Re: [pfSense Support] Transparent Squid proxy in DMZ?

[Kyle Mott]

Is there a way to set this up in pfSense though? I'm a bit confused as to what my rules need to be (my first thought is LAN Subnet 80/TCP => DMZ Host:6060 via port forward). Is that correct? -Kyle Gary Buckmaster wrote: I think the confusion here stems from where squid lives on the network. If you run squid on your firewall, then a simple redirect rule can be used to redirect LAN->WAN http traffic up to the port squid is listening on. If, however, you are running squid on a separate machine somewhere on your network (I believe the OP is running his squid box in the DMZ) then you can (and should) have your firewall do the work of redirecting traffic to the squid box. Squid, in this scenario, acts as a second gateway for the network but only for squid-relevant traffic. I hope this clarifies things. -Gary -----Original Message----- From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 26, 2005 9:24 AM To: support@pfsense.com Subject: Re: [pfSense Support] Transparent Squid proxy in DMZ? Hi! Gary, maybe I do not understand perfectly your point of view, because I used Squid mainly under Linux. I understand we are speaking about using Squid as lan->wan web cache; the only thing I cannot understand is why, in your opinion, transproxy could not work simply by redirecting web traffic (instead of using route-to). In linux this is the only possible way of doing this (at least, without using iproute and tc), so I always configured my squid as transproxy, and used the iptables redirection. Anyway, I understand you are speaking about a totally different way of doing it (and in my opinion, both the ways can work.), so I am very happy to learn smthg new! On 10/26/05, Gary Buckmaster <[EMAIL PROTECTED]> wrote: Because of the way squid works, a squid box should be treated as a second gateway, in this case for http-based traffic only. As a result, using a route-to (or in Cisco parlance, policy-based route) is the solution. To avoid confusion, this is for outbound (LAN->WAN) traffic for the purposes of web caching and content filtering. There are perfectly valid reasons for using squid as an http accelerator sitting in front of web servers, which may have been what confused Tomasso. -Gary -----Original Message----- From: Bill Marquette [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 26, 2005 8:48 AM To: support@pfsense.com Subject: Re: [pfSense Support] Transparent Squid proxy in DMZ? On 10/26/05, Tommaso Di Donato <[EMAIL PROTECTED]> wrote: Maybe I did not undestand well, but redirecting http traffic to a host located in DMZ is not a policy-based routing... In my opinion it is a simple redirect for 80/tcp to a particular host. Obviously, here the host is in DMZ. Sorry if I understood wrong.. Depends on if you use port forwarding (rdr) to achieve the goal or treat the squid box as another gateway and use 'route-to' for port 80 traffic. I suspect the latter is what Gary was talking about and is an interesting concept. --Bill --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]