Re: [squid-users] WCCP, Squid, and that darn PIX

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 15 Jun 2001 08:24:49 +0200

Joe Cooper wrote:
>
> Oh, I thought his proxy was on the inside of the firewall...
>
> And I thought he mentioned that the outgoing requests were "spoofed"
> with the client's IP, but now looking back over the post, I see that the
> explanation does put the proxy outside the firewall...

I only commented on the statement that Squid does not do IP spoofing in
transparent proxy mode. It does of the origin server IP. You are however
entirely correct in that Squid does not spoof the client IP.

Exactly what triggers the spoofing detection rule in this case is not
very obvious. WCCP redirection should not unless the firewall has
support for inspecting WCCP GRE packets, and acts on the WCCP GRE
payload and not the WCCP GRE packet themselves.

However, sending WCCP GRE redirected packets from a router on the
outside to a proxy on the inside should not be allowed by the firewall
ruleset unless you first explicitly enable it somehow by opening a big
fat hole in the firewall, and if done the other way around (redirection
on the inside to a proxy on the outside) the firewall should not allow
client return traffic in because there is no TCP session established
yet.. so it is best to run the proxy on the same side of the firewall as
you do the redirection. From a security point of view prefarably on the
inside of the firewall as you may want to have some protection of your
proxy server from external attacks.

The origin server spoofing of a transparent proxy should normally not
trigger spoofing detection either, as this is usually done without
knowledge of the firewall:

- If the proxy is outside the firewall then it is no different than an
asymetric route (different uplink and downlink routes).

- If the proxy is inside then the firewall should not be able to even
smell that there is spoofing going on. But it might if you by some
strange reason route client return traffic via the firewall.

If it is detected when the proxy is outside the firewall it might be the
case that the firewall has a rule verifying MAC level routing in a weak
attempt in broadening the spoofing detection to detect attacks on the
same ethernet segment spoofing as some external service (i.e. verifying
that the source MAC matches the MAC where return packets would be
routed). However, this is a quite weak check as the spoofer may just as
well spoof the MAC, and it also is incompatible with asymetric routing.

--
Henrik Nordstrom
Squid Hacker
Received on Fri Jun 15 2001 - 00:25:00 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:00:45 MST