On Wed, 15 Oct 2003, Daniel Barron wrote:

> For various reasons I need to run squid transparently proxying but not on
> the firewall.

Then you need to teach the firewall to route port 80 traffic to the Squid server without changing the destination IP address, and your Squid server needs to know to route all return traffic to the clients via the firewall (well.. depending on the firewall and how it redirects port 80 traffic)

> To do this I have set the squid box as default route on the clients and
> configured squid 2.5 to work transparently. The squid box's default route
> is the firewall. Yes I know this is a bit odd but does have advantages
> such as when the firewall is an appliance that can't have squid installed.

This also works, but has drawbacks in that the Squid box becomes a single point of failure for all your client Internet traffic, not just browsing.

> The problem is that the clients automagically reroute bypassing the squid
> box and go directly to the firewall. Thus not being transparently proxied.

You probably have not disabled sending of redirects in the TCP/IP stack of the Squid server.

> I thought it might be icmp redirects so have switched it off in
> /proc/sys/net/ipv4/conf/*/send_redirects
>
> but this made no difference.

It should. There is no other mechanism whereby router clients can be told to use another router.

Regards
Henrik
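
Added example, not part of the original message: a shell check for the send_redirects setting discussed in this thread. It relies on the documented Linux behaviour that redirects are sent on an interface if either conf/all/send_redirects or the interface's own entry is non-zero; the function names are made up for this example.

```shell
#!/bin/sh
# Linux ORs conf/all/send_redirects with conf/<iface>/send_redirects,
# so an interface stops sending ICMP redirects only when BOTH are 0.

# redirect_senders [CONF_DIR]
# Prints one interface name per line for every interface that will still
# send redirects. CONF_DIR defaults to the live /proc tree.
redirect_senders() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    # If the global value cannot be read, assume the kernel default (on).
    all=$(cat "$conf_dir/all/send_redirects" 2>/dev/null || echo 1)
    for f in "$conf_dir"/*/send_redirects; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        case $iface in all|default) continue ;; esac
        own=$(cat "$f")
        if [ "$all" != 0 ] || [ "$own" != 0 ]; then
            echo "$iface"
        fi
    done
}

# disable_redirects [CONF_DIR]
# Writes 0 to every entry, including "all" and "default" ("default" is
# the template for interfaces created later). Needs root on the live tree.
disable_redirects() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    for f in "$conf_dir"/*/send_redirects; do
        [ -w "$f" ] && echo 0 > "$f"
    done
    return 0
}

# Report the current state of this host (or of the directory given as $1).
redirect_senders "$@"
```

Any interface name this prints is still able to tell clients to bypass the box and use the firewall directly.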
