On Fri, Oct 29, 1999 at 06:02:29PM +0200, Barry van Dijk wrote:
> Hi,
>
> At first it seemed like everything worked ok. Log file was growing
> as I expected. Everybody could browse anywhere through the proxy,
> so far so good.
>
> But then I saw in my logfile that requests from outside were denied.
>
>
> 941209329.854 76 195.241.189.246 TCP_DENIED/403 986 GET http://www.binnenlloyd.nl/ - NONE/- -
>
> IP address is from outside. Domain is one of my virtual hosts (Apache).
>
> How can someone be stopped by my Proxy server?

It means that you're sending all www requests from outside your domain
to your proxy server.

> This is what I used on my Cisco 2610 router:
>
> access-list 110 deny tcp host 194.165.71.16 any eq www

This keeps outgoing web requests from your proxy server from being
redirected, which is good.

> access-list 110 permit tcp any any eq www

This matches all other web traffic through your router, either incoming
or outgoing.

> route-map proxy-redirect permit 10
> match ip address 110

And this redirects all of it to your proxy server (which I assume
you've configured to deny all proxy connections not from your domain,
though you don't show that here.)

If you don't want incoming traffic to be redirected, you need to
modify that access list, to add some deny lines for anything not on
your network, or explicitly change the permit line to clients on your
network. I'd recommend the latter, in which case you'd change the
"permit" line above to read more like:

    access-list 110 permit tcp xxx.yyy.zzz.www mmm.mmm.mmm.mmm any eq www

where xxx.yyy.zzz.www and mmm.mmm.mmm.mmm are the IP address and
netmask for your internal network. If you have multiple internal
networks (IP address blocks), put multiple lines like that, one for
each.

  -- Clifton

-- 
Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net
"An absolute monarch would be absolutely wise and good. But no man is
strong enough to have no interest. Therefore the best king would be
Pure Chance. It is Pure Chance that rules the Universe; therefore, and
only therefore, life is good." - AC

Received on Fri Oct 29 1999 - 12:43:16 MDT
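
The effect of the two versions of access list 110 discussed above, as an added example that is not part of the original message: a small Python model of first-match ACL evaluation showing which source addresses end up redirected to the proxy. The function names are hypothetical, 192.0.2.0 with mask 0.0.0.255 is a constructed stand-in for the internal network, and the mask is written in the inverted (wildcard) form that IOS extended access lists use.

```python
import ipaddress

PROXY, OUTSIDE = "194.165.71.16", "195.241.189.246"   # both taken from the thread
INSIDE = "192.0.2.25"                                 # constructed internal client

ORIGINAL_ACL = """
access-list 110 deny tcp host 194.165.71.16 any eq www
access-list 110 permit tcp any any eq www
"""
# Constructed: 192.0.2.0 with wildcard 0.0.0.255 stands in for the internal network.
CORRECTED_ACL = """
access-list 110 deny tcp host 194.165.71.16 any eq www
access-list 110 permit tcp 192.0.2.0 0.0.0.255 any eq www
"""

def wildcard_match(addr, base, wildcard):
    """IOS-style match: bits set in the wildcard mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_acl(text):
    """Parse only the rule shape used in the thread: ... tcp SRC any eq www."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, rest = tok[2], tok[4:]
        if rest[0] == "any":
            src, rest = ("0.0.0.0", "255.255.255.255"), rest[1:]
        elif rest[0] == "host":
            src, rest = (rest[1], "0.0.0.0"), rest[2:]
        else:
            src, rest = (rest[0], rest[1]), rest[2:]
        if rest != ["any", "eq", "www"]:
            raise ValueError("unsupported rule: " + line)
        entries.append((action, src))
    return entries

def redirected(acl_text, src_ip):
    """For a TCP packet to port 80: first match wins, no match is the
    implicit deny, which here means the packet is routed normally."""
    for action, (base, wildcard) in parse_acl(acl_text):
        if wildcard_match(src_ip, base, wildcard):
            return action == "permit"
    return False

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        for ip in (PROXY, INSIDE, OUTSIDE):
            print(f"{name:9} {ip:16} redirected={redirected(acl, ip)}")
```

With the original list the outside client from the log line is redirected to the proxy, which then answers TCP_DENIED/403; with the corrected list only the internal network is redirected and outside requests reach the web server directly.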