Re: [SQU] Layer 4 switching and IPChains

From: Joe Cooper <joe@dont-contact.us>
Date: Wed, 23 Aug 2000 04:44:04 -0500

Ken Kirchner wrote:
>
> On Wed, 23 Aug 2000, Joe Cooper wrote:
>
> > Hi Ken,
> >
> > Quite simple...Assuming your squid box is doing the port redirect
> > internally, and is acting as a gateway, and ip_forward is turned on, you
> > can simply put an ACCEPT rule before the REDIRECT rule in your ipchains
> > list. If the squid box is not doing the 80 -> 3128 REDIRECT then there
> > is no easy way I know of to do this,
>
> I'll have to check, but I'm pretty sure our squids are set up for port 80
> in squid.conf (http_port 80). Are you recommending that I instead set my
> squid to port 3128 and use IPChains to redirect 80 to 3128? And if so,
> why? What is the advantage to this? Either way, would not an ACCEPT rule
> work at the beginning of the chain?

Why? For this very reason, of course! ;-) If there is no redirection,
then the port 80 traffic will always hit Squid. With the redirection
it's possible to skip over it for some packets. Without it, Squid just
sits there sucking up everything on port 80. (And it's not an option to
redirect that traffic to another port...because then what? The origin
web server wants the traffic on 80 and doesn't listen anywhere else.)

I'm sure there are other ways to achieve this within the Squid box
(Linux has all sorts of nifty packet tweaking tools...no telling what
the full sum of capability is), but that's the one I've seen work.

Besides, why worry over it? The CPU drain from redirection is almost
unmeasurably small. Really, I've done benchmarks and found that the
difference between a Squid acting transparently via IPChains redirection
and a Squid acting as a traditional proxy was simply too small to have
any statistical significance (i.e. <1%...that's right, less than one
percent).

> > aside from doing it in the L4
> > switch (why can't you do it there anyway, they're built for just such
> > things?).
>
> Like I said, this stupid switch only allows 1 ACL, and we are using that
> one for a porn filter at the moment. At least the darn thing load
> balances across our two squids, so that's nice.

Oh, I missed that bit. What brand switch is it? And is it common for
L4 switches to be brain damaged? ;-) I'm just joking of course, L4
switches are very nice for balancing.
 
> Thanks for the reply Joe. I will muse over this some more with your
> recommendations.

I think it is just what you're after. I'm sure someone here can correct
me if I'm wrong.

Good luck.
                                  --
                     Joe Cooper <joe@swelltech.com>
                 Affordable Web Caching Proxy Appliances
                        http://www.swelltech.com
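The rule ordering Joe describes (ACCEPT for traffic that must bypass Squid, placed ahead of the catch-all port 80 REDIRECT to 3128), written out as an added example that is not from the original thread. The interface, client network, bypass destination network and port are constructed placeholders; setting IPCHAINS=echo gives a dry run on a box without ipchains.

```shell
#!/bin/sh
# Transparent Squid on a Linux gateway with ipchains: the order of the
# rules in the input chain decides which port-80 flows reach Squid
# (REDIRECT to its http_port) and which are forwarded untouched (ACCEPT).
# All values below are constructed placeholders; adjust to your network.
LAN_IF="${LAN_IF:-eth1}"                     # interface clients arrive on
LAN_NET="${LAN_NET:-192.168.1.0/24}"         # client network
BYPASS_NET="${BYPASS_NET:-203.0.113.0/24}"   # destinations Squid must not see
SQUID_PORT="${SQUID_PORT:-3128}"             # squid.conf: http_port 3128
IPCHAINS="${IPCHAINS:-ipchains}"             # set to "echo" for a dry run

# The box must route the bypassed traffic itself, so forwarding is needed.
enable_ip_forward() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# ipchains matches first to last: the ACCEPT has to be appended before
# the REDIRECT or the REDIRECT swallows every port-80 packet from the LAN.
squid_bypass_rules() {
    # 1. Port-80 traffic to the bypass network is accepted and forwarded.
    $IPCHAINS -A input -i "$LAN_IF" -p tcp -s "$LAN_NET" -d "$BYPASS_NET" 80 -j ACCEPT
    # 2. All remaining port-80 traffic from the LAN is handed to Squid.
    $IPCHAINS -A input -i "$LAN_IF" -p tcp -s "$LAN_NET" -d 0/0 80 -j REDIRECT "$SQUID_PORT"
}

# Print the 1-based position of the first rule on stdin whose target is $1.
# Lets a dry run confirm that ACCEPT really sits in front of REDIRECT.
rule_position() {
    awk -v target="-j $1" 'index($0, target) { print NR; exit }'
}

case "${1:-}" in
    apply)   enable_ip_forward; squid_bypass_rules ;;
    dry-run) IPCHAINS=echo; squid_bypass_rules ;;
esac
```

`sh script.sh dry-run` prints the two rules in the order they would be loaded; `sh script.sh apply` loads them (root required).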

Received on Wed Aug 23 2000 - 03:42:22 MDT
