[Shorewall-users] transparent proxy

Manuel Pompeia Santos mpompeia@arundel.homelinux.org
19 Apr 2002 17:10:04 +0100


Now you see the problem ;)

On Fri, 2002-04-19 at 17:07, Tom Eastep wrote:

    On Fri, 19 Apr 2002, Tom Eastep wrote:

    > On Fri, 19 Apr 2002, Tom Eastep wrote:
    >
    > > On 19 Apr 2002, Manuel Pompeia Santos wrote:
    > >
    > > > Thanks for the quick response.
    > > > But the thing is that the client isn't the local network, but the
    > > > firewall itself.
    > > >
    > >
    > > You can try the following:
    > >
    > > ACCEPT	fw	fw::8080	tcp	80	-	all
    > >
    > > I know that DNAT in the OUTPUT chain is broken in NetFilter but I'm not sure about
    > > REDIRECT.
    > >
    >
    > I've tested something similar here and it seems to work.
    >

    That is to say, the REDIRECT rule works but you are going to be screwed
    trying to run Squid this way.

    Hint: How is Squid going to be able to connect to remote HTTP sites if ALL
    requests to connect to HTTP get redirected back to the firewall?

    -Tom
    --
    Tom Eastep    \ Shorewall - iptables made easy
    AIM: tmeastep  \ http://www.shorewall.net
    ICQ: #60745924  \ teastep@shorewall.net

--
http://mpompeia.ods.org
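The loop Tom hints at, worked through as an added example that is not part of the thread or of Shorewall: a small model of the nat OUTPUT chain walks a local user's port-80 connection into the proxy, then follows the proxy's own upstream connection, which the same REDIRECT rule sends straight back to the proxy. The second rule set exempts packets owned by the proxy's uid before the REDIRECT, which is what the iptables `owner` match (`-m owner --uid-owner`) does; that mitigation, the uid 13, and the origin address 203.0.113.10 are assumptions made here, not something the thread states.

```python
"""Model of a nat OUTPUT chain that redirects local port-80 traffic to a proxy.

Shows why 'redirect ALL locally generated HTTP to the proxy' loops the proxy's
own upstream connections back onto itself, and that exempting the proxy's uid
before the REDIRECT breaks the loop.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PROXY_PORT = 8080
PROXY_UID = 13        # constructed: uid the proxy daemon (e.g. squid) runs as
CLIENT_UID = 1000     # constructed: an ordinary local user on the firewall


@dataclass(frozen=True)
class Packet:
    uid: int          # owner of the local socket that generated the packet
    dst_ip: str
    dport: int


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str                      # "REDIRECT" or "RETURN"
    to_port: Optional[int] = None    # only meaningful for REDIRECT


def walk_output_chain(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Apply the rules in order and return the (dst_ip, dport) the packet ends up with.

    REDIRECT on locally generated traffic rewrites the destination to the
    loopback address on to_port; RETURN leaves the chain so the packet goes
    out unchanged (simplified model of netfilter's nat OUTPUT chain).
    """
    for rule in rules:
        if rule.match(pkt):
            if rule.target == "REDIRECT":
                return ("127.0.0.1", rule.to_port)
            if rule.target == "RETURN":
                return (pkt.dst_ip, pkt.dport)
    return (pkt.dst_ip, pkt.dport)


def redirect_all_http() -> List[Rule]:
    """Equivalent of the thread's rule: every locally generated tcp/80 connection -> proxy."""
    return [Rule(lambda p: p.dport == 80, "REDIRECT", PROXY_PORT)]


def redirect_except_proxy() -> List[Rule]:
    """Assumed fix: skip packets owned by the proxy uid (owner match) before the REDIRECT."""
    return [
        Rule(lambda p: p.dport == 80 and p.uid == PROXY_UID, "RETURN"),
        Rule(lambda p: p.dport == 80, "REDIRECT", PROXY_PORT),
    ]


def proxy_can_reach_origin(rules: List[Rule], origin_ip: str = "203.0.113.10") -> bool:
    """True if a connection the proxy opens to origin:80 actually leaves the box."""
    dst = walk_output_chain(rules, Packet(PROXY_UID, origin_ip, 80))
    return dst == (origin_ip, 80)


def trace_client_request(rules: List[Rule], origin_ip: str = "203.0.113.10",
                         max_hops: int = 5) -> Tuple[List[Tuple[str, int]], str]:
    """Follow a local user's HTTP request hop by hop.

    Hop 1 is the user's own socket; after each redirect to the proxy, the proxy
    opens its own upstream connection to the same origin, which is walked
    through the same chain. Stops when a hop reaches the origin or after
    max_hops redirects (a loop).
    """
    hops: List[Tuple[str, int]] = []
    pkt = Packet(uid=CLIENT_UID, dst_ip=origin_ip, dport=80)
    for _ in range(max_hops):
        dst = walk_output_chain(rules, pkt)
        hops.append(dst)
        if dst != ("127.0.0.1", PROXY_PORT):
            return hops, "reached origin"
        # The proxy now connects upstream on the client's behalf.
        pkt = Packet(uid=PROXY_UID, dst_ip=origin_ip, dport=80)
    return hops, "loop"


if __name__ == "__main__":
    for name, rules in (("redirect all", redirect_all_http()),
                        ("exempt proxy uid", redirect_except_proxy())):
        hops, outcome = trace_client_request(rules)
        print(f"{name:18s} proxy reaches origin: {proxy_can_reach_origin(rules)}; "
              f"client request: {outcome} via {hops}")
```

The trace makes the failure visible rather than just asserted: with the single REDIRECT rule every hop lands on 127.0.0.1:8080, so the proxy never gets past itself; with the uid exemption first, the client's request takes one hop into the proxy and the proxy's upstream connection takes one hop to the origin.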
