Re: icp and telnet

From: Steve Devine <cache@dont-contact.us>
Date: Wed, 03 Mar 1999 13:17:29 -0500

At 04:53 AM 3/4/99 +1100, you wrote:
>Steve Devine wrote:
>>
>> >Date: Wed, 03 Mar 1999 12:00:42 -0500
>> >To: Richard Stagg <squid@bae.co.uk>
>> >From: Steve Devine <cache@jps.k12.mi.us>
>> >Subject: Re: icp and telnet
>> >In-Reply-To: <Pine.LNX.3.96.990303162530.239F-100000@nadnl5.net.bae.co.uk>
>> >References: <3.0.6.32.19990303105019.007db670@jps.k12.mi.us>
>> >
>> >At 04:27 PM 3/3/99 +0000, you wrote:
>> >>On Wed, 3 Mar 1999, Steve Devine wrote:
>> >>
>> >>> I am struggling to get icp to work on squid 1.22. Can someone tell if a
>> >>> correctly configured machine will accept telnet requests on the icp port?
>> >>> I am trying to use telnet as a troubleshooting tool. At this point my squid
>> >>> refuses the connection when I type in "telnet mybox.com 3130" from another
>> >>> unix workstation. Any help would be appreciated. I have read the archives
>> >>> and am running out of ideas. Thanks
>> >>
>> >>This isn't a good way to test; ICP uses UDP on port 3130; Telnet will try
>> >>to connect to 3130 using TCP. Hence you're not going to get a meaningful
>> >>result.
>> >>
>> >>The best way to test it is to use another Squid box with the proxy in
>> >>question configured as a sibling. Fire some requests at the spare box and
>> >>watch the logs on the system being tested.
>> >
>> >Thanks for the suggestion. I have tried that but I get 'unable to open
>> >source' messages.
>> >Also both machines give out unable to forward messages most of the time.
>> >When it does work I get broken images. These problems go away when I set
>> >icp port tag to 0; of course this defeats icp. I believe my acl list may
>> >be the problem. Can anyone see where I have gone wrong?
>> >I am inside a firewall and all proxies must forward to parent on other side
>> >of firewall.
>> >
>> > acl jpshosts src 10.0.0.0/255.0.0.0
>> > acl all src 0.0.0.0/0.0.0.0
>> > http_access allow jpshosts
>> > http_access deny all
>> > icp_access allow jpshosts
>> > always_direct deny all
>> > acl local-servers dstdomain jps.k12.mi.us
>> > acl all src 0.0.0.0/0.0.0.0
>> > never_direct deny local-servers
>> > never_direct allow all
>
>If your proxy cannot route freely to the parent and vice-versa (that is,
>pass packets _without_ masquerading or network address translation
>taking place) then ICP isn't going to work for you, I believe. ICP is a
>'connectionless protocol' (which is why it's implemented with UDP), and
>without specific masquerading support for ICP (which I do not believe is
>available) at your firewall, ICP requests _may_ arrive at the parent,
>but responses probably cannot be returned through it.
>
>You really need a public address to source your ICP requests from, if
>you do not have one. As an alternative, I _think_ that TIS fwtk
>(firewall toolkit) has a UDP packet proxy that _may_ help. I don't
>recall the exact payload details of an ICP packet, so it might not work,
>still and all.

Just to be clear, I am not using the parent as an icp peer. We use the parent
for content filtering only. These two squid servers work well behind the
firewall when they are only configured to the one peer (parent beyond the
firewall). I want the two squid boxes to be one another's siblings. Check
each other for hits and if they don't find them go to the parent. So I am
trying to implement icp within a private network.

>D
>
>
Received on Wed Mar 03 1999 - 11:24:43 MST
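
The thread's point that ICP listens on UDP 3130, so a TCP telnet connection tells you nothing, can be checked with a UDP probe that sends a real ICP query. This is an added example, not part of the original messages: the packet layout follows RFC 2186, the function names are hypothetical, and the host and URL passed on the command line are whatever sibling and object you want to test.

```python
import socket
import struct
import sys

# ICP v2 header (RFC 2186): opcode, version, message length, request number,
# options, option data, sender host address = 20 bytes, network byte order.
ICP_HEADER = struct.Struct("!BBHIII4s")
ICP_VERSION = 2
OPCODES = {1: "QUERY", 2: "HIT", 3: "MISS", 4: "ERR", 10: "SECHO",
           11: "DECHO", 21: "MISS_NOFETCH", 22: "DENIED", 23: "HIT_OBJ"}

def build_icp_query(url, reqnum=1):
    """Build an ICP_OP_QUERY datagram asking a peer whether it holds `url`."""
    # Query payload: 4-byte requester address (zeroed here), NUL-terminated URL.
    payload = b"\x00" * 4 + url.encode("ascii") + b"\x00"
    header = ICP_HEADER.pack(1, ICP_VERSION, ICP_HEADER.size + len(payload),
                             reqnum, 0, 0, b"\x00" * 4)
    return header + payload

def parse_icp_reply(data):
    """Decode a reply datagram into (opcode name, version, reqnum, url)."""
    if len(data) < ICP_HEADER.size:
        raise ValueError("datagram shorter than the 20-byte ICP header")
    opcode, version, length, reqnum, _, _, _ = ICP_HEADER.unpack_from(data)
    if length != len(data):
        raise ValueError("ICP length field does not match datagram size")
    # Reply payload starts with the NUL-terminated URL that was asked about.
    url = data[ICP_HEADER.size:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return OPCODES.get(opcode, "UNKNOWN(%d)" % opcode), version, reqnum, url

def probe_icp(host, url, port=3130, timeout=2.0):
    """Send one query over UDP; return the parsed reply, or None on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_icp_query(url), (host, port))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None  # no answer: peer down, filtered, or ICP disabled
    return parse_icp_reply(data)

if __name__ == "__main__":
    # usage: python icp_probe.py <sibling-host> <url>
    print(probe_icp(sys.argv[1], sys.argv[2]))
```

A DENIED reply means the datagram reached the peer but its icp_access rules rejected the source address; no reply at all points at the port, routing or a packet filter instead.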
