Re: Trans Proxy on IRIX

From: Mike Batchelor <mbatchelor@dont-contact.us>
Date: Tue, 25 May 1999 10:58:36 -0700

I haven't tried it yet with squid (I didn't build or configure it to work
transparently).  But the ipfilterd.conf statements used by Gauntlet 3.2 on
Irix to implement transparency are like this:

grab -i ef0 (src&0xFFFFFF00)=192.168.1.0

You list one line similar to this for each physical interface you want to
make transparent, and you list each network with its mask to tell ipfilterd
for what clients to become transparent.  The grab rules come almost last in
the file, after whatever other filters you have to allow routed traffic,
reject traffic before hitting the grab rules, whatever - but before the
final "reject (src&0)=0" statement.

So with 3 subnets, 2 reachable over ef0, and one over ef1, you'd have
something like this:

grab -i ef0 (src&0xFFFFFF00)=192.168.1.0
grab -i ef0 (src&0xFFFFF000)=10.0.48.0
grab -i ef1 (src&0xFFFFFF00)=207.99.24.0
reject (src&0)=0

You can also do it the quick and dirty way:

grab (src&0)=0

But that's not too secure, and obviates the need for the final reject. :) 
But if it's the only line in ipfilterd.conf, it will do the trick all by
itself.  Use it for testing.

You will also want to increase the number of kernel-cached ipfilter
verdicts.  This can be done by editing /var/sysgen/master.d/ipfilter, and
increasing the default "#define NUMIPKFLT 32" and gen a new unix. 128 seems
to be a good value - you don't want it too large, or the kernel will keep a
big chunk of memory it has to search through for every packet.  Too low, and
you waste a lot of time switching context in the kernel to consult
ipfilterd.  You may also want to toggle with systune, under net_ip, the
variable ipfilterd_inactive_behavior. The default causes all kernel
filtering to stop if ipfilterd dies, but changing it to zero allows the
kernel to continue using its cached verdicts, which may be necessary if you
have to restart ipfilterd from a network login.  This is also the area where
you turn off or on ipforwarding.

-----Original Message-----
From: mbailey@journey.net <mbailey@journey.net>
To: mbailey@journey.net <mbailey@journey.net>
Cc: squid-users@ircache.net <squid-users@ircache.net>
Date: Monday, May 24, 1999 6:18 PM
Subject: Trans Proxy on IRIX

>I am trying to do a trans proxy on IRIX 6.5 and using a Cisco router for
>redirects. Would someone please help me with what I need to do for squid
>to make it work correctly. Maybe a sample ipfilterd.conf config for IRIX..
>
>I am drawing a total loss and the documentation is quite poor on this
>issue..
>
>Thanks again for any help..
>
>--Matt
>
>------------------------------------------------------------------------
>Matthew S. Bailey, President            Journey Communications, Inc.
>mbailey@journey.net                     PO Box 2003
>(517) 779-2400                          Mt. Pleasant, MI 48858
>
>Inexpensive Wholesale Services for Michigan -- michix.com
>------------------------------------------------------------------------
>
Received on Tue May 25 1999 - 11:51:16 MDT
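A small checker for rule files in the grab/reject form described in the reply above, added here as an example (it is not code from the mail, from Gauntlet, or from ipfilterd). It assumes rules are evaluated first-match in file order, as the ordering advice in the mail relies on, and uses the mail's interfaces and networks as constructed sample input; it flags the "quick and dirty" catch-all grab and a missing final reject.

```python
import ipaddress
import re

# Constructed ipfilterd.conf built from the rules quoted in the mail above.
SAMPLE_CONF = """\
grab -i ef0 (src&0xFFFFFF00)=192.168.1.0
grab -i ef0 (src&0xFFFFF000)=10.0.48.0
grab -i ef1 (src&0xFFFFFF00)=207.99.24.0
reject (src&0)=0
"""

# Matches the 'action [-i iface] (src&MASK)=NETWORK' form shown in the mail.
RULE_RE = re.compile(
    r"^(?P<action>grab|reject)(?:\s+-i\s+(?P<iface>\S+))?\s*"
    r"\(src&(?P<mask>0x[0-9A-Fa-f]+|0)\)=(?P<net>\d+(?:\.\d+){3}|0)\s*$")

def parse_rules(text):
    """Parse rules into dicts with action, iface, integer mask/net, line number."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised rule: {raw!r}")
        net = 0 if m["net"] == "0" else int(ipaddress.IPv4Address(m["net"]))
        rules.append({"action": m["action"], "iface": m["iface"],
                      "mask": int(m["mask"], 0), "net": net, "lineno": lineno})
    return rules

def audit_rules(rules):
    """Flag mask/network mismatches, the catch-all grab, and a missing final reject."""
    warnings = []
    for r in rules:
        if r["net"] & ~r["mask"] & 0xFFFFFFFF:
            warnings.append(f"line {r['lineno']}: network has bits outside its mask")
        if r["action"] == "grab" and r["mask"] == 0:
            warnings.append(f"line {r['lineno']}: catch-all grab matches every source")
    last = rules[-1] if rules else None
    if not (last and last["action"] == "reject" and last["mask"] == 0):
        warnings.append("no final 'reject (src&0)=0' rule")
    return warnings

def first_match(rules, src_ip, iface):
    """Assumed first-match, top-to-bottom evaluation: (action, lineno) or None."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for r in rules:
        if r["iface"] in (None, iface) and (ip & r["mask"]) == r["net"]:
            return r["action"], r["lineno"]
    return None
```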
