It's not the MASQUERADE that is bad... It's the DNAT rule which removes the original destination IP and port.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [email protected]

-----Original Message-----
From: Amos Jeffries [mailto:[email protected]]
Sent: Friday, July 21, 2017 15:42
To: Eliezer Croitoru <[email protected]>; [email protected]
Subject: Re: [squid-dev] What should we do about these *wrong* wiki articles?

On 21/07/17 21:17, Eliezer Croitoru wrote:
> Hey List,
>
> I have seen that these articles aren't up-to-date and are misleading admins.
> The first step in my opinion would be to add a warning at the top of the
> articles that these are obsolete and should not be used.
> Then fix the article content and redirect toward PBR\FBF\Other routing to
> the squid box example and eventually removing these examples from the wiki.
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat?highlight=%28masquerade%29
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect?highlight=%28masquerade%29
>
> What do you think?

What's wrong with MASQUERADE?

AFAIK it is still the best way to have the OS automatically assign outgoing IPs in the presence of NAT - an operation which the default configuration of Squid assumes to be happening.

If the admin knows sufficiently about iptables/netfilter to specifically set up something other than MASQUERADE properly they already know not to enter that line.

NP: the mention of IPv6 not being supported is wrong nowadays. That could be replaced by a note specifically for old kernel versions.

Amos
_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev
