thanks guys!
dave - your idea of having additional NICs is not feasible in my case.
i didn't mention it in my earlier mail, but it's the TrinityOS firewall, just
for information's sake, so that you can get a good idea. my firewall is
almost as it is given by them; even my network setup is the same. they
have mentioned in their documentation that you can forward all port 80
etc. connections to an internal masqueraded machine. i tried doing
ipmasqadm as mentioned there, but it didn't work.
as for your second idea, it's fine if all the clients are within the
network, but i have to give access to clients outside the firewall, so
they can't configure their browser to use the squid machine as the proxy,
because the IP of squid is not recognized outside the firewall.
boyle - i did try doing ipmasqadm portfw .......
do i have to start the httpd service for accepting traffic? because i don't want
to. i just want the server running the firewall to forward http to the squid
box.
thanks again
pranav
*******************************************************************
Pranav A. Desai
4309 Pease Street, Apt #6
Houston, TX - 77023
U.S.A.
Home :- (713) 926-1045
*******************************************************************
On Thu, 10 Aug 2000, dave wrote:
> hi,
>
> ipchains will only allow you to redirect to a local port on the host,
>
> ie: if squid was running on the local box (firewall) then you could do
> ipchains -A input -p tcp -s $any -d $any 80:80 -i eth0 -j REDIRECT 3128
>
> (you can bind squid to a different port but purpose remains the same)
>
> now if you don't want to run squid on the firewall you would have to route
> the traffic to it, which effectively will route all internal traffic to
> the squid box. You could then add your ipchains ruleset on the squid box.
> You would then have to configure another nic on the squid box to connect
> to another nic on the firewall which would then route traffic to the wan
> device. picture it like this:
>
> [client]--------[e0-firewall] [e2-firewall]-----[router/wan]
>                 [e1-firewall]      |
>                      |             |
>                      |             |
>                      |             |
>                 [e0-squid]-----[e1-squid]
>
> so the firewall would effectively operate as redirector for traffic.
> you could allow whatever other traffic passive traversal and redirect
> squid.
>
> now does this seem insane? why do you want to house squid on a separate
> box anyway? you could as easily beef up a single box and run squid.
>
> NOW...here's the INSANE part: squid is a web proxy, browsers are web proxy
> configurable, so why don't you deny port 80 on the firewall from all hosts bar
> the squid box and simply config all clients for squid proxying in their
> browser settings.
>
> just an idea.
>
> regards,
> dave.
>
> > hi!
> > i have a firewall on a linux machine. it's basically a packet filtering
> > one. i have installed squid on one of the machines in my network.
> > i want to redirect all http traffic coming to the firewall to this
> > machine having squid. i don't want to install squid on the firewall, i
> > just want it to forward all http packets to the squid machine.
> > how can i do this?
> > i tried a few things with ipchains.
> >
> > ipchains input -i eth1 -j accept -s $ALL -d $EXTIP 80
> >
> > but it didn't work.
> > do i need to do anything specific?
> >
> > thank you
> > --pranav.
>
> +-----------------------------+
> | Dave Ryan |
> | Default Security |
> | http://www.default.org.uk |
> +-----------------------------+
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
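The rules implied by the thread, written out as an added example (not posted by anyone in the thread): the REDIRECT that ipchains can do on the box running squid, dave's "deny port 80 from all hosts bar the squid box" idea on the firewall, and the ipmasqadm portfw entry Pranav would need for clients outside the firewall. Interface names, addresses and the squid port are assumptions; the script prints the commands for review and only executes them with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (or with APPLY=1 runs) the
# ipchains/ipmasqadm rules for dave's two-NIC layout and for Pranav's
# outside-client case. Every name and address below is an assumption.
APPLY=${APPLY:-0}
SQUID_IP=${SQUID_IP:-192.168.1.2}   # address of the squid box facing the firewall
SQUID_PORT=${SQUID_PORT:-3128}
LAN=${LAN:-192.168.1.0/24}
EXTIP=${EXTIP:-203.0.113.10}        # firewall's outside address (TEST-NET)

run() { if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Squid box: eth0 (e0-squid) faces the clients, eth1 (e1-squid) faces the
# firewall. Port 80 from the clients is REDIRECTed to the local squid port,
# the only redirect ipchains can do; everything else is routed on, masqueraded.
squid_box_rules() {
    run ipchains -I input -i eth0 -p tcp -s "$LAN" -d 0.0.0.0/0 80 -j REDIRECT "$SQUID_PORT"
    run ipchains -P forward DENY
    run ipchains -A forward -i eth1 -s "$LAN" -j MASQ
}

# Firewall: inserted at the top of the existing forward chain (TrinityOS
# already masquerades the LAN further down), so the DENY is inserted first
# and the squid exception second, which leaves the exception above the DENY.
# portfw hands outside clients hitting EXTIP:80 to squid; replies only work
# if the squid box's default route points back at this firewall.
firewall_rules() {
    run ipchains -I forward -p tcp -s "$LAN" -d 0.0.0.0/0 80 -l -j DENY
    run ipchains -I forward -p tcp -s "$SQUID_IP" -d 0.0.0.0/0 80 -j MASQ
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L "$EXTIP" 80 -R "$SQUID_IP" "$SQUID_PORT"
}
# Squid itself must accept intercepted requests (squid 2.x: httpd_accel_host
# virtual, httpd_accel_port 80, httpd_accel_with_proxy on,
# httpd_accel_uses_host_header on), and its http_access ACLs must list the
# outside clients explicitly, or the portfw entry turns it into an open proxy.

squid_box_rules
firewall_rules
```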