Re: [squid-users] Re: Squid + DansGuardian + Bridging

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 20 Sep 2013 16:10:27 +1200

On 20/09/2013 3:55 p.m., psd17j-jacob wrote:
>> Where is this bridge sitting in the network level?
>> please share your situation in more details.
> Sure! So we have the NOC MDF > proxy (in through eth0) //bridge (out eth1)
>> router > ComCast.
>
> Amos Jeffries-2 wrote
>> The proxy operates on top of the *routing* component of the kernel. As
>> you can note from the ebtables rules you have to bump the traffic out of
>> the bridge into routing systems for iptables rules to send to the proxy.
>> You may as well setup the box as a normal router (with VLAN routing) if
>> that is easier than to implement the bridging. With the correct ebtables
>> rules shifting traffic to routing the presence or absence of bridging
>> should be irrelevant to the proxy operation.
>>
>> Another thing adding complexity is your usage of DansGuardian. It is a
>> basic filtering proxy, not a fully-featured proxy like Squid. So things
>> like the iptables MARK and QoS TOS/DSCP values are not even passed
>> through it for Squid to make use of. This is simpler to fix since Squid
>> can do anything DG can (just differently) you can drop the DG component
>> entirely and just use Squid access controls.
>>
>> Amos
> Hi Amos,
>
> Thanks for your reply. I appreciate it. Basically I was simply following a
> few guides I had found online on how to set this up. My understanding was
> that you had to use vLAN tagging (the IP of br0 and br0.9 are on vLAN 9) but
> from what you are saying, I gather we can just use br0?
>
> The usage of DG was simply what was addressed in the guides I followed, and
> it seemed like a simple enough interface (via webmin) for the person who
> administers the deny/allow lists to access (he's 73 years old). If you have
> other suggestions please do let me know.
>
> Are there any obvious flaws you see with the way things are routed and
> brouted? Am I missing something?

I think so. The TPROXY guide contains the best ebtables rules for
running Squid on a bridge (I'm not sure why this is missing from the
other interception config examples - should be in all of them). You seem
to be missing the DROP portion of the rules, and are also trying to pull
IPv6 port details out of IPv4 packets. You need ebtables rules to handle
IPv4 packets separately from IPv6 packets, with the matching version
port details located specially in each rule.

http://wiki.squid-cache.org/Features/Tproxy4#ebtables_on_a_Bridging_device

Amos
Received on Fri Sep 20 2013 - 04:10:33 MDT
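The two mistakes Amos names (no `--redirect-target DROP`, and IPv6 port matches applied to IPv4 frames) are easy to check for mechanically. The script below is an added example written for this archive page; it is not code from the thread, from Amos, or from the Squid wiki. It generates the BROUTING rules in the shape the TPROXY guide's ebtables section describes, one rule per IP version, and lints a given rule line for the two errors. Assumed: the proxy box bridges on `br0`, the intercepted port is 80, and the iptables/TPROXY side (which actually delivers the routed packets to Squid) is configured separately.

```shell
#!/bin/sh
# Added example for the squid-users thread above; not from the thread or the
# Squid wiki. Assumes a Linux bridge (br0) in front of Squid and that the
# iptables TPROXY rules exist separately.

# In the broute table "DROP" does not discard a frame: it pulls the frame out
# of the bridge path so the kernel *routes* it, which is the only way iptables
# PREROUTING/TPROXY rules ever see it. Without --redirect-target DROP the
# frame is just bridged straight through and never reaches the proxy.
ebtables_bridge_rules() {
    port="${1:-80}"
    # IPv4 frame: ebtables 'ip' extension (--ip-proto / --ip-dport).
    printf 'ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport %s -j redirect --redirect-target DROP\n' "$port"
    # IPv6 frame: ebtables 'ip6' extension (--ip6-proto / --ip6-dport).
    # A separate rule: --ip6-* matches cannot read ports out of IPv4 packets.
    printf 'ebtables -t broute -A BROUTING -p ipv6 --ip6-proto tcp --ip6-dport %s -j redirect --redirect-target DROP\n' "$port"
}

# Lint one rule line for the two problems raised in the reply.
# Prints "ok", or a short diagnosis, and returns 1 on a problem.
check_rule() {
    rule="$1"
    # 1. IPv6 port/proto matches on an IPv4 rule, or vice versa.
    #    ("--ip-" does not match inside "--ip6-", so the cases are distinct.)
    case "$rule" in
        *"-p ipv4"*"--ip6-"*|*"-p ipv6"*"--ip-"*)
            echo "version/port mismatch"
            return 1 ;;
    esac
    # 2. Missing the DROP portion that hands the frame to routing.
    case "$rule" in
        *"--redirect-target DROP"*) ;;
        *)
            echo "missing --redirect-target DROP"
            return 1 ;;
    esac
    echo ok
}

# Apply the generated rules (root only). Anything else just prints them so
# the script is safe to run on a non-bridge host for inspection.
apply_bridge_rules() {
    port="${1:-80}"
    ebtables_bridge_rules "$port" | while IFS= read -r line; do
        if [ "$(id -u)" -eq 0 ] && command -v ebtables >/dev/null 2>&1; then
            eval "$line"
        else
            echo "# (not root / no ebtables) would run: $line"
        fi
    done
}

# Usage: ./bridge-rules.sh          -> print the rule set for port 80
#        ./bridge-rules.sh apply 80 -> install it (as root on the bridge box)
if [ "${1:-}" = "apply" ]; then
    apply_bridge_rules "${2:-80}"
else
    ebtables_bridge_rules 80
fi
```

These rules only move the frames into the routing path; as the earlier part of the thread notes, iptables rules (the TPROXY or REDIRECT set from the same wiki page) still have to send the routed packets to Squid. Run the generated lines through `check_rule` before installing them if you are adapting rules copied from another guide.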

This archive was generated by hypermail 2.2.0 : Fri Sep 20 2013 - 12:00:05 MDT