[squid-users] Re: Fw: Identify session established between internal and external links

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 10 Dec 2004 10:06:56 +0100 (CET)

You need to extend the log format to have access to the client port
number. Not available by default. Not sure how easy this is as the client
port is not something Squid cares very much about.

You can get some information regarding the current requests by running
"squidclient mgr:filedescriptors", but it is not so easy.

Regards
Henrik

On Fri, 10 Dec 2004, Andy Low wrote:

> Hi Henrik,
>
> Are you able to assist in my problem below?
>
> Many thanks in advance,
>
> Andy
>
> ----- Original Message -----
> From: "Andy Low" <andy@bgp5.net>
> To: <squid-users@squid-cache.org>
> Sent: Thursday, December 09, 2004 12:02 PM
> Subject: Help: Identify session established between internal and external
> links
>
>
>> Dear all,
>>
>> I have 2 interface cards on my Proxy server.
>>
>> Traffic from internal will redirect out to the external interface.
>>
>> Does anyone know how to identify which session for the incoming traffic is
>> mapped to the outgoing session on the proxy? My incoming
>> traffic is PAT (Port Address Translated); the access.log is not helpful as
>> it only provides the "same" source IP address (without the ports).
>>
>> I couldn't tell from the "netstat -na" command either, as it just gives me a
>> list of addresses and ports established.
>>
>> Thank you,
>>
>> Andy
>>
>>
>> ----- Original Message -----
>> From: "Andy Low" <andy@bgp5.net>
>> To: "Alberto Sierra" <albertux@gmail.com>
>> Cc: <squid-users@squid-cache.org>
>> Sent: Wednesday, December 08, 2004 9:30 AM
>> Subject: [squid-users] Tough: NAT port translation
>>
>>
>>> Hi Alberto,
>>>
>>> Thank you for your suggestion.
>>>
>>> For your information, I have 2 different Internet connections. One for
>>> surfing and the second, dedicated one is for other purposes (like SMTP, FTP
>>> etc).
>>>
>>> The surfing link is connected via Squid while the dedicated Internet link
>>> is connected through the FW's other interface (the default gateway is
>>> configured via this link). If I were to use what you proposed, I would have
>>> difficulty redirecting the traffic properly at the FW; the FW cannot perform
>>> source routing and cannot redirect which traffic is for surfing (HTTP/HTTPS)
>>> or which traffic is for (FTP, SMTP).
>>>
>>> By placing Squid on the external side of the FW, I can redirect traffic to
>>> Squid based on the user's web client proxy settings. I also can redirect
>>> traffic to the other link for applications which cannot support a proxy (as
>>> well as using the dedicated link).
>>>
>>> Back to my previous question, does anyone know how to identify which
>>> session for the incoming traffic is mapped to the outgoing session on the
>>> proxy? My incoming traffic is PAT (Port Address Translated); the access.log
>>> is not helpful as it only provides the "same" source IP address (without
>>> the ports).
>>>
>>> Thanks,
>>>
>>> Andy
>>>
>>> ----- Original Message -----
>>> From: "Alberto Sierra" <albertux@gmail.com>
>>> To: "Andy Low" <andy@bgp5.net>
>>> Sent: Wednesday, December 08, 2004 1:29 AM
>>> Subject: Re: [squid-users] NAT port translation
>>>
>>>
>>>> Hi Andy, I'm pretty confused with your setup, because it is pretty hard to
>>>> identify PAT translation slots even from the firewall itself, but
>>>> what I'd like to ask you, from a security point of view, and for your
>>>> mental health too, is why don't you move the Squid inside the "trusted"
>>>> perimeter and have the requests from the Squid go PATed or NATed
>>>> through the firewall?? Then you'd kill two birds with one shot: you're
>>>> protecting your Squid cache, plus keeping track of what your users do.
>>>> Like this:
>>>>
>>>> localnet <---> squid <---> firewall <---> internet
>>>>
>>>> Alberto Sierra
>>>>
>>>>
>>>> On Mon, 6 Dec 2004 22:04:02 +0800, Andy Low <andy@bgp5.net> wrote:
>>>>> Hi,
>>>>>
>>>>> I have the following setup:
>>>>>
>>>>> Users <---> FW <---> Squid <---> Internet
>>>>>
>>>>> 1) The firewall (FW) interface facing Squid is configured with PAT.
>>>>> 2) Squid is listening on port 8080.
>>>>>
>>>>> When I execute "netstat -na" on Squid, I see a lot of sessions established
>>>>> from FW to Squid and Squid to Internet.
>>>>>
>>>>> May I know how to identify the actual session from FW to Internet. Take
>>>>> note my FW is doing a PAT.
>>>>>
>>>>> This is what appear in "netstat -na":
>>>>>
>>>>> Squid IP address facing FW -- 10.10.10.2
>>>>> FW IP address facing squid -- 10.10.10.1
>>>>> Squid External IP address facing Internet -- 10.10.20.1
>>>>> Internet IP address are public IPs
>>>>>
>>>>> Local Address -- Foreign Address
>>>>> 10.10.10.2:8080 -- 10.10.10.1:12312
>>>>> 10.10.10.2:8080 -- 10.10.10.1:22341
>>>>> 10.10.10.2:8080 -- 10.10.10.1:33810
>>>>> 10.10.10.2:8080 -- 10.10.10.1:33879
>>>>> ...
>>>>> 10.10.20.1:22091 -- InternetIP1:12312
>>>>> 10.10.20.1:22092 -- InternetIP2:22341
>>>>> 10.10.20.1:22093 -- InternetIP3:33810
>>>>> 10.10.20.1:22109 -- InternetIP4:33879
>>>>> ..
>>>>>
>>>>> My access.log access logs are not helpful; all I can see is only the FW IP
>>>>> address (10.10.10.1) (PAT).
>>>>> 1231231231.004 5678 10.10.10.1 TCP_MISS ......
>>>>> 1231231567.020 23 10.10.10.1 TCP_MISS ......
>>>>> 1231231688.027 69 10.10.10.1 TCP_MISS ......
>>>>> 1231231899.004 430 10.10.10.1 TCP_MISS ......
>>>>>
>>>>> Is there a way to find out how Squid translates internally, meaning the
>>>>> session from "10.10.10.1:22341" is the same session as "10.10.20.1:22092".
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Andy
>>>>>
>>>>>
>>>
>>
>
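Henrik's advice to extend the log format so the client port is recorded is what makes the correlation Andy asks for possible: once a single log line carries both the PAT-translated client tuple (10.10.10.1:port) and the local address and port Squid used on its external interface (10.10.20.1:port), the two halves of the netstat output can be joined. The script below is an added example, not code from this thread or from the Squid project. It assumes a squid.conf configuration such as `logformat portmap %ts.%03tu %>a %>p %<la %<lp %<a %<p %rm %ru` with `access_log /var/log/squid/portmap.log portmap` (the `logformat` directive and the `%>p`, `%<la` and `%<lp` codes belong to Squid releases later than the 2004 one discussed here; treating `%<la`/`%<lp` as the server-side local address and port is an assumption about Squid 3.2 and newer), and it parses constructed sample lines in that format.

```python
"""Map a PAT'd client session on Squid's FW-facing side to the outbound
session Squid opened on its Internet-facing side, using an extended
access log.  Added example; not Squid's own code.

Assumed squid.conf (hypothetical logformat name):
    logformat portmap %ts.%03tu %>a %>p %<la %<lp %<a %<p %rm %ru
    access_log /var/log/squid/portmap.log portmap
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample lines in the assumed format.  Addresses follow the
# thread (FW side 10.10.10.1, Squid external side 10.10.20.1); the public
# hosts are replaced by TEST-NET addresses.  The last line is a cache hit,
# for which Squid opened no server connection and logs "-" in the
# server-side local fields.
SAMPLE_LOG = """\
1102665600.004 10.10.10.1 12312 10.10.20.1 22091 192.0.2.10 80 GET http://www.example.com/
1102665601.020 10.10.10.1 22341 10.10.20.1 22092 192.0.2.11 80 GET http://www.example.net/
1102665602.027 10.10.10.1 33810 10.10.20.1 22093 192.0.2.12 443 CONNECT www.example.org:443
1102665603.004 10.10.10.1 33879 - - 192.0.2.13 80 GET http://www.example.com/cached
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<cip>\S+)\s+(?P<cport>\d+)\s+"
    r"(?P<lip>\S+)\s+(?P<lport>\S+)\s+(?P<sip>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)$"
)

Endpoint = Tuple[str, int]


@dataclass
class Mapping:
    client: Endpoint    # FW-side (PAT) source address and port  (%>a %>p)
    outbound: Endpoint  # local address/port on Squid's external side (%<la %<lp)
    server: Endpoint    # origin server address and port (%<a %<p)
    method: str
    url: str


def parse_line(line: str) -> Optional[Mapping]:
    """Parse one log line; return None for requests that needed no outbound
    connection (cache hits), which carry '-' in the server-side local fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable line: %r" % line)
    if m["lip"] == "-" or m["lport"] == "-":
        return None
    return Mapping(
        client=(m["cip"], int(m["cport"])),
        outbound=(m["lip"], int(m["lport"])),
        server=(m["sip"], int(m["sport"])),
        method=m["method"],
        url=m["url"],
    )


def build_index(log_text: str) -> Dict[Endpoint, Mapping]:
    """Index outbound (local ip, local port) -> Mapping, so a netstat row seen
    on the external interface can be traced back to the PAT'd client port."""
    index: Dict[Endpoint, Mapping] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        mapping = parse_line(line)
        if mapping is not None:
            index[mapping.outbound] = mapping
    return index


def client_for_outbound(index: Dict[Endpoint, Mapping],
                        local_ip: str, local_port: int) -> Optional[Endpoint]:
    """The thread's question: which FW-side session does the outbound session
    local_ip:local_port belong to?  Returns (ip, port) or None."""
    mapping = index.get((local_ip, local_port))
    return mapping.client if mapping else None


if __name__ == "__main__":
    idx = build_index(SAMPLE_LOG)
    for out, mp in sorted(idx.items()):
        print("%s:%d -> %s:%d  (%s %s)" % (mp.client[0], mp.client[1],
                                          out[0], out[1], mp.method, mp.url))
    print(client_for_outbound(idx, "10.10.20.1", 22092))  # ('10.10.10.1', 22341)
```

Two caveats when using a log like this against live netstat output: a cache hit produces no outbound connection at all, so it cannot appear in the external-side netstat list, and Squid reuses persistent server connections, so the same outbound local port can carry several client requests over time; in that case the timestamp, not just the port, decides which client request a given moment's session belongs to.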
Received on Fri Dec 10 2004 - 02:07:04 MST
