Re: [squid-users] Transparent Proxy - Ethernet in promiscuous mode?

From: Anjali Kulkarni <anjali@dont-contact.us>
Date: Sat, 26 May 2001 03:41:23 +0100

> You MUST route the packet to the interception host to ensure that the
> packet can terminate there properly, and you MUST use TCP/IP interception
> on that host to redirect the traffic to the proxy application (else the
> host will simply route the packet back as it is not addressed to him).

Right, I agree, I was wondering if I have to do additional configuration at
a lower layer (ethernet) in addition to the TCP interception (using ipfw),
because there is no router in my network and hence no proper routing is
taking place.

> From what you describe it sounds like B is the router connecting your two
> networks (two hubs, one connecting A<->B, one connecting B<->C). In such
> case A can only reach C by routing the traffic via B. If so then
> everything is set for playing with packet interception capabilities of B
> to have web traffic from A to C redirected to the proxy.

Please correct me if I am wrong - I was under the impression that A will use
a default gateway to send all its packets to, ie it does no routing at all,
simply sends out on the interface which leads to the gateway, which would
then do the routing. Since I have no gateway (router) in my n/w (at least for
now), how would TCP/IP of A do the routing? Is it that A's routing tables
(does it have any??) are automatically (by default) set to do minimalistic
routing? I mean what if A had 2 interfaces, one going to B, another going to
another client m/c, say D? Then, I would HAVE to install a router at A; OR
when A does ARP to find C's MAC address, have B respond with its own
MAC (proxy ARP)?? However, since my n/w is so simple, it will work without
above modifications..???
(What you say about promiscuous mode makes perfect sense to me)

Thanks,
Anjali

> Note: Promiscuous mode is NOT related to routing.
>
> --
> Henrik Nordstrom
>
>
> Anjali Kulkarni wrote:
> >
> > Hi Henrik,
> > Thanks a lot for your reply. But suppose there is a simple set up where
> > there are only 3 m/cs on the n/w, without any connection to the internet.
> > The m/c with squid proxy is in center (B), and it is connected by a hub, one
> > on each side, to the other 2 m/cs (A &B).
> > So, A--(hub)--B--(hub)--C
> > If a packet at A, is addressed to C (IP address), then it will be seen by B,
> > but will terminate there only when (I guess), either:-
> > I set up a router at A, routing all packets to (via) B, or
> > I set A's IP forwarding rules to forward all its packets to B??
> > Is that right or is there any other way? I think the first way would take a
> > lot of time and expertise, right?:)
> > Thanks,
> > Anjali
> >
> > ----- Original Message -----
> > From: Henrik Nordstrom <hno@hem.passagen.se>
> > To: Anjali Kulkarni <anjali@indranetworks.com>
> > Cc: <squid-users@squid-cache.org>
> > Sent: Friday, May 25, 2001 10:37 AM
> > Subject: Re: [squid-users] Transparent Proxy - Ethernet in promiscuous mode?
> >
> > > The packets must be ROUTED via the intercepting host. If the host is not
> > > in the direct path (i.e. a router in the path), then you must redirect
> > > the traffic at a close by router.
> > >
> > > It is not only the matter of seeing the packet, the packet must also
> > > terminate there.
> > >
> > > --
> > > Henrik Nordstrom
> > > Squid Hacker
> > >
> > > Anjali Kulkarni wrote:
> > > >
> > > > Hi,
> > > > I want to set up a transparent proxy on my m/c, on FreeBSD 4.0. I have
> > > > read all the related documents and have one doubt, before I start. Do
> > > > we need to set the ethernet in promiscuous mode to make sure that it
> > > > intercepts all packets that arrive at its interface? IPFilter rules
> > > > in FreeBSD will work in the IP layer ie check for IP address; however,
> > > > unless the ethernet card is in promiscuous mode, or it uses ARP to
> > > > intercept packets not addressed to its own IP address (by supplying
> > > > its own MAC address during ARP), I don't see how it will work?
> > > > Thanks,
> > > > Anjali
> > >
>
Received on Sat May 26 2001 - 04:09:19 MDT
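The routing and interception behaviour discussed in this thread, as an added example that is not part of the original mailing-list post: a small Python model of the A--(hub)--B--(hub)--C setup. The 10.0.x.x subnets, the MAC addresses, the interface names ep0/ep1 and the squid listen address 127.0.0.1:3128 are all assumptions chosen for the example, and `receive` is a simplified model of a host's IP input path, not FreeBSD's actual ipfw or IPFilter code. It shows three things. A with only its directly connected route has no route to C at all; with a default route via B it ARPs for B, so the frame lands on B's NIC with no promiscuous mode involved; and if A instead believed C to be on-link, a proxy ARP entry published by B would get the frame to B's MAC just the same. On B, a packet for C is either intercepted by a port-80 forward rule (the model of `ipfw add fwd 127.0.0.1,3128 tcp from any to any 80 in`) or, absent such a rule, simply routed on to C, which is what the "route the packet back" remark above refers to.

```python
"""Toy model of the A--(hub)--B--(hub)--C setup from the thread.
All addresses, MACs, interface names and the squid port are constructed
for this example; the forwarding logic is a simplification, not FreeBSD's."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # None means directly connected (on-link)
    iface: str


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over a host's routing table."""
    d = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """What A's IP layer does before sending: pick the IP it must ARP for.
    On-link route: ARP for the destination itself. Gateway route: ARP for
    the gateway. No matching route: the send fails (no route to host)."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return r.gateway or dst


def arp_resolve(owners: Dict[str, str], published: Dict[str, str], ip: str) -> Optional[str]:
    """Who answers an ARP request on a hub: the real owner of the IP, or a
    host that has published the address (proxy ARP, as with 'arp -s ... pub')."""
    if ip in owners:
        return owners[ip]
    return published.get(ip)


@dataclass
class Host:
    name: str
    addrs: set
    mac: str
    forwarding: bool = False
    fwd_rules: List[Tuple[str, int, Tuple[str, int]]] = field(default_factory=list)
    routes: List[Route] = field(default_factory=list)


def receive(h: Host, frame_dst_mac: str, dst_ip: str, proto: str, dport: int) -> str:
    """What B does with a frame it sees on the hub (simplified input path)."""
    if frame_dst_mac != h.mac:
        return "ignored: frame not addressed to our MAC"
    if dst_ip in h.addrs:
        return "delivered locally"
    # Not ours at the IP layer: an interception rule is consulted first
    # (model of 'ipfw add fwd 127.0.0.1,3128 tcp from any to any 80 in').
    for rproto, rport, target in h.fwd_rules:
        if proto == rproto and dport == rport:
            return f"intercepted: handed to {target[0]}:{target[1]}"
    if not h.forwarding:
        return "dropped: not ours and forwarding disabled"
    r = lookup(h.routes, dst_ip)
    return f"forwarded out {r.iface}" if r else "dropped: no route"


# --- constructed topology: A--(hub1)--B--(hub2)--C ---
NET1 = ipaddress.ip_network("10.0.1.0/24")   # hub1 (assumed)
NET2 = ipaddress.ip_network("10.0.2.0/24")   # hub2 (assumed)
A_IP, B_IP1, B_IP2, C_IP = "10.0.1.2", "10.0.1.1", "10.0.2.1", "10.0.2.2"
A_MAC, B_MAC = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
SQUID = ("127.0.0.1", 3128)                   # assumed squid listen address on B

HUB1_OWNERS = {A_IP: A_MAC, B_IP1: B_MAC}     # C is not on hub1, nobody answers for it

B = Host("B", {B_IP1, B_IP2}, B_MAC, forwarding=True,
         fwd_rules=[("tcp", 80, SQUID)],
         routes=[Route(NET1, None, "ep0"), Route(NET2, None, "ep1")])


def a_without_gateway() -> Optional[str]:
    """A knows only its own subnet: C is unreachable."""
    return next_hop([Route(NET1, None, "ep0")], C_IP)


def a_with_default_route() -> Optional[str]:
    """A has a default route via B: it ARPs for B, not for C."""
    routes = [Route(NET1, None, "ep0"), Route(ipaddress.ip_network("0.0.0.0/0"), B_IP1, "ep0")]
    return next_hop(routes, C_IP)


def a_with_proxy_arp() -> Optional[str]:
    """A believes C is on-link (a /16 spanning both hubs) and ARPs for C itself;
    B has published C's address, so the frame still goes to B's MAC."""
    hop = next_hop([Route(ipaddress.ip_network("10.0.0.0/16"), None, "ep0")], C_IP)
    return arp_resolve(HUB1_OWNERS, {C_IP: B_MAC}, hop)


if __name__ == "__main__":
    print("A, no gateway:         ", a_without_gateway())
    print("A, default route via B:", a_with_default_route())
    print("A, proxy ARP from B:   ", a_with_proxy_arp())
    print("B gets web packet:     ", receive(B, B_MAC, C_IP, "tcp", 80))
    print("B gets ssh packet:     ", receive(B, B_MAC, C_IP, "tcp", 22))
```

Running the file prints the decision each host makes; the point to take from it is that the frame reaches B's NIC because of A's route (or B's proxy ARP answer), and that what happens next is decided entirely by B's IP layer: a forward rule diverts port 80 to the proxy, anything else is routed on to C.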
