Re: Transparent Linux Squid Firewall Rules.

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 12 Aug 1998 23:52:44 +0200

Chris Keladis wrote:

> One thing that is still not clear to me is in the second line of the
> aforementioned rules. Why does it check the source IP address to
> "pass-thru" requests on port 80, shouldn't it be a -D switch to check based

> ipfwadm -I -a accept -W lo
> ipfwadm -I -a accept -S test-proxy -W eth0
> ipfwadm -I -a accept -D 0/0 80 -P tcp -r 3128 -W eth0

Right.. I didn't notice that -S there.. this line definitely does not do
what I thought it did, but it is equally useful for terminating loops.
What the line does is to prevent loops if a routing loop should occur or
if Squid addresses itself.

There are some minor differences between using -S or -D here. -S
terminates a wider range of possible loops, but if you have Squid
patched to terminate loops then using -D shows a nice error message in
squid.out if a routing error occurs that causes squid generated traffic
to be redirected to Squid again.

If squid is not patched:
  ipfwadm -I -a accept -b -S test-proxy -W eth0
If squid is patched to terminate loops:
  ipfwadm -I -a accept -D test-proxy -W eth0

The first rule (-W lo) is redundant in a "default accept" configuration,
and can be removed.

---
Henrik Nordström
Sparetime Squid Hacker
Received on Wed Aug 12 1998 - 16:33:36 MDT
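To make the difference between the -S and -D variants concrete, here is a small Python model of the ipfwadm input chain discussed above. It is an added example, not code from Henrik, Squid or ipfwadm: it models only the match fields the thread uses (-S, -D with an optional port, -P, -W, -r and -b), first-match semantics and a "default accept" policy, and it stands in a constructed address (192.0.2.2) for the host called test-proxy. The three constructed packets are a normal client request, Squid's own outbound fetch arriving back on eth0 because of a routing loop, and a client addressing the proxy host itself on port 80.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed address standing in for the host "test-proxy" in the thread.
PROXY = "192.0.2.2"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    iface: str = "eth0"


@dataclass(frozen=True)
class Rule:
    """One 'ipfwadm -I -a accept' rule; fields mirror the switches used in the thread."""
    src: Optional[str] = None       # -S address/network (None = any)
    dst: Optional[str] = None       # -D address/network (None = any)
    dport: Optional[int] = None     # port given after -D
    proto: Optional[str] = None     # -P
    iface: Optional[str] = None     # -W
    redirect: Optional[int] = None  # -r local port (transparent redirect)
    bidir: bool = False             # -b: match the reverse direction as well

    @staticmethod
    def _within(ip: str, net: Optional[str]) -> bool:
        return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self._within(pkt.src, self.src) and self._within(pkt.dst, self.dst):
            return True
        # -b: the same rule also matches with source and destination swapped.
        return self.bidir and self._within(pkt.dst, self.src) and self._within(pkt.src, self.dst)


def evaluate(rules, pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; unmatched packets fall through to 'default accept'."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.redirect is not None:
                return ("redirect", rule.redirect)
            return ("accept", None)
    return ("accept", None)


# ipfwadm -I -a accept -D 0/0 80 -P tcp -r 3128 -W eth0
REDIRECT_WEB = Rule(dst="0.0.0.0/0", dport=80, proto="tcp", iface="eth0", redirect=3128)

# "If squid is not patched":  ipfwadm -I -a accept -b -S test-proxy -W eth0
UNPATCHED_CHAIN = [Rule(src=PROXY, iface="eth0", bidir=True), REDIRECT_WEB]

# "If squid is patched to terminate loops":  ipfwadm -I -a accept -D test-proxy -W eth0
PATCHED_CHAIN = [Rule(dst=PROXY, iface="eth0"), REDIRECT_WEB]

# Constructed traffic samples.
CLIENT_REQUEST = Packet("192.0.2.10", "198.51.100.5", 80)   # ordinary browser request
LOOPED_FETCH = Packet(PROXY, "198.51.100.5", 80)            # Squid's own fetch, looped back in
TO_PROXY_HOST = Packet("192.0.2.10", PROXY, 80)             # client talks to the proxy host itself


def outcomes():
    """Map each sample packet to its verdict under both chains."""
    result = {}
    for name, pkt in (("client", CLIENT_REQUEST), ("looped", LOOPED_FETCH), ("to_proxy", TO_PROXY_HOST)):
        result[name] = {
            "unpatched": evaluate(UNPATCHED_CHAIN, pkt),
            "patched": evaluate(PATCHED_CHAIN, pkt),
        }
    return result


if __name__ == "__main__":
    for name, verdicts in outcomes().items():
        print(name, verdicts)
```

Running it shows the point of the thread: a client request is redirected to 3128 under both chains, and a connection addressed to the proxy host is left alone under both, but the looped fetch sourced from test-proxy is stopped at the firewall only by the -S -b rule; under the -D variant it is redirected back into Squid, which is exactly why that variant relies on Squid itself terminating the loop and reporting it in squid.out.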

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:41:30 MST