.
  It is not doing any primary-IP stuff so it is slightly faster than REDIRECT, and multiple DNAT rules can be added for each IP the machine has - avoiding the ~64K limit. BUT it requires the admin to know in advance exactly what the IPs of the proxy will be. And the IP assignment, iptables rules and squid.conf settings are locked together - if any change, they all need to. Lots of work to reconfigure any of it, even if automated. But, also lots of certainty about what the packets are doing for the security paranoid.

Those properties are generic, not just in relation to Squid.

Amos

_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
Re: [squid-dev] What should we do about these *wrong* wiki articles?
On 23/07/17 09:22, Eliezer Croitoru wrote:
> As I understood the article the DNAT is from another box, i.e. "the router", to
> the squid box.
> If I understood it wrong and didn't read properly I will re-read them and see
> in what I am wrong.

See the Details section notes. You are right about the cross-machine DNAT use-case no longer existing.

We keep them both in the wiki because they still meet other use-cases:

* REDIRECT copes best for machines and black-box situations where one never knows in advance what network it will be plugged into. Such as products that will be sold as plug-and-play proxy caches, or to minimize config delays on VM images that get run up by the dozen and automatically assigned IPs.
  However it always NATs the dst-IP to the machine's primary-IP. So it is limited to the ~64K receiving socket numbers that IP can provide. It also spends some CPU cycles looking that IP up on each new TCP connection.

* DNAT copes best for high performance and security installations where explicit speed or control of the packets outweighs the amount of effort needed to configure it properly.
  It is not doing any primary-IP stuff so it is slightly faster than REDIRECT, and multiple DNAT rules can be added for each IP the machine has - avoiding the ~64K limit. BUT it requires the admin to know in advance exactly what the IPs of the proxy will be. And the IP assignment, iptables rules and squid.conf settings are locked together - if any change, they all need to. Lots of work to reconfigure any of it, even if automated. But, also lots of certainty about what the packets are doing for the security paranoid.

Those properties are generic, not just in relation to Squid.

Amos
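The coupling Amos describes (DNAT target address, iptables rules and squid.conf intercept ports all having to agree, while REDIRECT lands on the host's own primary IP) is easy to break silently during an IP change. The script below is an added example, not code from the thread or from the Squid project: it cross-checks a constructed `iptables-save -t nat` dump against a constructed squid.conf fragment and flags three kinds of drift: a DNAT rule that sends traffic to another host (the cross-machine case, where Squid on the receiving host can no longer look up the original destination in its own NAT table), a DNAT or REDIRECT rule whose target port has no matching `intercept` listener, and a nat table with no MASQUERADE/SNAT in POSTROUTING. The addresses (192.168.0.0/24 clients, 192.168.1.40:3129 proxy), the `eth0` interface and the 192.168.1.30 wrong-host target are assumptions chosen for the sample; IPv4 only.

```python
"""Cross-check the iptables nat table against squid.conf intercept ports.

Added example for the REDIRECT/DNAT discussion; not part of Squid or the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample of `iptables-save -t nat` output on the proxy host.
# The second DNAT rule deliberately points at another host to exercise the check.
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.40:3129
-A PREROUTING -s 192.168.2.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.30:3129
-A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3130
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed squid.conf fragment: one forward-proxy port, one intercept port.
SQUID_CONF = """\
http_port 3128
http_port 192.168.1.40:3129 intercept
"""

# Constructed: the IPv4 addresses configured on this host (as `ip -4 addr` would list).
LOCAL_IPS: Set[str] = {"127.0.0.1", "192.168.1.40"}


@dataclass(frozen=True)
class NatRule:
    chain: str
    target: str               # DNAT, REDIRECT, MASQUERADE, ...
    to_ip: Optional[str]      # DNAT --to-destination address
    to_port: Optional[int]    # DNAT destination port or REDIRECT --to-ports
    raw: str


@dataclass(frozen=True)
class InterceptPort:
    address: Optional[str]    # None when http_port names only a port (all addresses)
    port: int


def parse_nat_rules(text: str) -> List[NatRule]:
    """Parse the -A lines of iptables-save output (IPv4); other lines are ignored."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        target_m = re.search(r"-j (\S+)", line)
        if not target_m:
            continue  # rule without a target cannot rewrite anything
        target = target_m.group(1)
        to_ip = to_port = None
        if target == "DNAT":
            dest = re.search(r"--to-destination (\S+)", line).group(1)
            if ":" in dest:
                ip, port = dest.rsplit(":", 1)
                to_ip, to_port = ip, int(port)
            else:
                to_ip = dest  # port unchanged
        elif target == "REDIRECT":
            port_m = re.search(r"--to-ports (\d+)", line)
            to_port = int(port_m.group(1)) if port_m else None
        rules.append(NatRule(line.split()[1], target, to_ip, to_port, line))
    return rules


def parse_intercept_ports(conf: str) -> List[InterceptPort]:
    """Collect http_port/https_port lines carrying the intercept option."""
    ports = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("http_port", "https_port"):
            continue
        if "intercept" not in parts[2:]:
            continue
        spec = parts[1]
        if ":" in spec:
            addr, port = spec.rsplit(":", 1)
            ports.append(InterceptPort(addr, int(port)))
        else:
            ports.append(InterceptPort(None, int(spec)))
    return ports


def check_rules(rules: List[NatRule], ports: List[InterceptPort],
                local_ips: Set[str]) -> List[Tuple[str, str]]:
    """Return (kind, rule) findings for nat rules that do not line up with Squid."""
    findings = []
    for r in rules:
        if r.chain != "PREROUTING" or r.target not in ("DNAT", "REDIRECT"):
            continue
        if r.target == "DNAT" and r.to_ip not in local_ips:
            # Traffic is rewritten towards another host; Squid recovers the original
            # destination from the NAT table of its own host, so it cannot there.
            findings.append(("cross-machine-dnat", r.raw))
            continue
        if r.to_port is None:
            continue  # port unchanged by the rule; outside this check's scope
        if r.target == "DNAT":
            listening = any(p.port == r.to_port and p.address in (None, r.to_ip)
                            for p in ports)
        else:
            # REDIRECT rewrites dst-IP to the receiving machine's primary IP, so a
            # wildcard bind or a bind on one of this host's addresses is required.
            listening = any(p.port == r.to_port and (p.address is None or p.address in local_ips)
                            for p in ports)
        if not listening:
            findings.append(("no-intercept-port", r.raw))
    if not any(r.chain == "POSTROUTING" and r.target in ("MASQUERADE", "SNAT") for r in rules):
        # Forwarded (non-intercepted) client traffic would leave with private source IPs.
        findings.append(("no-masquerade", "POSTROUTING"))
    return findings


def audit_sample() -> List[Tuple[str, str]]:
    """Run the check over the constructed sample above."""
    return check_rules(parse_nat_rules(IPTABLES_SAVE),
                       parse_intercept_ports(SQUID_CONF), LOCAL_IPS)


if __name__ == "__main__":
    for kind, rule in audit_sample():
        print(f"{kind}: {rule}")
```

Against the sample, the first DNAT rule is accepted because 192.168.1.40:3129 is both a local address and an intercept listener, the second is reported as cross-machine DNAT, and the REDIRECT to port 3130 is reported because nothing listens there. Running it against real `iptables-save -t nat` output and the live squid.conf after every address change is the cheap way to catch the "all three must change together" failure Amos points out.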
Re: [squid-dev] What should we do about these *wrong* wiki articles?
As I understood the article the DNAT is from another box, i.e. "the router", to the squid box.
If I understood it wrong and didn't read properly I will re-read them and see in what I am wrong.

Squid doesn't like to act as intercept proxy and to have the destination ip and port as itself, i.e.:
Client ip is 192.168.0.30
Squid ip is 192.168.1.40
Router sits at 192.168.0.254
Router does DNAT from 192.168.0.0/24 dst port 80 to squid ip:port, i.e. 192.168.1.30:3129

Am I missing something about this wrong picture?

Thanks,
Eliezer

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday, July 21, 2017 17:15
To: Eliezer Croitoru <elie...@ngtech.co.il>; squid-dev@lists.squid-cache.org
Subject: Re: [squid-dev] What should we do about these *wrong* wiki articles?

On 22/07/17 01:54, Eliezer Croitoru wrote:
> It's not the MASQUERADE that is bad
> It's the DNAT rule which removes the original destination ip and port.

I fail to see how NAT behaving as NAT always has done makes those articles *about NAT features* "aren't up-to-date and are misleading admins"

Amos
Re: [squid-dev] What should we do about these *wrong* wiki articles?
On 22/07/17 01:54, Eliezer Croitoru wrote:
> It's not the MASQUERADE that is bad
> It's the DNAT rule which removes the original destination ip and port.

I fail to see how NAT behaving as NAT always has done makes those articles *about NAT features* "aren't up-to-date and are misleading admins"

Amos
Re: [squid-dev] What should we do about these *wrong* wiki articles?
It's not the MASQUERADE that is bad.
It's the DNAT rule which removes the original destination ip and port.

Eliezer

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday, July 21, 2017 15:42
To: Eliezer Croitoru <elie...@ngtech.co.il>; squid-dev@lists.squid-cache.org
Subject: Re: [squid-dev] What should we do about these *wrong* wiki articles?

On 21/07/17 21:17, Eliezer Croitoru wrote:
> Hey List,
>
> I have seen that these articles aren't up-to-date and are misleading admins.
> The first step in my opinion would be to add a warning at the top of the
> articles that these are obsolete and should not be used.
> Then fix the article content and redirect toward PBR\FBF\Other routing to
> the squid box example and eventually remove these examples from the wiki.
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat?highlight=%28masquerade%29
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect?highlight=%28masquerade%29
>
> What do you think?

What's wrong with MASQUERADE?

AFAIK it is still the best way to have the OS automatically assign outgoing IPs in the presence of NAT - an operation which the default configuration of Squid assumes to be happening.

If the admin knows sufficiently about iptables/netfilter to specifically set up something other than MASQUERADE properly they already know not to enter that line.

NP: the mention of IPv6 not being supported is wrong nowadays. That could be replaced by a note specifically for old kernel versions.

Amos
Re: [squid-dev] What should we do about these *wrong* wiki articles?
On 21/07/17 21:17, Eliezer Croitoru wrote:
> Hey List,
>
> I have seen that these articles aren't up-to-date and are misleading admins.
> The first step in my opinion would be to add a warning at the top of the
> articles that these are obsolete and should not be used.
> Then fix the article content and redirect toward PBR\FBF\Other routing to
> the squid box example and eventually remove these examples from the wiki.
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat?highlight=%28masquerade%29
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect?highlight=%28masquerade%29
>
> What do you think?

What's wrong with MASQUERADE?

AFAIK it is still the best way to have the OS automatically assign outgoing IPs in the presence of NAT - an operation which the default configuration of Squid assumes to be happening.

If the admin knows sufficiently about iptables/netfilter to specifically set up something other than MASQUERADE properly they already know not to enter that line.

NP: the mention of IPv6 not being supported is wrong nowadays. That could be replaced by a note specifically for old kernel versions.

Amos
Re: [squid-dev] What should we do about these *wrong* wiki articles?
Everyone's invited to improve the contents in any way they see reasonable.
Please, just go ahead :)

On Fri, Jul 21, 2017 at 10:17 AM, Eliezer Croitoru wrote:
> Hey List,
>
> I have seen that these articles aren't up-to-date and are misleading admins.
> The first step in my opinion would be to add a warning at the top of the
> articles that these are obsolete and should not be used.
> Then fix the article content and redirect toward PBR\FBF\Other routing to
> the squid box example and eventually remove these examples from the wiki.
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat?highlight=%28masquerade%29
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect?highlight=%28masquerade%29
>
> What do you think?
>
> Eliezer
>
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il

--
Francesco