[squid-users] Question in WCCP with tproxy with cisco ACLS &Optimization

From: Ahmad <ahmed.zaeem_at_netstream.ps>
Date: Thu, 5 Sep 2013 00:17:25 -0700 (PDT)

Hi,
Here I have two questions.
I have the topology below:
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4661995/f5vnD.jpg>

As you can see in the image above, I've posted the Cisco WCCP config, and I'm assuming
the config on Squid is fine.

Now assume I have a client X with IP 1.2.3.4 that wants to go to the internet, and it is
the only user in my topology that wants to go to the internet,
so my ACLs on the router will be as follows:
===================================
ip access-list ex xxx
permit tcp host 1.2.3.4 any eq 80

ip access-list ex yyy
permit tcp any eq 80 host 1.2.3.4
======================================
Question #1
I'm talking about the ACL yyy.
I found that if I configured the ACL yyy as:
permit ip any host 1.2.3.4

it will also let WCCP work fine between the router and Squid,

but here I have a question:
the 1st ACL of yyy says that only WWW traffic that passed through Squid will be
returned back to Squid when it comes from the internet.

But the 2nd ACL of yyy says that all other traffic will come back to Squid,
which in my opinion is not fine.
I mean that with the 2nd ACL, HTTPS, POP3, FTP, etc. >>>> will pass through
Squid when the traffic comes back from the internet, because it was matched by ACL
yyy, which has service 90 that is responsible for returning traffic from the
internet to Squid.

So, I find that WWW traffic will be redirected to Squid when matched by
service 80, and all other traffic of user 1.2.3.4 will pass through Squid when it
returns back from the internet, when matched by service 90.

My question here: I want a discussion about this point. Am I right
in what I discussed above??
If not, please clarify.

=================================================================

Question #2

Sometimes I want some users to enter Squid for SquidGuard only, not for caching,
and I don't want them to cache any objects.
So,
I try to let them match service 80; then they will be redirected to
Squid and be checked by SquidGuard, and I configure cache_deny for them,
"so they will not pull from Squid".

But I don't want them to be matched by service 90, which will pump them into
Squid when they come back from the internet.

So,
what I do is, I just modify the Cisco ACLs as below, and assume we are
on the same example of IP 1.2.3.4:

ip access-list extended xxx
permit tcp host 1.2.3.4 any eq 80

ip access-list extended yyy
deny tcp any eq 80 host 1.2.3.4

As we see, I denied the traffic of service 90 from being redirected from the internet
into Squid,

but..............

if I do that, the client 1.2.3.4 can no longer access the internet
????!!!!!!! and there is a very small access.log in Squid ("not sure about this point
regarding access.log, as far as I remember").

I don't know why, when I block client X from service 90 and allow him in
service 80, he can't access the internet.

?????

Do I miss something about tproxy and WCCP at this point???

But again, if I deny him from the service 80 ACL and let him be matched
by the service 90 ACL,
the client can access the internet but is not redirected into Squid.

I wish to clarify this, and wish to know how to let users only be checked by
SquidGuard and not cache any object and not pull any object from Squid.

Thanks a lot.

With my best regards

-----
Mr.Ahmad
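The ACL matching behind both questions, as an added example that is not part of the original post (a Python model written for this page, not Cisco or Squid code). It models Cisco IOS extended ACL semantics in simplified form (a single host or `any` per address, an optional `eq <port>` after the address it qualifies, first matching entry wins, implicit deny at the end; wildcard masks, port ranges and `established` are not modelled), and runs three candidate versions of redirect-list `yyy` for service 90 over constructed reply packets addressed to 1.2.3.4: the port-80-only permit, the `permit ip any host 1.2.3.4` variant, and the `deny` variant from Question #2. The origin server address 198.51.100.10 and the port numbers are constructed sample values. The last function encodes a fact about tproxy that both questions turn on: Squid in tproxy mode opens the server connection with the client's own address as source, so the server's reply is addressed to the client and reaches Squid only if service 90 redirects it.

```python
"""Model how WCCP redirect-list ACLs select flows for service 80 and 90.

Added example for the questions above; not part of the original post.
Simplified Cisco IOS extended ACL semantics: 'any' or one host per address,
optional 'eq <port>', first matching entry wins, implicit deny at the end.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    """One packet as the router sees it on the redirecting interface."""
    proto: str   # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry. None means 'any' (address) or 'no eq clause' (port)."""
    action: str            # "permit" | "deny"
    proto: str             # "ip" matches every protocol
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]

    def matches(self, f: Flow) -> bool:
        return (
            (self.proto == "ip" or self.proto == f.proto)
            and (self.src is None or self.src == f.src)
            and (self.sport is None or self.sport == f.sport)
            and (self.dst is None or self.dst == f.dst)
            and (self.dport is None or self.dport == f.dport)
        )


def acl_permits(acl: List[Ace], f: Flow) -> bool:
    """IOS semantics: the first matching entry decides; no match means deny.
    For a WCCP redirect-list, 'permit' means 'redirect this packet to Squid'."""
    for ace in acl:
        if ace.matches(f):
            return ace.action == "permit"
    return False


def redirected(acl: List[Ace], flows: Dict[str, Flow]) -> Set[str]:
    """Names of the sample flows that the given redirect-list sends to Squid."""
    return {name for name, f in flows.items() if acl_permits(acl, f)}


# --- constructed sample data ------------------------------------------------
CLIENT = "1.2.3.4"          # the client from the post
SERVER = "198.51.100.10"    # constructed origin server (TEST-NET-2 address)

# redirect-list xxx, applied to service 80 (client -> internet direction):
#   permit tcp host 1.2.3.4 any eq 80
XXX = [Ace("permit", "tcp", CLIENT, None, None, 80)]

# Three candidate redirect-lists for service 90 (internet -> client direction):
#   permit tcp any eq 80 host 1.2.3.4
YYY_HTTP_ONLY = [Ace("permit", "tcp", None, 80, CLIENT, None)]
#   permit ip any host 1.2.3.4
YYY_ANY_IP = [Ace("permit", "ip", None, None, CLIENT, None)]
#   deny tcp any eq 80 host 1.2.3.4   (followed by the implicit deny)
YYY_DENY = [Ace("deny", "tcp", None, 80, CLIENT, None)]

# Replies from the internet addressed to the client (constructed):
RETURN_FLOWS = {
    "http":  Flow("tcp", SERVER, 80,  CLIENT, 40001),
    "https": Flow("tcp", SERVER, 443, CLIENT, 40002),
    "pop3":  Flow("tcp", SERVER, 110, CLIENT, 40003),
    "ftp":   Flow("tcp", SERVER, 21,  CLIENT, 40004),
    "dns":   Flow("udp", SERVER, 53,  CLIENT, 40005),
}


def tproxy_http_reply_reaches_squid(xxx: List[Ace], yyy: List[Ace]) -> bool:
    """In tproxy mode Squid opens the server connection with the client's own
    address as source, so the reply is addressed to 1.2.3.4, not to Squid.
    It reaches Squid only if service 90 redirects it; otherwise the router
    forwards it straight to a client that has no such TCP connection."""
    request = Flow("tcp", CLIENT, 40001, SERVER, 80)   # via service 80
    reply = Flow("tcp", SERVER, 80, CLIENT, 40001)     # via service 90
    return acl_permits(xxx, request) and acl_permits(yyy, reply)


if __name__ == "__main__":
    for name, acl in [("http-only", YYY_HTTP_ONLY), ("any-ip", YYY_ANY_IP), ("deny", YYY_DENY)]:
        print(f"yyy={name:9s} service 90 redirects {sorted(redirected(acl, RETURN_FLOWS))};"
              f" tproxy HTTP works: {tproxy_http_reply_reaches_squid(XXX, acl)}")
```

Running it shows the three outcomes the post describes: the port-80 version of `yyy` returns only HTTP replies to Squid, the `permit ip` version pulls HTTPS, POP3, FTP and DNS replies to 1.2.3.4 in as well, and the `deny` version returns nothing, which in tproxy mode means the HTTP request that went out through service 80 never gets its reply back to Squid.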

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Question-in-WCCP-with-tproxy-with-cisco-ACLS-Optimization-tp4661995.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Thu Sep 05 2013 - 07:18:06 MDT
