Re: [squid-users] squid proxy in a firewall Environment

From: Dr. Michael Weller <eowmob@dont-contact.us>
Date: Mon, 9 Jul 2001 14:40:16 +0200 (MESZ)

On Mon, 9 Jul 2001, Larsson, Carl wrote:

> Hi!
>
> I have installed a squid proxy server in my network and can't seem to get it
> to work. The server is installed between two LANs and the user is on a
> third. I have opened the http port in my firewall to the proxy server but
> nothing seems to happen on the squid server.
> I have also added an acl in the squid.conf file for the user LAN.
>
> It works to access the Internet from the squid server locally and to use it from
> the same LAN as it is installed on. But the purpose of this server is to have
> it behind a firewall to increase the security of the user LAN.
>
> This is a small map of the environment.
>
> Internet -> Lan1 ->Squid server -> Lan2 ->Firewall -> User LAN
>
> I have ensured in the firewall's log that the signals go through to the squid
> server.
>
> Does anyone have any ideas or hints to give me?

Hmm, difficult. Can you ping, telnet, etc. to the squid server from
the User LAN (provided the firewall is set up to allow that)? Actually,
for debugging I'd suggest you set up the firewall in a pass-through mode,
then add rules to locate the problem.

What you describe looks to me like two possible causes:

a) The clients in the User LAN are configured wrong and don't try to use
   the proxy at all.

b) As you think it is, the firewall is configured wrong and doesn't let
   the connection pass (at least not as you'd need it).

If a) and b) are checked (like you say), maybe:

c) How does the firewall deal with the User LAN connections? Does it do
   NAT/masquerading for them (which isn't strictly needed in your setup),
   and does it do that right?

   Or, if it doesn't do NAT/masquerading, you are well aware that you'd
   need a TCP route back to the User LAN through the firewall on the squid
   server, aren't you? Maybe this is the most likely cause actually.

   Connection attempts would remain in an embryonic state and not
   be signalled to squid in this case.

Michael.

--
Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de,
or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account on
any machine in the net, it's very likely it's me.
Received on Mon Jul 09 2001 - 06:40:25 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:03 MST
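Added example, not part of the thread: a small diagnostic for cause c) above, the missing return route. If the firewall forwards the client's SYN to the squid box but the squid box routes its SYN/ACK out the wrong interface, the connection sits in SYN_RECV (the "embryonic state" Michael mentions), accept() never returns and squid logs nothing. The script parses `ip route` and `netstat -tan` output from the squid server and reports whether replies to the user LAN would actually go back via the firewall's inner address, and which user-LAN peers are stuck in SYN_RECV on the proxy port. The addresses (squid on 10.2.0.5, firewall inner address 10.2.0.1, user LAN 172.16.9.0/24, port 3128) and the command output are constructed for illustration.

```python
# Added diagnostic for the case discussed in the thread: the firewall passes the
# client's SYN to the squid box, but the squid box has no route back to the user
# LAN, so the TCP handshake never completes and squid never sees the connection.
# Example code, not from the squid project. Addresses and command output below
# are constructed; on a real box feed it the output of `ip route` and `netstat -tan`.
import ipaddress


def parse_routes(route_text):
    """Parse `ip route` output into (network, gateway_or_None, device) tuples."""
    routes = []
    for line in route_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = parts[0]
        if dst == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dst if "/" in dst else dst + "/32", strict=False)
        gw = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, gw, dev))
    return routes


def route_for(routes, address):
    """Longest-prefix match: the route the kernel would pick for a reply to `address`."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def return_path_ok(routes, user_lan, firewall_inner):
    """True if replies to the user LAN leave via the firewall's inner address and the
    chosen route covers the whole user LAN (not just the sampled host)."""
    net = ipaddress.ip_network(user_lan)
    r = route_for(routes, str(next(net.hosts())))
    return r is not None and r[1] == firewall_inner and net.subnet_of(r[0])


def embryonic_connections(netstat_text, proxy_port, user_lan):
    """Return user-LAN peers whose connections to the proxy port sit in SYN_RECV.
    The SYN arrived, the SYN/ACK went out, but no ACK ever came back: the signature
    of a missing return route or broken NAT. Squid's accept() never fires for these."""
    net = ipaddress.ip_network(user_lan)
    stuck = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp" or parts[5] != "SYN_RECV":
            continue
        local_port = int(parts[3].rsplit(":", 1)[1])
        peer_ip = parts[4].rsplit(":", 1)[0]
        if local_port == proxy_port and ipaddress.ip_address(peer_ip) in net:
            stuck.append(parts[4])
    return stuck


def diagnose(route_text, netstat_text, user_lan, firewall_inner, proxy_port=3128):
    """Combine both checks into one report for the squid server."""
    routes = parse_routes(route_text)
    best = route_for(routes, str(next(ipaddress.ip_network(user_lan).hosts())))
    return {
        "reply_route": f"{best[0]} via {best[1]} dev {best[2]}" if best else "none",
        "return_path_ok": return_path_ok(routes, user_lan, firewall_inner),
        "embryonic": embryonic_connections(netstat_text, proxy_port, user_lan),
    }


# Constructed `ip route` output: only Lan1 (eth0, towards the Internet) and Lan2
# (eth1, towards the firewall) are known; replies to the user LAN follow the default.
ROUTES_BROKEN = """\
default via 10.1.0.1 dev eth0
10.1.0.0/24 dev eth0 proto kernel scope link src 10.1.0.5
10.2.0.0/24 dev eth1 proto kernel scope link src 10.2.0.5
"""
# Same table after `ip route add 172.16.9.0/24 via 10.2.0.1` on the squid box.
ROUTES_FIXED = ROUTES_BROKEN + "172.16.9.0/24 via 10.2.0.1 dev eth1\n"

# Constructed `netstat -tan` output: a Lan2 client works, user-LAN clients hang.
NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 10.2.0.5:3128           10.2.0.7:1029           ESTABLISHED
tcp        0      0 10.2.0.5:3128           172.16.9.23:1033        SYN_RECV
tcp        0      0 10.2.0.5:3128           172.16.9.40:1061        SYN_RECV
tcp        0      0 10.2.0.5:22             172.16.9.23:1034        SYN_RECV
"""

if __name__ == "__main__":
    for label, routes in (("before route", ROUTES_BROKEN), ("after route", ROUTES_FIXED)):
        print(label, diagnose(routes, NETSTAT, "172.16.9.0/24", "10.2.0.1"))
```

With the broken table the report shows the reply route as the default via 10.1.0.1 on eth0 (the Internet side), return_path_ok False and two user-LAN peers stuck in SYN_RECV on 3128; the connection on port 22 is ignored because it is not the proxy port. After the static route is added the return path check passes, and once the firewall lets the SYN/ACK back in, those entries move to ESTABLISHED and squid's access.log starts filling. If the firewall does NAT for the user LAN instead, the peers in netstat show the firewall's own address, and the route check against the user LAN prefix is then irrelevant.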