RE: [SQU] fighting with parent cache and firewall

From: Jim Selph <jselph@dont-contact.us>
Date: Thu, 14 Sep 2000 09:23:27 -0400

Miroslav,
If you're running the parent proxy on a disparate machine and the firewall
elsewhere, you will need to allow for the ACK bit; without knowing your
current schema I was assuming this would fit your needs. When packets are
coming through a kernel filter such as ipchains, the input, output and forward
chains need to be considered. The rule listed below only checks the ACK bit on the
inbound transmission, so you are correct in that aspect. Both rules I listed
below are for TCP only (input, output); you can do something very similar
with the UDP as well. As far as the parent proxy, someone else on the list
will have to field that question, as I am not strong in those areas.
James

>Thank you
>I have no problem with clients. The prob is with parent proxy - where can I
>find a description of cache-to-cache communication? I thought I only need to
>allow incoming connections on 3130 with the -y flag from it. Am I wrong?

>Miroslav

> -----Original Message-----
> From: Jim Selph [mailto:jselph@icanon.com]
> Sent: Wednesday, September 13, 2000 5:58 PM
> To: squid-users@ircache.net
> Subject: [SQU] fighting with parent cache and firewall
>
>
> Miroslav,
> Try this
> # check ACK bit on input; if not set, the packet is dropped by the default rule
> /sbin/ipchains -A input -i eth0 -p tcp ! -y -s $ANY 3128 -d $YOU $UNPRIVPORT -j ACCEPT
> /sbin/ipchains -A output -i eth0 -p tcp -s $YOU $UNPRIVPORT -d $ANY 3128 -j ACCEPT
>
> YOU = your IP
> UNPRIVPORT = a range of ports you find acceptable, i.e. 1024:30000
> ANY = an IP address of your choice; could be 0.0.0.0/0
> eth0 or eth1: use your interface to the outside here
>
> hope this helps
>
> James
>
>
> >Hi!
> >Added
>
> ># let parent connect using ICP
> >/sbin/ipchains -A input -p UDP --dport 3130 -s <parent ip> -j ACCEPT
> ># let parent connect using HTTP
> >/sbin/ipchains -A input -p TCP --dport 3128 -s <parent ip> -j ACCEPT
>
> >but still have probs communicating with the parent
>
> >Any ideas please?
>
> >Thx
>
> >Miroslav
>
>
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html

James Selph
ICANON Associates, Inc.
610.313.1850
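The discussion above turns on what the ipchains `-y` flag does: it matches TCP packets with SYN set and ACK/FIN clear, i.e. connection-opening packets, so `! -y` on the input chain admits the parent's replies on port 3128 while refusing any attempt from outside to open a connection to one of the unprivileged ports. The following Python simulation of that stateless filter is an added example written for this archive page; it is not code from the thread or from Squid, and the addresses, port range and sample packets are constructed for illustration. It models the two TCP rules from James's first reply plus Miroslav's UDP 3130 (ICP) rule, with a deny-by-default policy.

```python
"""Simulate a stateless ipchains-style filter for the Squid parent-cache rules.

Constructed values (assumptions, not from the thread):
  PARENT = the parent cache's address, YOU = the local cache's address,
  UNPRIV = the unprivileged port range the reply rule allows.
"""
from dataclasses import dataclass

PARENT = "192.0.2.10"      # constructed parent-proxy address
YOU = "198.51.100.5"       # constructed address of our own cache ($YOU)
UNPRIV = (1024, 30000)     # $UNPRIVPORT range from the thread
DEFAULT_POLICY = "DENY"    # the thread relies on a deny-by-default chain


@dataclass(frozen=True)
class Packet:
    chain: str   # "input" or "output"
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_syn_only(p: Packet) -> bool:
    """ipchains -y: TCP with SYN set and ACK clear (a connection request)."""
    return p.proto == "tcp" and p.syn and not p.ack


def in_unpriv(port: int) -> bool:
    return UNPRIV[0] <= port <= UNPRIV[1]


# Ordered rule list: (name, match predicate, target). First match wins.
RULES = [
    # Miroslav's rule: let the parent send ICP queries/replies on UDP 3130.
    ("icp-from-parent",
     lambda p: p.chain == "input" and p.proto == "udp"
     and p.src == PARENT and p.dport == 3130, "ACCEPT"),
    # James's input rule: replies from port 3128 to our unprivileged ports,
    # but only if the packet is NOT a bare SYN (the "! -y" check).
    ("http-reply-from-parent",
     lambda p: p.chain == "input" and p.proto == "tcp" and p.sport == 3128
     and p.dst == YOU and in_unpriv(p.dport) and not is_syn_only(p), "ACCEPT"),
    # James's output rule: our cache opening/continuing a connection to 3128.
    ("http-to-parent",
     lambda p: p.chain == "output" and p.proto == "tcp" and p.src == YOU
     and in_unpriv(p.sport) and p.dport == 3128, "ACCEPT"),
]


def filter_packet(p: Packet) -> tuple:
    """Return (decision, matching rule name) for one packet."""
    for name, match, target in RULES:
        if match(p):
            return target, name
    return DEFAULT_POLICY, "default-policy"


def walk_parent_exchange() -> dict:
    """Run a constructed set of packets through the filter and collect verdicts."""
    samples = {
        # Our cache opens a connection to the parent's HTTP port.
        "our SYN to parent:3128": Packet("output", "tcp", YOU, 1500, PARENT, 3128, syn=True),
        # The parent's SYN-ACK comes back: ACK is set, so "! -y" lets it in.
        "parent SYN-ACK reply": Packet("input", "tcp", PARENT, 3128, YOU, 1500, syn=True, ack=True),
        # A bare SYN arriving from port 3128 is a new inbound connection attempt.
        "inbound bare SYN from 3128": Packet("input", "tcp", PARENT, 3128, YOU, 1500, syn=True),
        # ICP traffic from the parent on UDP 3130.
        "ICP from parent": Packet("input", "udp", PARENT, 3130, YOU, 3130),
        # ICP from an unrelated host falls through to the default policy.
        "ICP from stranger": Packet("input", "udp", "203.0.113.9", 3130, YOU, 3130),
    }
    return {label: filter_packet(pkt)[0] for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, verdict in walk_parent_exchange().items():
        print(f"{label:28s} -> {verdict}")
```

The third sample is the point of the `! -y` check: a packet from source port 3128 that carries only SYN is a connection being opened toward one of the unprivileged ports, and the stateless filter has no other way to tell it apart from a legitimate reply. Note that the input-chain rules alone never cover the local cache's own ICP queries going out, so a matching output rule for UDP 3130 is still needed, as James's closing remark about UDP suggests.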

Received on Thu Sep 14 2000 - 07:27:10 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:18 MST