Re: [squid-users] Selecting source port on squid's requests

From: Andrei Boros <andrix@dont-contact.us>
Date: Tue, 17 Dec 2002 14:32:31 +0200

Dan Cave wrote:
>
> Andrei
>
> If you can, find out from your firewall admin if you can point your squid
> cache at the firewall's internal facing address on an internet facing port,
> you can then use the cache_peer like this.
>
> cache_peer <ip of firewall> parent <port> 0 no-query default

I really don't understand what this will do coupled with the firewall...

What do you mean by "internal facing address _on_ a internet facing
port" ?

As I understand, squid would want to use the firewall's internal ip:port
as a parent cache? How will this connect to origin servers then?

> this will make your squid cache talk to the internet via your firewall.
 
> I don't believe that you can configure squid to use a specific range of IP
> ports for outgoing requests as this is something that's handled in the ip
> stack and by portmapper, the above directive will achieve this for you.
I was afraid there wasn't support for anything like this in squid.

> With regards to netfilter, are you doing transparent proxying between your
> clients and your IP filter/squid proxy to the firewall? I'm not clear on
> this?
No transparent proxy.

> > How can I configure squid with acl based source port ranges for the
> > requests squid makes to origin servers?
> >
> > Squid has the feature "tcp_outgoing_address" for selecting source IP for
> > outgoing packets to servers and other caches.
> >
> > System is linux.
> > I would like something like the following:
> >
> > acl net1 src 1.2.3.0/24
> > acl net2 dst 2.3.4.0/24
> > ... etc
> >
> > # using same notation as delay pool restore/max value
> > tcp_outgoing_ports 10000/10999 allow net1
> > tcp_outgoing_ports 11000/11999 allow net2
> >
> > On Linux /proc/sys/net/ipv4/ip_local_port_range defines the range of
> > source ports automatically assigned to a tcp/udp packet if the source port
> > is not specifically defined by the application.
> > I want squid to use, for connections it makes to servers and other
> > caches, ports in user-defined ranges, on acl rules.
> >
> > Reason for this is the following:
> > - squid is behind a firewall
> > - firewall is on another machine.
> > - firewall uses multiple ISPs and does policy routing and traffic
> > control.
> >
> > I have a squid proxy that serves some clients behind it and it can
> > connect to the internet only through the firewall described above.
> > I have 1 ip on squid and I can't touch it.
> > I have to make a clear differentiation that is distinguishable at packet
> > level by netfilter between different types of traffic handled by squid.
> > Since rules include both destination networks and source networks
> > (behind squid) and some url_regex (mainly cgi stuff), the above
> > workaround is the only solution I could come up with that will make
> > traffic generated by squid distinguishable to ipchains/iptables/tc
> > filter...
> >
> > Any suggestions are welcome.
> >
> > Thank you.
> >
> > --
> > Choose not to choose! Let Micro$oft do it for you!
> > Or... the Penguin shall set you free...
> > ------
> > Andrix
> > E-mail: mailto:andrix@fx.ro
> > Web : http://members.tripod.com/andrei_b

-- 
Choose not to choose! Let Micro$oft do it for you!
Or... the Penguin shall set you free...
------
Andrix
E-mail: mailto:andrix@fx.ro
Web   : http://members.tripod.com/andrei_b
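The thread asks for an acl-driven "tcp_outgoing_ports" directive that squid does not have. The snippet below is an added illustration, not code from squid or from anyone in the thread: it emulates in userspace what such a directive would do, mapping a client's source network to a port range (the same hypothetical net1/net2 ranges quoted above, constructed here) and then pinning the source port with an explicit bind() before the outgoing connection, instead of letting the kernel pick one from ip_local_port_range. The ACL table, function names and the fallback behaviour are assumptions for the example.

```python
import ipaddress
import socket

# Constructed ACL table in the spirit of the proposed (non-existent) squid syntax:
#   tcp_outgoing_ports 10000/10999 allow net1
#   tcp_outgoing_ports 11000/11999 allow net2
ACL_PORT_RANGES = [
    ("net1", ipaddress.ip_network("1.2.3.0/24"), (10000, 10999)),
    ("net2", ipaddress.ip_network("2.3.4.0/24"), (11000, 11999)),
]


def select_port_range(client_ip):
    """First-match ACL lookup on the client's source address.

    Returns (acl_name, (lo, hi)); (None, None) means no rule matched, so the
    caller should leave port selection to the kernel's ip_local_port_range.
    """
    addr = ipaddress.ip_address(client_ip)
    for name, net, port_range in ACL_PORT_RANGES:
        if addr in net:
            return name, port_range
    return None, None


def bind_outgoing_socket(port_range, local_addr="0.0.0.0"):
    """Create a TCP socket whose source port lies inside port_range.

    Ports already in use are skipped; the first free port wins. Returns
    (socket, port). The caller would normally call connect() next, so the
    origin server (and any firewall in between) sees this source port.
    """
    lo, hi = port_range
    for port in range(lo, hi + 1):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind((local_addr, port))
            return sock, port
        except OSError:
            sock.close()  # port busy, try the next one in the range
    raise RuntimeError("no free source port in range %d-%d" % (lo, hi))


def outgoing_port_for(client_ip):
    """Demonstrate the full path: ACL match -> pinned source port.

    Returns (acl_name, port). The socket is closed again immediately because
    this is only a demonstration; a real proxy would connect() with it.
    """
    name, port_range = select_port_range(client_ip)
    if port_range is None:
        return None, None
    sock, port = bind_outgoing_socket(port_range)
    sock.close()
    return name, port


if __name__ == "__main__":
    for ip in ("1.2.3.4", "2.3.4.250", "9.9.9.9"):
        print(ip, "->", outgoing_port_for(ip))
```

With the source port pinned this way, the firewall can classify squid's traffic by TCP source port range (for example an iptables or tc filter match on the range) without squid needing a second IP. One caveat for the firewall side: match on the source port before any NAT rule rewrites it, since a source NAT is free to pick a different port when the original one collides with an existing mapping, and exhaust-resistance matters too: a range of 1000 ports caps the number of simultaneous connections per ACL, so size each range for the expected load.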
Received on Tue Dec 17 2002 - 05:35:21 MST
