Hi All, We are using a transparent proxy on our LAN. The redirection is handled by the firewall which is running Shorewall-Perl 4.0.4-1. The method for achieving this is exactly as laid out in the Shorewall docs: http://www.shorewall.net/Shorewall_Squid_Usage.html
Now for the strange part. Some of our users, all Mac OSX 10.5.1, get their routing tables hosed when using the transparent proxy. The sequence goes like this:

1. Open a URL in a DMZ, e.g. https://mail.lan.domain.com/ . This will work and display our webmail interface.

2. Now open the same URL without the SSL (i.e. http://mail.lan...). This time the transparent proxy rule is invoked, and the client receives an ICMP redirect to use the proxy. Unfortunately this rewrites the route for the internal mail server with the proxy as the gateway!

If you swap the sequence, the SSL site will fail as the route has already been rewritten by accessing over port 80, and the proxy won't transparently handle SSL traffic (nor should it!).

Here's an example before the ICMP redirect:

    iceman:~ james$ sudo route get mail
       route to: mail
    destination: default
           mask: default
        gateway: firewall
      interface: en1
          flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
     recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
           0         0         0         0         0         0      1500         0

Here's what the route monitor has to say:

    got message of size 140 on Mon Dec  3 14:22:55 2007
    RTM_REDIRECT: Told to use different route: len 140, pid: 0, seq 0, errno 0, flags:<GATEWAY,HOST,MODIFIED,DONE>
    locks:  inits:
    sockaddrs: <DST,GATEWAY,AUTHOR>
     mail proxy1 firewall

And after this ICMP redirect the route looks like this:

    iceman:~ james$ sudo route get mail
    Password:
       route to: mail
    destination: mail
        gateway: proxy1
      interface: en1
          flags: <UP,GATEWAY,HOST,MODIFIED,DONE,WASCLONED,PROTO3>
     recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
           0         0         0         0         0         0      1500       571

Obviously there is the option to tell browsers to use the proxy manually, and that will avoid the problem. However, that is a work-around, not a solution in our situation. So my question to the list is whether or not there is a better way to do this (WCCP with Shorewall and Squid maybe)? Using ICMP redirect with OSX clients breaks routing to our DMZs (we have two).
Thanks in advance, James -- A motion to adjourn is always in order.
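As an added example (not part of James's post, and not Shorewall or Squid code), here is a small Python check for the failure mode he describes: it parses `route get` output from before and after the redirect, and `route monitor` output, and reports when a cloned host route (HOST,MODIFIED flags) now points at a different next hop than the original default route. The sample outputs embedded below are constructed, modelled on the ones quoted in the post; the hostnames `mail`, `proxy1` and `firewall` are taken from the post, and the function names are the example's own.

```python
"""Detect host routes rewritten by an ICMP redirect on a BSD-style (macOS) client.

Added example: parses `route get` and `route monitor` output as quoted in the
mailing-list post and flags routes that an RTM_REDIRECT has rewritten.
"""
import re

# Constructed sample: `route get mail` before the redirect (modelled on the post).
ROUTE_BEFORE = """\
   route to: mail
destination: default
       mask: default
    gateway: firewall
  interface: en1
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0
"""

# Constructed sample: the same query after the ICMP redirect from the firewall.
ROUTE_AFTER = """\
   route to: mail
destination: mail
    gateway: proxy1
  interface: en1
      flags: <UP,GATEWAY,HOST,MODIFIED,DONE,WASCLONED,PROTO3>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500       571
"""

# Constructed sample: `route monitor` output for the redirect message itself.
# The sockaddrs line names the address kinds; the next line carries them in order.
ROUTE_MONITOR = """\
got message of size 140 on Mon Dec  3 14:22:55 2007
RTM_REDIRECT: Told to use different route: len 140, pid: 0, seq 0, errno 0, flags:<GATEWAY,HOST,MODIFIED,DONE>
locks:  inits:
sockaddrs: <DST,GATEWAY,AUTHOR>
 mail proxy1 firewall
"""


def parse_route_get(text):
    """Return the 'key: value' fields of `route get` output as a dict.

    The flags field becomes a set of flag names; the statistics table at the
    bottom has no colons and is skipped.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z ]+?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "flags":
            fields["flags"] = set(value.strip("<>").split(","))
        else:
            fields[key] = value
    return fields


def redirected(before, after):
    """True when the route to a host was cloned and its next hop changed.

    A redirect-installed route carries HOST and MODIFIED and names a gateway
    other than the one the original (default) route used.
    """
    b, a = parse_route_get(before), parse_route_get(after)
    return {"HOST", "MODIFIED"} <= a.get("flags", set()) and a.get("gateway") != b.get("gateway")


def parse_redirects(monitor_text):
    """Extract (destination, new_gateway, author) triples from RTM_REDIRECT
    messages in `route monitor` output. AUTHOR is the router that sent the redirect."""
    found = []
    lines = monitor_text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("RTM_REDIRECT"):
            continue
        for j in range(i + 1, len(lines)):
            m = re.match(r"sockaddrs:\s*<([A-Z,]+)>", lines[j])
            if m and j + 1 < len(lines):
                kinds = m.group(1).split(",")
                values = lines[j + 1].split()
                rec = dict(zip(kinds, values))
                found.append((rec.get("DST"), rec.get("GATEWAY"), rec.get("AUTHOR")))
                break
    return found


if __name__ == "__main__":
    print("route rewritten by redirect:", redirected(ROUTE_BEFORE, ROUTE_AFTER))
    for dst, gw, author in parse_redirects(ROUTE_MONITOR):
        print(f"RTM_REDIRECT: {dst} now via {gw} (sent by {author})")
```

On a live client the two `route get` captures would come from `sudo route get <host>` before and after the HTTP request, and the monitor text from `route monitor` left running in another terminal; the AUTHOR field tells you which router issued the redirect, which is the thing to correlate with the firewall's proxy redirection rule.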
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
