Re: Transparent Proxy

From: Irfan Akber <>
Date: Fri, 16 Oct 1998 20:01:52 -0000

> Gentlemen,
> I have two Squid servers, both running Squid-2.0.PATCH2, one on a
> dedicated FreeBSD 2.2.6 machine, the other sibling on a Sparc20 (Solaris
> 2.6). I can't upgrade my Cisco AGS+ router to 11.1 (never could get the
> loaded, new, image to be saved to NVRAM) but hey, it's been working just
> fine for years now so I'm not too worried.
> <FAQ> 1. Getting the packets to your cache machine. If your proxy
> is already in the path of the packets (i.e. it is routing between your
> dialup users and the Internet) then you don't have to worry about this
> step.</FAQ>
> My dial-up users all use 3Com and Livingston Network Access Devices,
> have the ability to specify a default gateway. Am I correct in my
> assumption that I would simply need to change the default gateway to
> specify my Squid server?

No. Is the machine running Squid has both Interface for both the subnets in
order to be able to route between the two. If it is then that machine would
be the default gateway. But still you require a machanism to redirect web
trafic to the proxy server. That can be done using the Cisco Router. I dont
know how because I have not worked on Cisco, but the lines are there in the
FAQ. In order to do transparent proxy the web traffic has to be diverted to
the proxy port of your squid. simpily redirecting would not acieve

> If the above assumption is correct, this would mean all of my dial-up
> user's packets would be flowing through my FreeBSD Box, correct?

Yes if it has both interfaces and is setup to do IP forwarding. But that
would not serve the purpose.

> All I would want is to transparently proxy Web requests, no FTP (squid
> doesn't handle FTP PUTs and I don't really want to transparently proxy
> install Socks5, either). Would there be anything special I might need to
> setup in FreeBSD's /etc/rc.conf file as well? I noticed the FAQ doesn't
> mention anything about this (nor did ipfilter's home-page) but I want to
> safe than sorry. I'm specifically concerned about the line in FreeBSD's
> /etc/rc.conf 'gateway_enable'. Currently this variable is set to "NO"
> my initial assumptions are to set this to "YES", but since I can't find
> mention of it in the FAQ, I'm a little apprehensive. The rc.conf
> 'router_enable' is also set to "NO", too.

You need to redirect the web traffic and set up squid to do transparent
proxy so that the headers can be modified. How to setup squid to do
tansparent proxy is defined in the FAQ. I dont know the router part. Tell
me how you do it.

> <FAQ>Put these lines in /etc/ipnat.rules:
> # Redirect direct web traffic to local web server.
> rdr de0 port 80 -> port 80 tcp

This is if you have web server runnning on the local machine which is doing
IP forwarding and is a gateway between different nets.

> # Redirect everything else to squid on port 8080
> rdr de0 port 80 -> port 8080 tcp
> </FAQ>

These line forward the web traffic to the local machine which is also
running squid. Obviously you setup is different as you are running squid on
a seperate machine. I wonder why the writer thinks every service is running
on the same machine which is working as a router for different subnets. One
single machine just cant take such a load e.g 100 users on one net.
squid if their browser's are configured).
> Those lines above make little sense to me. What would be the
> configuration to only proxy port 80, and redirect everything else to my
> Cisco Router?

As explained earlier, the gateway between two or more nets will forward all
the traffic by default to the router only the web will redirected by the
router. In fact you dont even need a FreBSD router if you are implementing
this on the router. Tell me if you find a software solution.

> Many thanks in advance.
> George Ellenburg

Irfan Akber
Received on Fri Oct 16 1998 - 09:16:06 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:42:32 MST