Re: [squid-users] Re: Squid Interception Proxy (3.3)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 03 May 2013 19:35:16 +1200

On 3/05/2013 11:50 a.m., John Yoon wrote:
>> The NAT operation *MUST*, absolutely *MUST*, be performed on the Squid box and nowhere else on the path between Squid and clients.
> I am buying a new router that has enough ROM and RAM to support
> openwrt + squid, for the security reasons and also because my
> ARM-based server does not have a proper 'iptables' available. Thanks
> for that emphasis. I re-read the original post and saw that you also
> point out that the dd-wrt wiki page is wrong. It was very confusing
> for me as not only the wiki-page, but several blog pages posted
> how-to's that attested that the aforementioned setup worked. One post was less
> than a year old!
>
>> The configuration for OpenWRT device is in fact a completely different setup
> There is a section called 'When Squid is in a DMZ between the router and
> Internet' which is exactly what 'Ethan H' was trying to achieve. And
> you responded.
>>> The kernel routing layer does the routing based on the firewall markings
> Is it the reason why OpenWRT works but not DD-WRT? Due to the
> difference in the kernel routing layer? Or does the same rule apply
> and NAT operation *Must* be performed for OpenWRT as well?

They should be the same. The "must" is because of how NAT changes the
packet.
The difference is in which particular Squid version the blogger is
using; some say "3.2" without explaining it was an old beta release
before the final security patches were in, or even just "Squid" meaning
3.1 or older.

> On Wed, May 1, 2013 at 6:40 PM, Amos Jeffries-2 wrote:
>> On 2/05/2013 10:23 a.m., prometheus wrote:
>>> Were you able to get this to work? I am having the same problem.
>> The problem is that DNAT whenever used *erases* critical information
>> which Squid-3.2+ require. The NAT operation *MUST*, absolutely *MUST*,
>> be performed on the Squid box and nowhere else on the path between Squid
>> and clients.
>>
>> Please go back and re-read the "outline" section on
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat for
>> details on DNAT configuration.
>>
>> The configuration for OpenWRT device is in fact a completely different
>> setup, which is one of the cases detailed in
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute.
>>
>> Amos
Received on Fri May 03 2013 - 07:35:28 MDT
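Why the NAT has to happen on the Squid box itself: in intercept mode Squid recovers the client's real destination from the kernel's NAT/conntrack table (on Linux via the SO_ORIGINAL_DST socket option), and that table only exists on the host that performed the DNAT. The Python below is an added illustration, not code from this thread or from Squid; the loopback connection it builds is constructed so the check runs offline, and the "lost"/"not-natted"/"intercepted" labels are this example's own.

```python
import socket
import struct

# Linux value from linux/netfilter_ipv4.h; not exported by the socket module.
# On Linux SOL_IP == IPPROTO_IP == 0, so IPPROTO_IP is used for portability.
SO_ORIGINAL_DST = 80


def parse_sockaddr_in(raw):
    """Decode a 16-byte struct sockaddr_in into (dotted_ip, port).
    Layout: family(2, host order) port(2, network order) addr(4) zero(8)."""
    if len(raw) != 16:
        return None
    port, addr = struct.unpack("!2xH4s8x", raw)
    return socket.inet_ntoa(addr), port


def original_destination(conn):
    """(ip, port) the client really connected to, as recorded in THIS host's
    NAT table, or None when the kernel has no entry (DNAT done on another
    box, conntrack not loaded, or a non-Linux platform)."""
    try:
        raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return None
    return parse_sockaddr_in(raw)


def classify(conn):
    """Squid 3.2+ only proceeds when the original destination can be
    recovered locally; otherwise it would have to trust the client's Host
    header, which is exactly what the security patches stopped."""
    orig = original_destination(conn)
    if orig is None:
        return "lost"           # nothing to look up: NAT happened elsewhere
    if orig == conn.getsockname()[:2]:
        return "not-natted"     # flow is known but was never DNATed here
    return "intercepted"        # real destination recovered on this box


def demo_loopback():
    """Constructed check: a plain loopback connection was never DNATed, so
    the lookup must never claim a forged 'intercepted' destination."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    try:
        return classify(conn)
    finally:
        conn.close(); cli.close(); srv.close()
```

Run it on the Squid host with and without the local REDIRECT/DNAT rule from the wiki page to see "intercepted" turn into "not-natted"; move the DNAT to the router and the same connection reports "lost".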

This archive was generated by hypermail 2.2.0 : Fri May 03 2013 - 12:00:13 MDT