Re: Extremely Transparent Proxy

From: Henrik Nordstrom <>
Date: Thu, 01 Jun 2000 00:32:31 +0200

Diegmueller, Jason (I.T. Dept) wrote:

> So is there any "clean" way to implement an almost INVISIBLE proxy server?
> Perhaps do bridging between the "outside" and "inside" interfaces, but still
> have the ability to hijack requests to TCP port 80 and deliver them to
> squid?
> Has anyone done anything like this before? If so, do share. If not, think
> I'm on the right path? Does this sound feasible?

Don't know if bridging and redirection can be combined in Linux, but I
think so. I have a vague memory of some old article combining ipfwadm
redirection and bridging..

I know for sure that you can intercept packets while using proxy-ARP
routing. I played around with proxy-ARP setups during firewall/proxy
development. Worked like a charm except that it must be set up both ways
or the machine behind the proxy will have trouble finding its way out.
Bridging is easier and I would recommend first trying out if bridging
can be combined with redirection.

> I'd just like to implement a squid proxy WITHOUT having to redesign a lot
> of things (and in the process piss off the systems team). I considered doing
> a route-map on the Cat5505's RSM but when I was playing around with that
> yesterday load went through the roof (this is an awfully busy Catalyst).

Again, proxy-ARP or bridging will avoid that ;-).

Both also have the benefit of a trivial backout plan. If there is any
trouble shut down the proxy machine and connect the servers directly to
the LAN.

Henrik Nordstrom
Squid hacker
Received on Wed May 31 2000 - 16:59:09 MDT
