Re: [squid-users] Re: transparent (intercepting?) without wccp, options?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 04 Jul 2012 16:16:13 +1200

On 04.07.2012 15:54, Ezequiel Birman wrote:
>>>>>> "Eliezer" == Eliezer Croitoru <eliezer_at_ngtech.co.il> writes:
>
<snip>

> No problem, I've used bind before. Sorry to ask this on squid-users but
> did anyone try pdnsd (http://members.home.nl/p.a.rombouts/pdnsd/),
> pdns-recursor, dnsmasq (not sure if it caches/recurses), djbdns, dnrd,
> unbound, yadifa or others? I ask because maybe a full-blown DNS server
> is not needed this time.

I'm aware of people using dnsmasq, djbdns and pdnsd. Have not heard of
the others, thank you for the tidbits.

The resolver does not matter as long as it performs recursive DNS
properly. Both Squid and the client will be sending it DNS packets as
their interface.

>
> >>
> >> > using this setup you can test settings very easily on part of the
> >> > clients or test computer.
> >>
> >> > for network usage analysis you can use ntop, it also gives p2p and
> >> > other protocols detection.
> >>
> >> I am trying it right now, nice!
> >>
> >> > so the setup i propose is not from your list:
> >>
> >> > 5)
> >> > wan1---+--------+   +------------+
> >> >        | RV042  |---|squid\bridge|--switch-+--[lan clients]
> >> > wan2---+--------+   +------------+
> >>
> >> > - RV042 = LB and wan gateway.
> >> > - squid = bridge + NTOP + p2p block\throttling + http cache
> >>
> >> Thanks, I am giving it a try.
> >>
> >> I'll start by following
> >>
> >> http://wiki.squid-cache.org/ConfigExamples/Intercept/DebianWithRedirectorAndReporting
> >>
> > this is a good way to start but it won't be a transparent proxy but
> > a "nat" proxy but it can be good for your needs as anyway you have
> > nat in the RV042.
>
> Are you sure? The only mention of nat in it is to redirect port 80
> to 3128 on the squid box. This is the intro:

Yes. There are 4 protocol layers involved.
  ebtables - rules stop it being a bridge "transparent relay/proxy" and
make it routed traffic.
  iptables - rules use NAT (interception proxy) instead of TPROXY
(transparent proxy).
  squid - config file uses URL-rewriters to prevent Squid being an HTTP
protocol "transparent proxy" (HTTP definition of "transparent proxy" is
the Squid default behaviour).

There are a lot of people confused by the meaning of the word
"transparent". With good reason, it has been used out of context so
much.

>
> "This document (based on this article[1] with some updates and
> additions) explains how to put into production a Bridge device running a
> Squid interception web proxy on a Linux Debian 6 system. Since the proxy
> is performing transparent interception, LAN users are able to surf the
> web without having to set manually the proxy address in their browser.
>
> This document also details how to set up a few useful features such as
> web filtering (via Squirm) and usage monitoring (via SARG).
>
> First of all, you need a Linux box with two network interfaces that
> we'll set up as a bridge. We'll assume that eth0 is connected downstream
> to the LAN, while eth1 provides upstream access to the Internet."
>
>
> >> which seems similar to what i am trying to achieve. If I am
> >> mistaken, please let me know.
> >>
> >> and also most of http://wiki.squid-cache.org/Features/Tproxy4
> > tproxy will give you the benefit of some graphing tools with a
> > more accurate vision on your clients requests.
>
>
> > update me
>
> > Regards, Eliezer
> >>
> >> > things you should consider about pfsense and ClearOS:
> >> > - they do have nice web interface but lack updated software.
> >> > - they take up from your machine more than you need.
> >> > - they leave you in the big cloud of "what to h### happen when i did apply???"
> >>
> >> > about accessing the squid in this setup the box is behind nat so
> >> > it's ok and if you will ever decide that you want the squid to
> >> > take over the RV042 LB and dhcp you can just use iptables to
> >> > block access to squid port or bind squid only to local net port
> >> > and of course the basic way of acls to allow only local users
> >> > access.
> >>
> >> > about content filtering: i prefer to use squidguard and not
> >> > dansguardian. there is always the option of using some icap server
> >> > such as qlprpxy.
>
> A quick google search tends to favor dansguardian. Why do you prefer
> squidguard? Is it still being developed?
>

SG is an internal helper. Access controls are written in squid.conf
only. Squid passes it a limited amount of data to work with and
manipulates the HTTP request based on the response.

DG is a proxy separate from Squid, with access controls being written
in one or the other, sometimes both.

Amos
Received on Wed Jul 04 2012 - 04:16:22 MDT
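The three configuration layers Amos lists above (ebtables, iptables, squid.conf), written out as an added example that is not part of this thread or of the wiki pages it links: the same bridged Squid box set up once as NAT interception and once as TPROXY. It assumes a bridge interface br0, Squid listening on 3128 for intercept and 3129 for tproxy, and IPv4 only; run with DRY_RUN=1 to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: bridge br0,
# Squid ports 3128 (intercept) and 3129 (tproxy). DRY_RUN=1 prints
# each command instead of executing it, so the script can be inspected
# on a machine without root or a bridge.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Layer 1: ebtables. Pull port-80 frames out of the bridge forwarding
# path so the kernel routes them. Without this the bridge relays them
# untouched and no iptables rule ever sees them.
ebtables_divert_http() {
  run ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
      -j redirect --redirect-target ACCEPT
}

# Layer 2a: NAT interception. The destination is rewritten to the local
# Squid port; Squid sees "client -> squid" and the client's real source
# address is not preserved on the upstream connection.
nat_interception_rules() {
  run iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
      -j REDIRECT --to-port 3128
  echo '# squid.conf: http_port 3128 intercept'
}

# Layer 2b: TPROXY. The destination is left intact; a socket match plus
# fwmark policy routing delivers the packet to Squid's tproxy listener,
# which can then use the client's address on the outbound side.
tproxy_rules() {
  run iptables -t mangle -N DIVERT
  run iptables -t mangle -A DIVERT -j MARK --set-mark 1
  run iptables -t mangle -A DIVERT -j ACCEPT
  run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
      -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
  run ip rule add fwmark 1 lookup 100
  run ip route add local 0.0.0.0/0 dev lo table 100
  echo '# squid.conf: http_port 3129 tproxy'
}
```

Layer 3 (Squid's own URL-rewriter helpers) lives entirely in squid.conf and is independent of which iptables mode is chosen, so it is not shown here.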
