Re: ICP proxy for Firewall

From: <>
Date: Wed, 22 Oct 1997 11:56:33 +0200

Many thanks for all the replies on the ICP proxy issue.

> From:
> Sent: 21/10/97 13:48
>>From: Marc van Selm
>>Sent: 21 October 1997 08:31
>>At 06:50 PM 10/20/97 +0200, wrote:
>>This might be very useful but TIS told us UDP is not something they want
>>support. It is possible to set up a "UDP-tunnel" though the FW "but
>>who do this will get on the black list" (Quote from one of the tech's who

>>came to set up an initial evaluation system) The main problem (their main

>>problem) was that they couldn't keep a good Connection-state. (I think
>>should be possible but requires understanding of the Higher layer
>>completed with time-outs)

Yes, this matches the reply from TIS I've received in the meantime. I also
like the ideal of a UDP FW bypass for the ICP.

>[] The point with UDP is in fact that it is connectionless, i.e. there is
>connection to know the state of! There are programs that can do this
>but only to one specific host (although you could use different UDP ports
>the firewall to do different hosts). In practice, this isn't really the
>way to go.

Also the so called "plug-gateway" solution for different host seems to be

>>4) Have an internal proxy which takes care of the "routing"

>This sounds like the best approach to me. However I would have it the
>way round to what you imply, and have the real "big" proxy on the inside,

>and just a little squid on the outside to field the ICP. This little squid

>would be "default no-query". The reason is that the more traffic that
>through the firewall, the more stuff is parsed by the firewall software
>(http-gw?), and this has to be done for every request, even the cached
>So it is much quicker for the user if it is done this way round.
>Jonathan L.

I think this will be the way I'll take for our scenario here, although this
implies some extra cost for a second machine and we have then three points
failure (the two caches and the FW, through which all non local cached
requests will be passed). But the good thing: this will also take some load

form outr FW http-gw.
The question I have now is: will this external "routing" cache require to
be a
powerfull machine? Well, it will not do any caching (the internal big one
do this). But has to handle all outgoing http requests. So there will be
some squid and dnsserver daemons running. Will there be very high CPU load,
will a mid-range desktop workstation or PC be sufficient? (we have ~500
on our site). Any experiences?

Many thanks,

European Space Operations Centre
phone: (+49)-6151-90-2996
FAX: (+49)-6151-90-3503
Received on Wed Oct 22 1997 - 03:05:25 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:19 MST