Re: [squid-users] Proper use of the tcp_outgoing_address tag on a multi homed OpenBSD3.1 host

From: Sam Stern <samstern@dont-contact.us>
Date: Sat, 04 Jan 2003 11:06:14 -0500

Henrik Nordstrom wrote:
> Sam Stern wrote:
>
>
>>Here is an example tag line:
>>
>>acl external_2 src 1.1.1.2/255.255.255.255
>>tcp_outgoing_address 192.168.0.60 external_2
>>
>>This line SHOULD render external traffic from 192.168.0.60 as 1.1.1.2
>
>
> The above tells Squid that it should use 192.168.0.60 as IP address if
> the request came from a client with IP address 1.1.1.2.
>
> The address on the tcp_outgoing_address is the address Squid should use.
>
> The acl's listed (if any) is the conditions that must be fulfilled for
> this IP address to be used.
>
> The first matching tcp_outgoing_address is used.
>
> Regards
> Henrik

Hi Henrik,

Thanks for your note. You are correct -- I had the tag order reversed.
It's a real pity that Emacs twiddle mode does not work for these
instances :>

For those searching the archives, the correct tag order was:

# Map 192.168.0.60 to external 1.1.1.2
acl internal_60 src 192.168.0.60/255.255.255.255
tcp_outgoing_address 1.1.1.2 internal_60
# Default Map to 1.1.1.3
tcp_outgoing_address 1.1.1.3

Also for the archives, I've received two requests for an easy way to
verify one's external appearing IP and to test that there is indeed some
form of TCP/IP separation occurring. You may use your favorite external
security scanner site to verify one's external IP and to scan your
apparent IP (only if you have permission from the network owner, etc,
IANL, blah blah)

Here are the three scanners I use and replied to the questions with:

Basic Scan:
Shield's UP!
https://grc.com/x/ne.dll?bh0bkyd2
NB: Main site is http://www.grc.com
Clicking either site reveals one's IP.

DSL Reports Slow Scanner
http://www.dslreports.com/secureme_go
press the "My Public IP is" Button for your external IP.

Advanced Scanner:
http://www.pcflank.com
NB: It now appears down, try again later

Please note that none of these scans replace a good security policy nor
individual audits. Also, they will not stop such problems as revealed in
the current thread about "Gotomypc.com" (Using HTTP tunneled services
bypasses TCP separation schemes).

Thanks for your time!

Sam Stern
Glen Burnie, MD, USA
Received on Sat Jan 04 2003 - 09:06:32 MST
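The first-match rule Henrik describes, as an added example that is not part of the thread or of Squid itself: a small Python checker that parses `acl ... src` and `tcp_outgoing_address` lines and reports which outgoing address would be selected for a given client. It assumes only `src` ACLs, which is all the posted configuration uses; the two config fragments are copied from the messages above.

```python
import ipaddress

# Corrected order from Sam's follow-up: client 192.168.0.60 leaves as 1.1.1.2,
# everything else falls through to the ACL-less default line (1.1.1.3).
CORRECT_CONFIG = """
# Map 192.168.0.60 to external 1.1.1.2
acl internal_60 src 192.168.0.60/255.255.255.255
tcp_outgoing_address 1.1.1.2 internal_60
# Default Map to 1.1.1.3
tcp_outgoing_address 1.1.1.3
"""

# The original (reversed) fragment: it only applies when the *client* is 1.1.1.2.
REVERSED_CONFIG = """
acl external_2 src 1.1.1.2/255.255.255.255
tcp_outgoing_address 192.168.0.60 external_2
"""

def parse_squid_config(text):
    """Collect 'acl NAME src NET...' lines and 'tcp_outgoing_address ADDR [ACL...]'
    lines, keeping the latter in file order because order decides the match."""
    acls, outgoing = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            # Squid accepts dotted netmasks as well as prefix lengths; so does ipaddress.
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] == "tcp_outgoing_address" and len(parts) >= 2:
            outgoing.append((parts[1], parts[2:]))
    return acls, outgoing

def select_outgoing_address(client_ip, text):
    """Return the address of the first tcp_outgoing_address line whose ACLs all
    match the client's source IP; a line with no ACLs matches every client.
    Returns None when no line applies (no default line was given)."""
    acls, outgoing = parse_squid_config(text)
    client = ipaddress.ip_address(client_ip)
    for addr, names in outgoing:
        for name in names:
            if name not in acls:
                raise ValueError("undefined acl %r referenced" % name)
        if all(any(client in net for net in acls[n]) for n in names):
            return addr
    return None

if __name__ == "__main__":
    for cfg in (CORRECT_CONFIG, REVERSED_CONFIG):
        print(select_outgoing_address("192.168.0.60", cfg))
```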
