Re: [squid-users] Multihomed Squid Box

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 4 Nov 2003 09:56:21 +0100 (CET)

On Tue, 4 Nov 2003, Andrew wrote:

> I am running Squid on FreeBSD with two NICs.
> Lets say for example, NIC1 = 1.1.1.1 and NIC2 = 2.2.2.1.
> And my default gateway is 1.1.1.2 (the gateway (router) also has an IP
> address of 2.2.2.2 but we use 1.1.1.2 as the gateway)
> I have bound Squid to the 2.2.2.1 IP address.

Hmm.. I don't quite get your setup here... what does your physical network
look like?

> When Squid goes and requests something from the internet, how can I be
> sure that it will ONLY be received/downloaded by NIC2? Does the binding
> affect this? Or is this a kernel thing (I would need to run BGP or
> something?)

This is a routing and access control question. There are two ways to
approach your question:

a) If your network is private and without routing to the Internet, make
Squid always use an Internet address (tcp_outgoing_address). As a
sub-option of this alternative (when the internal network has routing to
the Internet) use policy routing and/or firewalling to make sure this
Internet address is not allowed to talk to your internal network.

b) Access controls in Squid, denying any requests with destination in the
internal networks, best done using dst type ACL.
  
  [insert somewhere before your first custom http_access allow rule]

  # Deny any attempts to access our internal networks via the proxy
  acl to_internal_net dst 192.168.1.0/24 ...
  http_access deny to_internal_net

My advice is to use approach 'b'. It is tricky to get 'a' correct, and
often the conditions which uphold the restriction in 'a' change over time,
often invalidating the setup and suddenly allowing the proxy to reach
internal resources when other components in the network change.

Regards
Henrik
Received on Tue Nov 04 2003 - 01:56:41 MST
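As an added example (not part of the thread or of Squid itself), a small Python model of Squid's first-match `http_access` evaluation for `src`/`dst` ACLs, showing why the deny rule for internal networks must sit before the first custom allow rule. The config fragments and addresses are constructed for the demonstration.

```python
import ipaddress

# Constructed sample configs. GOOD_CONF places the deny before the first
# custom allow, as advised; BAD_CONF has the same lines in the wrong order.
GOOD_CONF = """
acl all src 0.0.0.0/0
acl localnet src 2.2.2.0/24
# Deny any attempts to access our internal networks via the proxy
acl to_internal_net dst 192.168.1.0/24 10.0.0.0/8
http_access deny to_internal_net
http_access allow localnet
http_access deny all
"""
BAD_CONF = GOOD_CONF.replace(
    "http_access deny to_internal_net\nhttp_access allow localnet",
    "http_access allow localnet\nhttp_access deny to_internal_net")

def parse(conf):
    """Collect src/dst ACL networks and the ordered http_access lines."""
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split("#")[0].split()
        if not parts:
            continue
        if parts[0] == "acl" and parts[2] in ("src", "dst"):
            nets = acls.setdefault(parts[1], (parts[2], []))[1]
            nets.extend(ipaddress.ip_network(n, strict=False) for n in parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules

def acl_matches(acls, name, src, dst):
    kind, nets = acls[name]
    addr = ipaddress.ip_address(src if kind == "src" else dst)
    return any(addr in n for n in nets)

def http_access(conf, src, dst):
    """True if a request from src to dst is allowed (first matching line wins).
    Every ACL on a line must match; '!' negates one ACL. If nothing matches,
    Squid applies the opposite of the last line's action."""
    acls, rules = parse(conf)
    for allow, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), src, dst) != t.startswith("!")
               for t in terms):
            return allow
    return not rules[-1][0] if rules else False
```

Running both configs against a client on the proxy's LAN shows the misordered version letting the proxy reach 192.168.1.0/24, which is exactly the drift the reply warns about.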
