RE: [SQU] identd question

From: Robert Collins <robert.collins@dont-contact.us>
Date: Thu, 15 Feb 2001 11:35:37 +1100

Brad, please keep replies to the list (while they stay on topic...)

> -----Original Message-----
> From: Brad Waite [mailto:brad@ssbaptist.net]
> Sent: Thursday, 15 February 2001 11:36 AM
> To: Robert Collins
> Subject: Re: [SQU] identd question
>
>
> Robert,
>
> Thanks for the info. I understand what you're saying and thought that was
> what the FAQ was talking about. Until, that is, I tried it on one of my
> Win95 boxes with a freeware identd, which reported the user just fine, even
> though I was hitting identd from an entirely different machine. I guess I
> got what I paid for. Turns out my other FreeBSD boxen do the "right thing"
> and give an error when I give the two ports.
>
> Although that does make me curious why squid doesn't get any info from the
> Win95 boxes. Does it not even try when it's in interception mode?

I believe that is the case. If it did try, all your FreeBSD boxen would
report cracking attempts on every request.

I suggest using a .pac file for autoconfiguration on your Windows boxen,
and on Mozilla/Netscape on Unix. For the remaining browsers (lynx & links
on Unix?) you can usually configure the whole machine via settings in
/etc/. So the overhead will not be huge. There are sites with thousands
of machines configured with such techniques with very few problems - 50
will be no effort at all.

Rob
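An added example of the .pac approach suggested above (this is not squid's code and was not part of the original post). The proxy address proxy.example.org:3128 and the local domain .example.org are placeholders; put your own in. The two helper functions are normally supplied by the browser's PAC runtime; the fallbacks are defined only when they are missing, so the same file can be exercised under Node.js.

```javascript
// Added example, not from the squid project: a proxy auto-configuration
// (.pac) file that sends web traffic through squid and lets local hosts go
// direct. "proxy.example.org:3128" and ".example.org" are assumptions.
//
// A browser calls FindProxyForURL(url, host) for every request and obeys
// the returned string. isPlainHostName and dnsDomainIs come from the
// browser's PAC runtime; the versions below are installed only when they
// are absent (i.e. when this file is run under Node.js for testing).

var SQUID = "PROXY proxy.example.org:3128";   // assumption: the squid box
var INTERNAL_DOMAIN = ".example.org";          // assumption: hosts served locally

if (typeof isPlainHostName !== "function") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}
if (typeof dnsDomainIs !== "function") {
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Bare host names, loopback and the internal domain never need the proxy.
  if (isPlainHostName(host) || host === "127.0.0.1" ||
      dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }

  // Everything squid can serve goes through it, with no "; DIRECT" fallback:
  // if squid (and squidGuard behind it) is down, requests fail rather than
  // silently bypassing the filter.
  if (url.substring(0, 5) === "http:" ||
      url.substring(0, 6) === "https:" ||
      url.substring(0, 4) === "ftp:") {
    return SQUID;
  }

  // Schemes squid does not handle go direct.
  return "DIRECT";
}
```

Serve the file over HTTP from the firewall and point each browser's "automatic proxy configuration URL" at it. Appending "; DIRECT" to the SQUID string would make browsers fall back to a direct connection whenever the proxy is unreachable, which defeats the point of running squidGuard; leave it off unless you want that behaviour.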
 
> Robert Collins wrote:
> >
> > Intercepting proxy is the correct term for what is often called
> > transparent proxy. Transparent proxy is defined in RFC 2616 and is
> > short hand for "semantically transparent" - doesn't change the meaning
> > of the HTTP protocol exchanges.
> >
> > Ident looks up the owner of a TCP connection on your client machines by
> > a local port/remote port pair.
> >
> > ie if machine A has a connection from port 32012 to machine B port 80,
> > then machine B can ask machine A for the username belonging to
> > (32012,80). No one else can ask this, because that would be a
> > significant security hole.
> >
> > When you use an intercepting proxy C, the proxy is not listed in machine
> > A's list of connections - machine B is. Thus machine B will never answer
> > questions from proxy C.
> >
> > This issue has nothing to do with bound ports on the proxy server,
> > rather the violation of TCP/IP and HTTP protocol rules that is
> > occurring.
> >
> > Rob
> >
> > ----- Original Message -----
> > From: "Brad Waite" <brad@ssbaptist.net>
> > To: <squid-users@ircache.net>
> > Sent: Thursday, February 15, 2001 10:00 AM
> > Subject: [SQU] identd question
> >
> > > Hi all,
> > >
> > > I'm running squid and squidGuard on a FreeBSD firewall in transparent
> > > proxy mode. While ident lookups work when I'm running in non-xparent,
> > > they don't work otherwise. The FAQ (12.39 Why doesn't Squid make ident
> > > lookups in interception mode?) talks about interception mode, and I'm
> > > guessing it's referring to a transparent proxy. Am I correct in
> > > assuming this?
> > >
> > > If so, I'm not really sure why squid still can't do the identd
> > > lookups. Couldn't one define (in the conf file) the local port to bind
> > > to and a flag for transparent mode? Yeah it seems like a hack, but I'd
> > > rather not have to change 50 machines' proxy settings (and have to
> > > maintain 'em).
> > >
> > > Thanks,
> > >
> > > --
> > > Brad Waite brad@ssbaptist.net
> > > Media Director - South Sheridan Baptist Church
>
> --
> Brad Waite brad@ssbaptist.net
> Media Director - South Sheridan Baptist Church
>

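The port-pair lookup from Rob's quoted explanation, as an added example that is neither squid's code nor any real identd (it was not part of the thread). It simulates the RFC 1413 exchange in-process under Node.js: the client's connection table, the request line, a strict identd that answers only the connection's real peer, a permissive one that answers anyone, and the reply parsing a querier does. Addresses, ports and the user name are constructed sample data.

```javascript
// Added example (not squid's code nor any identd's): the ident exchange
// described above, simulated in-process so it runs with no network.
// Addresses, ports and the user name below are constructed.

// Connection table on the queried client, "machine A": its identd consults
// this to answer. A has one browser connection, to origin server B port 80.
const ADDR_B = "192.0.2.80";  // origin web server; the peer A knows about
const ADDR_C = "192.0.2.1";   // intercepting proxy; A has no connection to it
const CONNECTIONS_ON_A = [
  { localPort: 32012, remoteAddr: ADDR_B, remotePort: 80, user: "brad" },
];

// Request line: "<port-on-server> , <port-on-client>", where "server" is the
// host running identd (A) and "client" is the host asking (B, or C).
function buildIdentRequest(portOnServer, portOnClient) {
  return `${portOnServer}, ${portOnClient}\r\n`;
}

// Returns the two ports, or null when the line is malformed or out of range.
function parseIdentRequest(line) {
  const m = /^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$/.exec(line);
  if (m === null) return null;
  const ports = [Number(m[1]), Number(m[2])];
  if (ports.some((p) => p < 1 || p > 65535)) return null;
  return { portOnServer: ports[0], portOnClient: ports[1] };
}

// identd on A. querierAddr is the source address of the TCP connection that
// carried the query to A's port 113. A strict identd (the FreeBSD behaviour
// in the thread) reports a connection only to its other end; a permissive
// one (the Win95 freeware identd) tells anyone who knows the port pair.
function answerIdent(table, querierAddr, requestLine, strict) {
  const req = parseIdentRequest(requestLine);
  if (req === null) return "0, 0 : ERROR : INVALID-PORT\r\n";
  const pair = `${req.portOnServer}, ${req.portOnClient}`;
  const conn = table.find((c) =>
    c.localPort === req.portOnServer &&
    c.remotePort === req.portOnClient &&
    (!strict || c.remoteAddr === querierAddr));
  if (conn === undefined) return `${pair} : ERROR : NO-USER\r\n`;
  return `${pair} : USERID : UNIX : ${conn.user}\r\n`;
}

// Reply line: "<pair> : USERID : <opsys> : <user>" or "<pair> : ERROR : <type>".
function parseIdentReply(reply) {
  const f = reply.trim().split(":").map((s) => s.trim());
  if (f.length >= 4 && f[1] === "USERID") {
    return { type: "USERID", opsys: f[2], user: f.slice(3).join(":") };
  }
  return { type: "ERROR", error: f.length >= 3 ? f[2] : "UNKNOWN-ERROR" };
}

// One lookup as a querying host does it: connect to A:113, send the pair,
// read the reply. Returns the user name, or null when A refuses.
function identLookup(querierAddr, portOnA, portOnQuerier, strict) {
  const request = buildIdentRequest(portOnA, portOnQuerier);
  const reply = answerIdent(CONNECTIONS_ON_A, querierAddr, request, strict);
  const parsed = parseIdentReply(reply);
  return parsed.type === "USERID" ? parsed.user : null;
}

// B, the real peer, is answered; intercepting proxy C is not, which is why
// squid gets nothing in interception mode. Only a permissive identd lets C
// through, and that is the hole Rob refers to.
console.log("B asks (strict):     ", identLookup(ADDR_B, 32012, 80, true));
console.log("C asks (strict):     ", identLookup(ADDR_C, 32012, 80, true));
console.log("C asks (permissive): ", identLookup(ADDR_C, 32012, 80, false));
```

The strict check on the querier's address is the whole point: the proxy knows the port pair from the packets it intercepts, but it is not the address machine A has in its table for that connection, so a correct identd returns ERROR : NO-USER (and, as Rob notes, may log the query as an attempt to snoop someone else's connection).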
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Wed Feb 14 2001 - 17:44:06 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:01 MST