Steve Devine wrote:
> 
> >Date: Wed, 03 Mar 1999 12:00:42 -0500
> >To: Richard Stagg <[EMAIL PROTECTED]>
> >From: Steve Devine <[EMAIL PROTECTED]>
> >Subject: Re: icp and telnet
> >In-Reply-To: <[EMAIL PROTECTED]>
> >References: <[EMAIL PROTECTED]>
> >
> >At 04:27 PM 3/3/99 +0000, you wrote:
> >>On Wed, 3 Mar 1999, Steve Devine wrote:
> >>
> >>> I am struggling to get icp to work on squid 1.22. Can someone tell if a
> >>> correctly configured machine will accept telnet requests on the icp port?
> >>> I am trying to use telnet as a troubleshooting tool. At this point my squid
> >>> refuses the connection when I type in "telnet mybox.com 3130" from another
> >>> unix workstation. Any help would be appreciated. I have read the archives
> >>> and am running out of ideas. Thanks
> >>
> >>This isn't a good way to test; ICP uses UDP on port 3130; Telnet will try
> >>to connect to 3130 using TCP. Hence you're not going to get a meaningful
> >>result.
> >>
> >>The best way to test it is to use another Squid box with the proxy in
> >>question configured as a sibling. Fire some requests at the spare box and
> >>watch the logs on the system being tested.
> >
> >Thanks for the suggestion. I have tried that but I get 'unable to open
> >source' messages. Also both machines give out unable to forward messages
> >most of the time. When it does work I get broken images. These problems go
> >away when I set icp port tag to 0; of course this defeats icp. I believe my
> >acl list may be the problem. Can anyone see where I have gone wrong?
> >I am inside a firewall and all proxies must forward to parent on other side
> >of firewall.
> >
> >       acl jpshosts src 10.0.0.0/255.0.0.0
> >       acl all src 0.0.0.0/0.0.0.0
> >       http_access allow jpshosts
> >       http_access deny all
> >       icp_access allow jpshosts
> >       always_direct deny all
> >       acl local-servers dstdomain jps.k12.mi.us
> >       acl all src 0.0.0.0/0.0.0.0
> >       never_direct deny local-servers
> >       never_direct allow all

If your proxy cannot route freely to the parent and vice-versa (that is,
pass packets _without_ masquerading or network address translation
taking place) then ICP isn't going to work for you, I believe. ICP is a
'connectionless protocol' (which is why it's implemented with UDP), and
without specific masquerading support for ICP (which I do not believe is
available) at your firewall, ICP requests _may_ arrive at the parent,
but responses probably cannot be returned through it.

You really need a public address to source your ICP requests from, if
you do not have one. As an alternative, I _think_ that TIS fwtk
(firewall toolkit) has a UDP packet proxy that _may_ help. I don't
recall the exact payload details of an ICP packet, so it might not work,
still and all.

D
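
The thread's point that ICP is UDP on port 3130, so a TCP telnet session cannot test it, shown as an added example that is not part of the original messages: a minimal ICP query probe using the header layout and opcode numbers from RFC 2186. The host name and URL in the `__main__` section are placeholders, and the function names are illustrative.

```python
import socket
import struct

# RFC 2186 header: opcode, version, length, request number, options,
# option data, sender host address (20 bytes, network byte order).
ICP_HEADER = struct.Struct("!BBHIII4s")
ICP_VERSION = 2
ICP_OPCODES = {1: "ICP_OP_QUERY", 2: "ICP_OP_HIT", 3: "ICP_OP_MISS",
               4: "ICP_OP_ERR", 21: "ICP_OP_MISS_NOFETCH", 22: "ICP_OP_DENIED"}


def build_icp_query(url, reqnum):
    """ICP_OP_QUERY: header, 4-byte requester address, NUL-terminated URL."""
    payload = b"\x00" * 4 + url.encode("ascii") + b"\x00"
    length = ICP_HEADER.size + len(payload)
    return ICP_HEADER.pack(1, ICP_VERSION, length, reqnum, 0, 0, b"\x00" * 4) + payload


def parse_icp_reply(data):
    """Decode a reply; in replies the URL follows the header directly."""
    if len(data) < ICP_HEADER.size:
        raise ValueError("datagram shorter than an ICP header")
    opcode, version, length, reqnum, _, _, _ = ICP_HEADER.unpack_from(data)
    if length != len(data):
        raise ValueError("ICP length field does not match datagram size")
    url = data[ICP_HEADER.size:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"opcode": ICP_OPCODES.get(opcode, "UNKNOWN(%d)" % opcode),
            "version": version, "reqnum": reqnum, "url": url}


def probe(host, url, port=3130, timeout=3.0, reqnum=1):
    """Send one query over UDP and return the parsed reply, "refused", or None.

    "refused" means an ICMP port-unreachable came back (nothing listening on
    that UDP port); None means silence, e.g. the reply was dropped in transit.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))  # connected socket, so ICMP errors surface
        try:
            sock.send(build_icp_query(url, reqnum))
            return parse_icp_reply(sock.recv(16384))
        except socket.timeout:
            return None
        except ConnectionRefusedError:
            return "refused"


if __name__ == "__main__":
    # Placeholder host and URL; substitute the cache under test.
    print(probe("proxy.example.net", "http://example.com/"))
```

Any parsed reply, ICP_OP_DENIED included, shows that UDP is passing in both directions. A result of None matches the case described above, where the query may arrive but the response cannot be returned.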
