Re: squid.conf (udp_incoming/outgoing_address)

From: Matthew Petach <mattp@dont-contact.us>
Date: Sun, 1 Mar 1998 02:53:21 -0800 (PST)

Recently, Rodney van den Oever talked about "Re: squid.conf (udp_incoming/outgoing_address)", and said
>
> > > > Hm. Can the tcp_incoming_address be set to 0.0.0.0
> > > > to have Squid listen for incoming connections sent
> > > > to ANY ip address on port 80 when running in
> > > > acceleration mode, to act as a transparent
> > > > proxy without needing the ip firewall/NAT
> > > > address translation portion?
> > >
> > > No. Binding to 0.0.0.0 is the default; it listens on all available
> > > interfaces.
> > Hm. All *available* interfaces. What about running the NIC
> > in promiscuous mode, and simply having squid listen for ANY
> > inbound packet destined for whatever port the conf file specifies?
> > That way, you can remove the requirement for the ipfwadm, etc.
>
> You don't need to capture all layer 2 (MAC-level) traffic, since traffic is
> already directed to one of your interfaces. A transparent proxy needs to be
> in your routing path, right?

Not necessarily.

   USERS ----- redirection hardware ------ Internet
                 |
                 |-----Squid

in this case, the only packets destined down the layer-2 line
for port 80 will be those that Squid should intercept. No
rewriting or forwarding needs to be done.
 
> Only problem is, that instead of forwarding a packet to another host, the
> packet should be forwarded to a local process. This would require a patch to
> the kernel routing code. Well, if you are patching the kernel anyway, why
> not add filtering capabilities?

That's exactly what I'm aiming to avoid. If the local process can
already listen for any traffic destined for port 80, no modifications
to the kernel are necessary, and you've suddenly opened up a much
larger target audience for the software. Trying to get ipfwadm to
work on Solaris isn't a trivial matter; getting Squid to work is.
 
> Seems to me you would end up with something looking very much like
> 'ipfwadm'!

*sigh* Except that ipfwadm is unique to each platform. I'm aiming
for a platform independent, kernel-structures independent solution
for those using redirection hardware already.
 
> Rodney van den Oever / roever@nse.simac.nl / +31 71 3670838
> Stguchi@aol.com wrote:
> > do u have the bombing program ? if so please e-mail it to me
> What's your IP address, I'll send it to you.
> Joe

Matt

-- 
InterNex Information Services   |           Matthew Petach {MP59}
Senior Network Engineer         |           mpetach@internex.net
2306 Walsh Avenue               |           Tel: (408) 327-2211
Santa Clara, CA  95051          |           Fax: (408) 496-5484
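As an added illustration for readers of this thread (it is not from either poster's mail), here are the address directives named in the subject line as they appear in a Squid 2.x squid.conf, with the all-interfaces default beside a configuration that pins the ICP (UDP) side to an internal interface. The addresses 192.0.2.10 and 10.0.0.2 are constructed placeholders.

```conf
# Added example: Squid 2.x address directives discussed in this thread.
# Addresses are constructed placeholders, not taken from the original mail.

# Default: bind to every local interface (0.0.0.0 = INADDR_ANY). This is
# what the quoted "tcp_incoming_address 0.0.0.0" does: Squid accepts
# connections to any address the host itself owns. It does not make Squid
# see packets addressed to other hosts' IPs; those still have to be
# redirected to this host (kernel filter/NAT or redirection hardware).
http_port 80
tcp_incoming_address 0.0.0.0
udp_incoming_address 0.0.0.0
udp_outgoing_address 0.0.0.0

# Accelerator settings used for the transparent-proxy mode the thread
# mentions (Squid 2.x):
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# Narrower alternative: accept HTTP on the outside address only, and keep
# the ICP peer-query port on the internal interface so it is not reachable
# from the Internet side. Uncomment to use in place of the 0.0.0.0 lines.
# tcp_incoming_address 192.0.2.10
# udp_incoming_address 10.0.0.2
# udp_outgoing_address 10.0.0.2
# icp_port 3130
```

The udp_* directives only affect ICP, so binding them to an internal address costs nothing for ordinary HTTP clients; after a change, confirm with `netstat -an` (or the platform equivalent) that the UDP port is listening only on the address you intended.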
Received on Sun Mar 01 1998 - 03:02:45 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:39:07 MST