Hi Marius,
Checkpoint FW-1 is a stateful packet inspection device, and as such, will not proxy your connection.
You could, however, NAT the proxy behind the common external interface of the FW-1 (internet facing) and then remove the cache_peer rule, as the squid
could then directly go and fetch the content instead of asking the firewall to proxy it like before. The FW-1 will then be configured to only allow
the squid to access the internet (and maybe one or two other direct access users).
I also assume that the cache_peer rule was to force the squid to use the Gauntlet as the peer proxy?
I hope this helps. Please feel free to ask further questions regarding this.
John
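The squid.conf change John's reply implies, shown as an added illustration that is not part of either message in this thread: the cache_peer line is the one Marius quoted, while the never_direct line is an assumption about how the Gauntlet-era setup forced every request through the parent (without it Squid falls back to fetching directly). The FW-1 policy itself lives in the Checkpoint management console and is not shown; the localnet range is a constructed placeholder.

```conf
# Before (Gauntlet era): Squid hands every request to the Gauntlet proxy as a
# parent and the firewall does the fetch. Remove both lines when moving
# behind the FW-1, since a stateful packet filter cannot act as that parent.
#   cache_peer 10.0.8.2 parent 80 0 no-query default
#   never_direct allow all

# After (FW-1 era): no parent peer. Squid fetches from origin servers itself;
# the FW-1 only needs a stateful rule permitting the Squid host (NATed to the
# external address) outbound on the web ports, and nothing else on the inside.
always_direct allow all

# Mirror that firewall rule on the proxy: only the internal network may use
# Squid, so the single permitted outbound host is not an open relay.
acl localnet src 10.0.0.0/8        # constructed example range; substitute the real internal subnets
http_access allow localnet
http_access deny all
```

After editing, `squid -k reconfigure` reloads the configuration without dropping the existing client sessions.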
-----Original Message-----
From: Marius Etsebeth [mailto:metsebeth@gov.bw]
Sent: 30 July 2002 02:04
To: squid-users@squid-cache.org
Cc: hno@marasystems.com; joe@swelltech.com
Subject: [squid-users] Squid / Firewall-1 question
Hi people,
I have configured a single Squid box to authenticate roughly 6500 users
inside a Gauntlet firewall and it works like a charm.
We are however migrating to a new Checkpoint FW-1. The consultant of the
co. installing the Checkpoint told me that I cannot use the cache peer
setting below, as it causes problems with the Checkpoint FW. (Strange,
as Gauntlet is quite happy with it.)
(Note: IP address changed to protect the innocent :)
cache_peer 10.0.8.2 parent 80 0 no-query default
Is this true? Will I be able to use a single cache inside the Checkpoint
firewall or would I need a second (parent) server outside the firewall?
And why can't I use this rule?
Any / all help is appreciated (once again).
Marius Etsebeth
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:24 MST