[squid-users] Port range per client

From: Abu Khaled <khaled.abu@dont-contact.us>
Date: Thu, 2 Jun 2005 06:25:53 +0300

Greetings...

I am going to test an OpenBSD server with Squid tcp_outgoing_address
and NAT. However I have to wait since the test server is already
running other tests.

While I was planning to do this I asked myself if it was possible to
assign each client that connects to Squid a port range for the
outgoing request.

With tcp_outgoing_address set to private IPs I had first to create
these private IPs as aliases for Squid to bind the outgoing requests
on, then static NAT to the client IPs. Without the aliases Squid just
returns a socket error message. (This happened on my current test
server using FreeBSD and IPFILTER/IPNAT).

Just a crazy thought but if Squid would allow me to assign for each
client IP a source port range that Squid uses to query the destination,
then I would just need to policy NAT Squid's port range for each
client.

Oh man my English ain't that good so I'll just explain using "computer English"
client 10.0.0.1 connects to squid (never mind the private IP it's just
an example).
squid.conf has
header_access Via deny all
header_access X-Forwarded-For deny all

Squid ACL assigns for this client an outgoing "source" port range (e.g.
2100-2199).
Using this port range we NAT Squid's IP to the client IP
<ipfilter/ipnat>
bimap $ext_if from $squid_ip port 2100><2199 to 0.0.0.0/0 port = 80 -> $client_ip

Oh well... Just wanted to share this crazy idea with you guys so read
it and think, laugh or reply.

PS: I have always used FreeBSD with IPFW so please excuse my lack of
knowledge regarding IPFILTER/IPNAT and OpenBSD PF. Just trying to
learn things the hard way.

-- 
Kind regards
Abu Khaled
Received on Wed Jun 01 2005 - 21:27:04 MDT
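
The per-client source port selection described in the message, as an added sketch that is not part of the original post and is not Squid code. The table, the second client and the function names are hypothetical; only 10.0.0.1 and the 2100-2199 range come from the post.

```python
import errno
import ipaddress
import socket

# Constructed table (hypothetical): client address -> inclusive source port range.
PORT_RANGES = {
    "10.0.0.1": (2100, 2199),   # the range used in the post
    "10.0.0.2": (2200, 2299),   # constructed second client
}

def validate_ranges(table):
    """Reject bad addresses, privileged ports and overlapping ranges.

    An overlap would let a port-based NAT rule rewrite one client's
    traffic to another client's address.
    """
    spans = []
    for ip, (low, high) in table.items():
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if not 1024 <= low <= high <= 65535:
            raise ValueError(f"bad range for {ip}: {low}-{high}")
        spans.append((low, high, ip))
    spans.sort()
    for (_, high, a), (low, _, b) in zip(spans, spans[1:]):
        if low <= high:
            raise ValueError(f"ranges for {a} and {b} overlap")

def connect_for_client(client_ip, dest, bind_ip="0.0.0.0"):
    """Open a TCP connection to dest from a source port in the client's range."""
    if client_ip not in PORT_RANGES:
        raise LookupError(f"no port range configured for {client_ip}")
    low, high = PORT_RANGES[client_ip]
    for port in range(low, high + 1):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind((bind_ip, port))   # pin the source port before connecting
            sock.connect(dest)
            return sock
        except OSError as exc:
            sock.close()
            # Port already taken: try the next one. Anything else is a real failure.
            if exc.errno != errno.EADDRINUSE:
                raise
    raise OSError(errno.EADDRINUSE, f"range {low}-{high} exhausted for {client_ip}")

validate_ranges(PORT_RANGES)
```

Each range caps the number of simultaneous outgoing connections for that client, here 100, so a busy client exhausts its range and gets an error rather than borrowing a port from a neighbour's range.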
