Mike Purnell wrote:
>>> Just to ensure we are not chasing around in circles, the "dansguardian's
>>> box" is the firewall that is running shorewall, and that the lan clients
>>> are using the "dan's box" as their default gateway?
>>>
>>> Maybe I need a dump here...
>>>
>> In addition to the dump, the output of 'netstat -tnap' on the firewall would
>> also be enlightening.
>>
>> One thing -- https CANNOT be transparently proxied. You must manually
>> configure a proxy for HTTPS.
>>
>> This is described at http://www.shorewall.net/Shorewall_Squid_Usage.htm
>>
>> -Tom
>>
> Tom, thanks for the bit about https.
>
> Jerry, yes, the gateway is the firewall, squid caching server, and
> dansguardian box.
>
> The beginning of the thread explained that dansguardian was the late
> addition to a configuration that worked fine as a transparent proxy (via
> squid). The issue was adding dansguardian and configuring shorewall so
> that clients on the lan would continue with transparent proxy as:
> lan-based_http_request --> dansguardian --> squid --> Internet ***
>
> I was able to think this through and realize how I needed to change my
> shorewall rules to reflect the new circumstances. I had previously left
> the rule in place for transparent proxying through squid:
>
> REDIRECT loc 3128 tcp 80
Glad you got it to go. The above appeared before the new dan's rule, correct?
First rule match wins in the rules file.

> This needed to be changed as follows, in order to redirect dansguardian
> --> squid:
>
> REDIRECT loc 3128 tcp 8080
>
This looks a little bogus to me: the dan's -> squid traffic is local to the
firewall, is in the zone "fw", and should occur over the loopback interface.
This will catch clients trying to use squid directly and force them to use
dansguardian, so it's not a bad thing. FWIW, you could bind squid to the
loopback only and then none of the lan clients could contact squid directly.
Does it work if you leave this redirect out? It should, unless the browser
has proxy settings in it.

> Then, I needed to redirect requests on port 80 --> dansguardian:
>
> REDIRECT loc 8080 tcp 80
>
That one makes sense to me.

> Everything seems hunky-dory now.
> Jerry
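An added example, not code from the thread or from Shorewall itself: a small Python model of first-match evaluation over Shorewall-style REDIRECT lines, to make the ordering point above concrete. It assumes the simplified column layout ACTION SOURCE DEST PROTO DPORT (for REDIRECT, DEST is the local port traffic is sent to) and a rules file containing nothing but the lines quoted in the thread.

```python
# Added example (not Shorewall's own code): a toy first-match evaluator for
# Shorewall-style REDIRECT lines (ACTION SOURCE DEST PROTO DPORT), showing why
# rule order decides whether LAN port-80 traffic reaches dansguardian (8080)
# or slips straight to squid (3128), bypassing the content filter.
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str
    source: str  # zone, e.g. "loc" or "fw"
    dest: str    # for REDIRECT: local port the traffic is sent to
    proto: str
    dport: str   # original destination port

def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"unsupported rule line: {line!r}")
        rules.append(Rule(*fields))
    return rules

def redirect_target(rules, zone: str, proto: str, dport: int) -> Optional[int]:
    """Local port the first matching REDIRECT sends the packet to, or None."""
    for r in rules:
        if (r.action == "REDIRECT" and r.source == zone
                and r.proto == proto and int(r.dport) == dport):
            return int(r.dest)  # first match wins; later rules are never seen
    return None

# Constructed rule sets: the stale squid rule left ahead of the new one,
# versus the intended single redirect to dansguardian.
STALE_ORDER = """
REDIRECT loc 3128 tcp 80   # old transparent-squid rule still first
REDIRECT loc 8080 tcp 80   # new dansguardian rule, never reached
"""
FIXED_ORDER = """
REDIRECT loc 8080 tcp 80   # LAN web traffic goes to dansguardian first
"""

def lan_web_lands_on(rules_text: str) -> Optional[int]:
    return redirect_target(parse_rules(rules_text), "loc", "tcp", 80)

if __name__ == "__main__":
    print("stale order ->", lan_web_lands_on(STALE_ORDER))  # 3128: filter bypassed
    print("fixed order ->", lan_web_lands_on(FIXED_ORDER))  # 8080: filtered
```

Traffic from the "fw" zone (dansguardian talking to squid on the loopback) matches none of these loc-zone rules, which is the point made above about that redirect being unnecessary for the local hop.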