RE: Transparent Linux Squid Firewall Rules.

From: Chris Keladis <chrisk@dont-contact.us>
Date: Wed, 12 Aug 1998 10:14:54 +1000

Hello Henrik,

Thanks for the reply.. The rules are becoming clearer now..

One thing that is still not clear to me is in the second line of the
aforementioned rules. Why does it check the source IP address to
"pass-thru" requests on port 80, shouldn't it be a -D switch to check based
on the destination?

A quick test making the rule to check Destination didn't go very well, but I
am at a loss as to why, exactly?

Thanks again,

Chris.

-----Original Message-----
From: hno@hem.passagen.se [mailto:hno@hem.passagen.se]
Sent: Tuesday, August 11, 1998 11:29 PM
To: Chris Keladis
Cc: squid-users@ircache.net
Subject: Re: Transparent Linux Squid Firewall Rules.

Chris Keladis wrote:

> ipfwadm -I -a accept -W lo
> ipfwadm -I -a accept -S test-proxy -W eth0
> ipfwadm -I -a accept -D 0/0 80 -P tcp -r 3128 -W eth0
>
> Now this works, but aren't the first two lines excess, in an
> "allow all policy" type firewall setup?

The first two lines say that loopback and traffic destined for this
machine should not be redirected to Squid.

These ipfwadm rules are not blocks. They are simply a routing decision
that traffic destined to the local machine should be handled as such,
and not redirected to Squid.

These ipfwadm rules
* Prevent loops
* Allow one to run a local http server on port 80 for cachemgr,
statistics, proxy PAC files and other useful things.

1.2beta22 and later have built-in loop prevention (as documented in
ChangeLog).

1.1.X loop prevention patch is available from
http://hem.passagen.se/hno/squid/

---
Henrik Nordström
Received on Tue Aug 11 1998 - 17:15:50 MDT
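As an added illustration (not part of either message), a toy first-match evaluator for the three ipfwadm input-chain rules quoted above: it shows that the two accept rules are not blocks but earlier matches that keep loopback traffic and the proxy's own port-80 requests away from the redirect, and that dropping them sends the proxy's own traffic back to port 3128. The host table, the packets and the parser are constructed for this example; it does not emulate the kernel's real rule handling.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constructed host table standing in for DNS; test-proxy is the Squid box.
HOSTS = {"test-proxy": "192.0.2.10", "client": "192.0.2.20", "web": "198.51.100.5"}
SIMPLE_FLAGS = {"-a": "policy", "-P": "proto", "-W": "iface", "-r": "redirect"}
# The three input-chain rules exactly as quoted in the thread.
RULES_FROM_THREAD = [
    "ipfwadm -I -a accept -W lo",
    "ipfwadm -I -a accept -S test-proxy -W eth0",
    "ipfwadm -I -a accept -D 0/0 80 -P tcp -r 3128 -W eth0",
]

def parse_rule(line):
    """Turn one 'ipfwadm -I ...' command line into a dict of match criteria."""
    argv = shlex.split(line)[1:]                      # drop the 'ipfwadm' word
    rule = dict.fromkeys(["policy", "src", "dst", "sport", "dport", "proto", "iface", "redirect"])
    i = 0
    while i < len(argv):
        flag = argv[i]
        if flag == "-I":                              # input chain, the only one modelled
            i += 1
        elif flag in SIMPLE_FLAGS:                    # policy, protocol, interface, redirect port
            rule[SIMPLE_FLAGS[flag]] = argv[i + 1]; i += 2
        elif flag in ("-S", "-D"):                    # address[/mask] then an optional port list
            addr = HOSTS.get(argv[i + 1], argv[i + 1])
            net = ip_network("0.0.0.0/0" if addr == "0/0" else addr, strict=False)
            rule["src" if flag == "-S" else "dst"] = net
            i += 2
            ports = []
            while i < len(argv) and argv[i].isdigit():
                ports.append(int(argv[i])); i += 1
            if ports:
                rule["sport" if flag == "-S" else "dport"] = ports
        else:
            raise ValueError("flag not modelled: " + flag)
    return rule

def decide(rules, pkt):
    """First matching rule wins; unmatched packets fall to the 'allow all' policy."""
    for r in map(parse_rule, rules):
        if r["iface"] and r["iface"] != pkt["iface"]: continue
        if r["proto"] and r["proto"] != pkt["proto"]: continue
        if r["src"] and ip_address(pkt["src"]) not in r["src"]: continue
        if r["dst"] and ip_address(pkt["dst"]) not in r["dst"]: continue
        if r["sport"] and pkt["sport"] not in r["sport"]: continue
        if r["dport"] and pkt["dport"] not in r["dport"]: continue
        return ("redirect", int(r["redirect"])) if r["redirect"] else (r["policy"], None)
    return ("accept", None)

def tcp(src, dst, dport, iface="eth0"):   # constructed packet as the input chain sees it
    return {"src": HOSTS[src], "dst": HOSTS[dst], "sport": 40000, "dport": dport,
            "proto": "tcp", "iface": iface}
```

Evaluating `RULES_FROM_THREAD[2:]` against a packet sourced from test-proxy shows the loop Henrik describes: with only the redirect rule left, the proxy's own fetch is sent back to 3128.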
