Re: transparent-proxy

From: James R Grinter <jrg@dont-contact.us>
Date: Thu, 11 Dec 1997 00:34:09 +0000

On Tue 9 Dec, 1997, John Taylor <taylor@alteon.com> wrote:
>pursuing my ipnat problems, could the switch also remap the dest IP
>address in each HTTP packet to the squid server's IP address? I could
>remove ipnat and the ip_fil package from the picture.

I'd prefer that it didn't.

Otherwise there's obviously no way at all that the receiving machine (let alone
Squid) can tell where the packet was originally going to and it could only use
the Host: header (see discussions ongoing on this list) if there was one.

(Incidentally, this reminds me of the way that the Alteon switch does its load
balancing. If only it didn't remap the addresses in the IP packet and just
fiddled the MAC address of the frame, you wouldn't need to use multiple IP
addresses to balance one IP address. Not my idea, it's what IBM do in their
Network Distributor software.)

The best setup IMHO for handling all inbound addresses is that used in the TIS
Gauntlet firewall, where they have the notion of 'absorbing' addresses and
acting as if the packet really did reach that IP address. It's what IP-filter
tries to do, but requires an ioctl() in the application code to pull off.
I believe the Linux ipfw has the same behaviour, and I know that the IRIX
filterd does (using 'grab', if anyone is wondering).

James.
(incidentally, I expect your ip-filter problem is that the module hasn't loaded
correctly. When it loads, it creates the appropriate devices in /dev)
Received on Wed Dec 10 1997 - 16:58:35 MST
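
The trade-off described in the message above, as an added example that is not part of the original post and is not Squid or IP-filter code: when the kernel "absorbs" the address, the accepted socket's local address is still the original destination, but once a switch has rewritten the destination IP the only remaining hint is the Host: header. The function names, the proxy address 192.0.2.10 and the sample requests are constructed for illustration, and it assumes getsockname() reports the absorbed address.

```python
# Added illustration; names, addresses and sample requests are constructed.

class NoDestination(Exception):
    """Neither the packet nor the request says where the client was going."""


def absorbed_destination(local_addr, proxy_ips):
    """Return the original (ip, port) if the address was 'absorbed'.

    local_addr is what getsockname() reports on the accepted socket
    (assumption: absorb-style redirection). If it is one of the proxy's own
    addresses, the destination IP was rewritten before the packet arrived
    and the original target is no longer recoverable from the packet.
    """
    ip, port = local_addr
    return None if ip in proxy_ips else (ip, port)


def host_header(request):
    """Extract (host, port) from a raw request's Host: header, or None.

    Handles the hostname / IPv4 form only.
    """
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host, _, port = value.strip().decode("latin-1").partition(":")
            if not host:
                return None
            return host, (int(port) if port.isdigit() else 80)
    return None


def pick_upstream(request, local_addr, proxy_ips):
    """Choose where to forward: the packet's address first, Host: as fallback."""
    dst = absorbed_destination(local_addr, proxy_ips)
    if dst is not None:
        return dst + ("packet",)
    named = host_header(request)
    if named is None:
        raise NoDestination("destination rewritten and no Host: header")
    return named + ("host-header",)


PROXY_IPS = {"192.0.2.10"}                          # constructed proxy address
HTTP10 = b"GET /index.html HTTP/1.0\r\n\r\n"        # no Host: header
HTTP11 = b"GET /index.html HTTP/1.1\r\nHost: www.example.com:8080\r\n\r\n"
```

The HTTP/1.0 request is forwardable only in the absorbed case; with the destination rewritten it raises NoDestination, and the HTTP/1.1 request is routed on a value the client controls.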
