stephen.dormido@sbgfc.org.ph
2003-Aug-08 22:43 UTC
[Shorewall-users] "Squid Running in the local network" -- question
Hi All,

I'm currently running RHat8(2.4.20-19.8) and shorewall-1.4.5-1 ... I have 2 Linux box and both have 2 LAN cards, eth0 (net) eth1 (loc) ... The primary server is our local gateway server and the second server is our transparent proxy server ... I have followed the instruction "Squid Running in the local network" and it works fine ... But I'm not sure what does "This setup may conflict with other aspects of your gateway" mean as it was not recommended by Tom as well ... What is compromised on the primary server if this was implemented ... I'm not sure either if what I have configured "Squid Running in the local network" is a good idea ...

My second server is our SecondaryDNS while our primary is the PrimaryDNS ... The current load on the primary server is quite heavy due to mails and other stuff so I have planned to transfer the squid proxy server to the secondary server.

Please advise if what I have done is correct and what is compromised due to this setup ... If this setup is not good, can anybody advise what is the better setup ? ... Thank you very much in advance and hope to hear from anybody ... c",)

Many Thanks n BRgds,
Stephen
Tom Eastep
2003-Aug-09 07:56 UTC
[Shorewall-users] "Squid Running in the local network" -- question
On Fri, 2003-08-08 at 22:43, stephen.dormido@sbgfc.org.ph wrote:
> Hi All,
>
> I'm currently running RHat8(2.4.20-19.8) and shorewall-1.4.5-1 ... I have
> 2 Linux box and both have 2 LAN cards, eth0 (net) eth1 (loc) ... The
> primary server is our local gateway server and the second server is our
> transparent proxy server ... I have followed the instruction "Squid
> Running in the local network" and it works fine ... But I'm not sure what
> does "This setup may conflict with other aspects of your gateway" mean as
> it was not recommended by Tom as well ... What is compromised on the
> primary server if this was implemented ... I'm not sure either if what I
> have configured "Squid Running in the local network" is a good idea ...

It doesn't compromise anything -- it simply complicates your life if you want to use fwmark for traffic shaping as you are already marking some packets for routing table selection.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Aug-09 08:20 UTC
[Shorewall-users] "Squid Running in the local network" -- question
On Sat, 2003-08-09 at 07:56, Tom Eastep wrote:
>
> It doesn't compromise anything -- it simply complicates your life if you
> want to use fwmark for traffic shaping as you are already marking some
> packets for routing table selection.
>

You know -- after I thought this over some more, I have no idea why I wrote that warning in as much as the DMZ setup has exactly the same characteristics. Given that, I'll remove the warning from the documentation.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
stephen.dormido@sbgfc.org.ph
2003-Aug-10 21:36 UTC
[Shorewall-users] "Squid Running in the local network" --question
Hi Tom,

Thank you so much for replying ... c",)

So far everything works fine ... I just noticed recently that accessing the web is quite slow compared when I'm running proxy on the Primary server ... Is this the down side of "Squid Running in the local network" ? or maybe I have misconfigured something ...

Just wanted to say as well Thank you for sharing Shorewall for the rest of us ... because it is the best software I've ever used ... c",)

Warm Regards,
Stephen

> On Fri, 2003-08-08 at 22:43, stephen.dormido@sbgfc.org.ph wrote:
>> Hi All,
>>
>> I'm currently running RHat8(2.4.20-19.8) and shorewall-1.4.5-1 ... I have
>> 2 Linux box and both have 2 LAN cards, eth0 (net) eth1 (loc) ... The
>> primary server is our local gateway server and the second server is our
>> transparent proxy server ... I have followed the instruction "Squid
>> Running in the local network" and it works fine ... But I'm not sure what
>> does "This setup may conflict with other aspects of your gateway" mean as
>> it was not recommended by Tom as well ... What is compromised on the
>> primary server if this was implemented ... I'm not sure either if what I
>> have configured "Squid Running in the local network" is a good idea ...
>
> It doesn't compromise anything -- it simply complicates your life if you
> want to use fwmark for traffic shaping as you are already marking some
> packets for routing table selection.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Aug-11 06:44 UTC
[Shorewall-users] "Squid Running in the local network" --question
On Sun, 2003-08-10 at 21:35, stephen.dormido@sbgfc.org.ph wrote:
> So far everything works fine ... I just noticed recently that accessing
> the web is quite slow compared when I'm running proxy on the Primary
> server ... Is this the down side of "Squid Running in the local network" ?
> or maybe I have misconfigured something ...

Probably the latter...

>
> Just wanted to say as well Thank you for sharing Shorewall for the rest of
> us ... because it is the best software I've ever used ... c",)
>

You're welcome.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Aug-11 07:36 UTC
[Shorewall-users] "Squid Running in the local network" --question
On Mon, 2003-08-11 at 06:44, Tom Eastep wrote:
> On Sun, 2003-08-10 at 21:35, stephen.dormido@sbgfc.org.ph wrote:
>
> > So far everything works fine ... I just noticed recently that accessing
> > the web is quite slow compared when I'm running proxy on the Primary
> > server ... Is this the down side of "Squid Running in the local network" ?
> > or maybe I have misconfigured something ...
>
> Probably the latter...
>

Although there have been cases in the past where this type of application (heavy local<->local traffic being passed through a single NIC on the firewall) uncovered problems in the local NIC or its driver that caused performance problems.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net