Re: [SQU] fighting with parent cache and firewall

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 14 Sep 2000 10:22:18 +0200

Peering relations utilize two protocols:

a) Normal HTTP, where the requests are forwarded just like how a normal
browser uses the proxy. This is a TCP connection to the proxy port.

b) Optionally ICP is used for probing the cache and availability in the
peering relations. ICP uses UDP traffic on port 3130<->3130. ICP is
completely optional and can be disabled, and for most parent
relationships I recommend having it disabled for performance reasons.

--
Henrik Nordstrom
Squid hacker

Miroslav PRAGL wrote:
> 
> Thank you
> I have no problem with clients. The prob is with parent proxy - where can I
> find description of cache-to-cache communication? I thought I only need
> allow incoming connections on 3130 with -y flag from it. Am I wrong?
> 
> Miroslav
> 
> > -----Original Message-----
> > From: Jim Selph [mailto:jselph@icanon.com]
> > Sent: Wednesday, September 13, 2000 5:58 PM
> > To: squid-users@ircache.net
> > Subject: [SQU] fighting with parent cache and firewall
> >
> >
> > Miroslav,
> >       Try this
> > #check ack bit on input if not set then dropped by default rule
> > /sbin/ipchains -A input -i eth0 -p tcp ! -y -s $ANY 3128 -d $YOU $UNPRIVPORT -j ACCEPT
> > /sbin/ipchains -A output -i eth0 -p tcp -s $YOU $UNPRIVPORT -d $ANY 3128 -j ACCEPT
> >
> > YOU = your IP
> > UNPRIVPORT = a range of ports you find acceptable, i.e. 1024:30000
> > ANY = an IP address of your choice, could be 0.0.0.0/0
> > eth0 or eth1 use your interface to the outside here
> >
> > hope this helps
> >
> > James
> >
> >
> > >Hi!
> > >Added
> >
> > >/sbin/ipchains -A input -p UDP --dport 3130 -s <parent ip> -j ACCEPT #let parent connect using ICP
> > >/sbin/ipchains -A input -p TCP --dport 3128 -s <parent ip> -j ACCEPT #let parent connect using http
> >
> > >but still have probs communicating with parent
> >
> > >Any ideas please?
> >
> > >Thx
> >
> > >Miroslav
> >
> >
> >
> > --
> > To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Thu Sep 14 2000 - 02:36:04 MDT
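
As an added example (not part of the thread and not Squid project code): a shell function that prints ipchains rules for the two peering flows Henrik describes, written in the rule style of James's message. The addresses, interface name and port range are constructed placeholders, and the rules are only printed, not applied.

```shell
#!/bin/sh
# Added example: print ipchains rules for a child Squid that forwards to one
# parent cache. Nothing is loaded into the kernel; review the output first.
# All addresses, the interface and the port range are assumed sample values.

# peer_rules CHILD_IP PARENT_IP PARENT_HTTP_PORT USE_ICP(yes|no) [IFACE] [UNPRIV_RANGE]
peer_rules() {
    child=$1 parent=$2 http_port=$3 use_icp=$4
    iface=${5:-eth0} unpriv=${6:-1024:65535}
    ipc=/sbin/ipchains

    # a) HTTP: the child opens the TCP connection to the parent's proxy port,
    #    from an unprivileged local port.
    echo "$ipc -A output -i $iface -p tcp -s $child $unpriv -d $parent $http_port -j ACCEPT"
    # Return traffic only: '! -y' skips connection-opening SYN packets, so the
    # parent cannot start new TCP connections to the child through this rule.
    echo "$ipc -A input -i $iface -p tcp ! -y -s $parent $http_port -d $child $unpriv -j ACCEPT"

    # b) ICP (optional): UDP with port 3130 on both ends. Queries leave the
    #    child, replies come back from the parent.
    if [ "$use_icp" = yes ]; then
        echo "$ipc -A output -i $iface -p udp -s $child 3130 -d $parent 3130 -j ACCEPT"
        echo "$ipc -A input -i $iface -p udp -s $parent 3130 -d $child 3130 -j ACCEPT"
    fi
}

# Constructed sample values (documentation address ranges).
peer_rules 192.0.2.10 198.51.100.5 3128 yes
```

With ICP disabled for the parent, as Henrik recommends, pass `no` as the fourth argument and only the two TCP rules are produced.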
