Mon 2003-09-01 at 10:04, cc wrote:
> Henrik Nordstrom wrote:
>
> > Don't NAT, just route the packets via a different route (policy
> > routing).
>
> What do you mean?

What I say. If you want to redirect packets from a router to a cache server do so by routing. DO NOT USE NAT for the purpose. If you use NAT then you will lose functionality.

* Destination NAT breaks HTTP/1.0 clients
* Source NAT breaks access controls.

Routing does not change the packets, and thus does not break anything assuming all packets belonging to the same session are routed properly.

> I'm in the midst of recompiling the kernel with Connmark module
> enabled. Perhaps this might be able to help me figure this transparent
> proxy out.

See Linux advanced routing howto for information on Linux policy routing, and the CONNMARK documentation on how to use CONNMARK.

What CONNMARK adds which is not possible without is the ability to set a mark on connections, not only packets. This allows the route policy to apply to ICMP traffic etc belonging to the same session allowing Path-MTU discovery to function.

Regards
Henrik
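
A sketch of the CONNMARK plus policy-routing setup the message describes, added here as an example; it is not from the original message or from the Squid project. The interface names, cache address, mark value and routing table number are all assumptions.

```shell
#!/bin/sh
# Added example: send port-80 sessions to a cache by routing, with no NAT.
# Every value below is an assumed, constructed placeholder.
LAN_IF=${LAN_IF:-eth1}            # interface the clients arrive on
CACHE_IF=${CACHE_IF:-eth2}        # interface the cache server sits behind
CACHE_IP=${CACHE_IP:-192.0.2.10}  # cache server (documentation address)
MARK=${MARK:-1}                   # firewall mark for redirected sessions
TABLE=${TABLE:-100}               # routing table used only for marked traffic

# Print the commands in the order they must be applied.
policy_route_cmds() {
cat <<EOF
iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 80 -m mark --mark 0 -j MARK --set-mark $MARK
iptables -t mangle -A PREROUTING -i $LAN_IF -m mark --mark $MARK -j CONNMARK --save-mark
ip route add default via $CACHE_IP dev $CACHE_IF table $TABLE
ip rule add fwmark $MARK iif $LAN_IF lookup $TABLE
EOF
}
# Line 1: copy the connection's mark onto each packet from the client side.
#         ICMP errors that conntrack relates to a marked session get the
#         mark here too, so they follow the session to the cache.
# Line 2: mark still-unmarked port-80 traffic from clients.
# Line 3: store the packet mark on the connection for later packets.
# Line 4: the alternate table's only route points at the cache.
# Line 5: only marked packets entering on the client interface use that
#         table, so the cache's own outbound requests and its replies to
#         clients are routed normally.
# The mark is kernel-side metadata: no header of the packet is rewritten.

if [ "${APPLY:-0}" = 1 ]; then
    policy_route_cmds | sh -e     # needs root; applies the rules for real
else
    policy_route_cmds             # default: dry run, print only
fi
```

The cache host must itself be configured to accept packets addressed to other servers, which this sketch does not cover. Strict reverse-path filtering (`rp_filter=1`) on the router's cache-facing interface can drop the cache's replies to clients, because they carry the origin server's address as source.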