So, I just tried that, and this time it actually sent the request to my
Squid server, but I get a bad TCP checksum message, and then everything
stops. Keep in mind, this is run on the squid server (172.16.46.50),
and my client IP is 172.16.45.98:

[EMAIL PROTECTED]:/usr/local/squid/logs# tcpdump -npi em0 -vvvs0 port 6060
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:06:40.520688 IP (tos 0x0, ttl 127, id 49965, offset 0, flags [DF], length: 48) 172.16.45.198.4859 > 172.16.46.50.6060: S [tcp sum ok] 3977229192:3977229192(0) win 64240 <mss 1460,nop,nop,sackOK>
17:06:40.520805 IP (tos 0x0, ttl 64, id 29539, offset 0, flags [DF], length: 48) 172.16.46.50.6060 > 172.16.45.198.4859: S [bad tcp cksum b43b (->4898)!] 1472095071:1472095071(0) ack 3977229193 win 65535 <mss 1460,nop,nop,sackOK>
17:06:40.521543 IP (tos 0x0, ttl 127, id 49966, offset 0, flags [DF], length: 40) 172.16.45.198.4859 > 172.16.46.50.6060: . [tcp sum ok] 1:1(0) ack 1 win 64240
17:06:40.521829 IP (tos 0x0, ttl 127, id 49967, offset 0, flags [DF], length: 588) 172.16.45.198.4859 > 172.16.46.50.6060: P [tcp sum ok] 1:549(548) ack 1 win 64240
17:06:40.613734 IP (tos 0x0, ttl 64, id 29547, offset 0, flags [DF], length: 40) 172.16.46.50.6060 > 172.16.45.198.4859: . [bad tcp cksum b433 (->7338)!] 1:1(0) ack 549 win 65535

I was also going to try and run a tcpdump on the firewall, but it
doesn't seem to work. No packets show up, and when I press ctrl+c, it
won't exit. I have to reboot it in order to get back to the shell.

BTW, is SSH broken in 0.89.2? I can't seem to SSH into it.

-Kyle

Scott Ullrich wrote:

Maybe this screen shot will help:
http://www.pfsense.com/screens/redirect_lan_to_another_mail_server.PNG

Scott

On 10/26/05, Kyle Mott <[EMAIL PROTECTED]> wrote:

Is there a way to set this up in pfSense though? I'm a bit confused as
to what my rules need to be (my first thought is LAN Subnet 80/TCP =>
DMZ Host:6060 via port forward). Is that correct?

-Kyle

Gary Buckmaster wrote:

I think the confusion here stems from where squid lives on the network.
If you run squid on your firewall, then a simple redirect rule can be
used to redirect LAN->WAN http traffic up to the port squid is listening
on. If, however, you are running squid on a separate machine somewhere
on your network (I believe the OP is running his squid box in the DMZ)
then you can (and should) have your firewall do the work of redirecting
traffic to the squid box. Squid, in this scenario, acts as a second
gateway for the network but only for squid-relevant traffic. I hope
this clarifies things.

-Gary

-----Original Message-----
From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 26, 2005 9:24 AM
To: [email protected]
Subject: Re: [pfSense Support] Transparent Squid proxy in DMZ?

Hi! Gary, maybe I do not understand perfectly your point of view,
because I used Squid mainly under Linux. I understand we are speaking
about using Squid as lan->wan web cache; the only thing I cannot
understand is why, in your opinion, transproxy could not work simply by
redirecting web traffic (instead of using route-to). In Linux this is
the only possible way of doing this (at least, without using iproute and
tc), so I always configured my squid as transproxy, and used the
iptables redirection. Anyway, I understand you are speaking about a
totally different way of doing it (and in my opinion, both ways can
work), so I am very happy to learn something new!

On 10/26/05, Gary Buckmaster <[EMAIL PROTECTED]> wrote:

Because of the way squid works, a squid box should be treated as a
second gateway, in this case for http-based traffic only. As a result,
using a route-to (or in Cisco parlance, policy-based route) is the
solution. To avoid confusion, this is for outbound (LAN->WAN) traffic
for the purposes of web caching and content filtering. There are
perfectly valid reasons for using squid as an http accelerator sitting
in front of web servers, which may have been what confused Tommaso.

-Gary

-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 26, 2005 8:48 AM
To: [email protected]
Subject: Re: [pfSense Support] Transparent Squid proxy in DMZ?

On 10/26/05, Tommaso Di Donato <[EMAIL PROTECTED]> wrote:

Maybe I did not understand well, but redirecting http traffic to a host
located in DMZ is not a policy-based routing... In my opinion it is a
simple redirect for 80/tcp to a particular host. Obviously, here the
host is in DMZ. Sorry if I understood wrong.

Depends on if you use port forwarding (rdr) to achieve the goal or treat
the squid box as another gateway and use 'route-to' for port 80 traffic.
I suspect the latter is what Gary was talking about and is an
interesting concept.

--Bill

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
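In Kyle's capture the two `bad tcp cksum` notices are only on segments that the capture host itself (172.16.46.50) sent, and the client then acknowledged the SYN/ACK and pushed 548 bytes of request, so those segments were intact on the wire. That pattern is what TCP transmit checksum offloading looks like in tcpdump: the frame is copied to tcpdump before the NIC fills in the checksum, so the check fails locally and nowhere else. The script below applies that rule to a capture. It is an added example, not something posted in the thread; the sample input is the five packet lines quoted above, embedded as a constructed string, and the capture-host address is the one Kyle states.

```shell
#!/bin/sh
# Classify tcpdump -vv "[bad tcp cksum ...]" notices by direction.
# Bad checksum on a segment the capture host SENT  -> usually TX checksum
#   offload (NIC computes it after tcpdump's copy is taken).
# Bad checksum on a segment the capture host RECEIVED -> real corruption
#   or a middlebox rewriting the packet; this is the one worth chasing.

CAPTURE_HOST="172.16.46.50"   # host tcpdump ran on, as stated in the post

# Constructed sample: the five packets from Kyle's capture, one per line.
SAMPLE='17:06:40.520688 IP (tos 0x0, ttl 127, id 49965, offset 0, flags [DF], length: 48) 172.16.45.198.4859 > 172.16.46.50.6060: S [tcp sum ok] 3977229192:3977229192(0) win 64240 <mss 1460,nop,nop,sackOK>
17:06:40.520805 IP (tos 0x0, ttl 64, id 29539, offset 0, flags [DF], length: 48) 172.16.46.50.6060 > 172.16.45.198.4859: S [bad tcp cksum b43b (->4898)!] 1472095071:1472095071(0) ack 3977229193 win 65535 <mss 1460,nop,nop,sackOK>
17:06:40.521543 IP (tos 0x0, ttl 127, id 49966, offset 0, flags [DF], length: 40) 172.16.45.198.4859 > 172.16.46.50.6060: . [tcp sum ok] 1:1(0) ack 1 win 64240
17:06:40.521829 IP (tos 0x0, ttl 127, id 49967, offset 0, flags [DF], length: 588) 172.16.45.198.4859 > 172.16.46.50.6060: P [tcp sum ok] 1:549(548) ack 1 win 64240
17:06:40.613734 IP (tos 0x0, ttl 64, id 29547, offset 0, flags [DF], length: 40) 172.16.46.50.6060 > 172.16.45.198.4859: . [bad tcp cksum b433 (->7338)!] 1:1(0) ack 549 win 65535'

# cksum_verdict <capture-host-ip>   (reads tcpdump -vv text on stdin)
# Prints exactly one of: clean | offload-artifact | real-bad-checksum
cksum_verdict() {
    awk -v me="$1" '
        /bad tcp cksum/ {
            # In -vv output the source "addr.port" is the field right before ">"
            src = ""
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); break }
            sub(/\.[0-9]+$/, "", src)            # drop the port, keep the IP
            if (src == me) sent++; else received++
        }
        END {
            if (received > 0)   print "real-bad-checksum"
            else if (sent > 0)  print "offload-artifact"
            else                print "clean"
        }'
}

# Verdict for the embedded sample as captured on the squid box.
sample_verdict() {
    printf '%s\n' "$SAMPLE" | cksum_verdict "$CAPTURE_HOST"
}

sample_verdict   # offload-artifact
```

Pipe a saved capture into it (`tcpdump -vvnr squid.pcap | cksum_verdict 172.16.46.50`). If the verdict is offload-artifact, confirm by capturing on the client side, or take the offload out of the picture for the test with `ifconfig em0 -txcsum` on FreeBSD; the bad checksum is then not the reason the session stalls, and the next thing to look at is what squid does with the request it received.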
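The two designs Gary and Bill contrast, written out as pf rules. This is an added illustration, not pfSense's generated ruleset or anything posted in the thread: the interface names and the LAN network are assumed; the squid address and port 6060 are the ones in Kyle's capture; the grammar is the one FreeBSD's pf uses (`route-to` before the address family, filter rules evaluated on the post-`rdr` address, `keep state` spelled out). Load one option or the other, not both, because the `rdr` would rewrite the port before the `route-to` rule could match.

```pf
# pf.conf excerpt: LAN web traffic to a transparent squid living in the DMZ.
# Assumed names: lan_if, dmz_if, lan_net. Squid host/port are from the thread.
lan_if  = "em1"
dmz_if  = "em2"
lan_net = "172.16.45.0/24"
squid   = "172.16.46.50"        # squid box in the DMZ, listening on 6060

# --- Option A: rdr (what a webGUI "port forward" produces).
# pf rewrites the destination to the squid box. Only the destination
# changes, so squid still sees the real LAN client address, but it has to
# recover the original web server from the Host: header (Squid 2.5:
# httpd_accel_host virtual + httpd_accel_uses_host_header on).
# "! $lan_if" keeps requests to the firewall's own port 80 out of the rdr.
rdr on $lan_if inet proto tcp from $lan_net to ! $lan_if port 80 \
    -> $squid port 6060
pass in quick on $lan_if inet proto tcp from $lan_net to $squid port 6060 \
    flags S/SA keep state

# --- Option B: route-to (squid as a second gateway for port 80 only).
# The destination is left alone; the packet is handed to the squid box as
# next hop on the DMZ interface. Squid is not listening on port 80 of
# arbitrary Internet addresses, so the squid box itself must redirect
# inbound port 80 to its listening port (a local pf rdr, or iptables
# REDIRECT on Linux), and the firewall must pass the squid box's own
# outbound port 80 normally or the request loops back to it.
pass in quick on $lan_if route-to ($dmz_if $squid) inet proto tcp \
    from $lan_net to any port 80 flags S/SA keep state
pass in quick on $dmz_if inet proto tcp from $squid to any port 80 \
    flags S/SA keep state
```

Either way, check the result from the DMZ side with the same `tcpdump -vvnpi em0 port 6060` (option A) or `port 80` (option B) Kyle used: under A the SYN arrives addressed to 172.16.46.50:6060, under B it arrives still addressed to the real web server, which is the quickest way to tell which of the two the firewall is actually doing.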
