Hi,

I want to forward ports 21 and 443 to my squid. A simple rule (dnat) didn't help me. My http port (only 80) is forwarded to my squid. It runs fine. Here I have used the HowTo from Tom and the hints from http://lartc.org/.
I want to do the same with port 21 as port 80.

My network:

Shorewall:
eth0 net (192.168.108.1)
eth1 dmz (192.168.109.1)
eth2 loc (192.168.110.1)
eth3 loc1 (192.168.111.1)

squid 192.168.109.2

I want all traffic (21,443,80 etc) from loc to net to go through squid automatically.
If I use the proxy entries in my browser it works very well, but I think that some of the people here will delete the entries in the browser and so on; I need it to work automatically.

Regards from Menki.

God uses LINUX!

Michael Menkhoff wrote:
> Hi,
>
> I want to forward ports 21 and 443 to my squid. A simple rule (dnat) didn't
> help me.

It's very unclear what you mean by that.

> My http port (only 80) is forwarded to my squid. It runs
> fine. Here I have used the HowTo from Tom and the hints from
> http://lartc.org/.
> I want to do the same with port 21 as port 80.
>
> My network:
>
> Shorewall:
> eth0 net (192.168.108.1)
> eth1 dmz (192.168.109.1)
> eth2 loc (192.168.110.1)
> eth3 loc1 (192.168.111.1)
>
> squid 192.168.109.2
>
> I want all traffic (21,443,80 etc) from loc to net to go through squid
> automatically.
> If I use the proxy entries in my browser it works very well, but I
> think that some of the people here will delete the entries in the browser and
> so on; I need it to work automatically.
>

You *cannot* transparently proxy HTTPS. Think about it for a minute; if HTTPS could be transparently proxied, would *you* want to use it for sending sensitive personal or financial information?????

Another point -- if you don't want people to bypass your proxy then why don't you just add rules to prevent them from doing so:

REJECT loc net tcp 443,21

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Michael Menkhoff wrote:
> For example I could be running a transparent ftp proxy on the squid machine. Here will be the same problem, isn't it?
>

I don't know if FTP will work transparently or not -- does the Squid documentation say that it will work?

-Tom

> Michael Menkhoff wrote:
>> For example I could be running a transparent ftp proxy on the squid
>> machine. Here will be the same problem, isn't it?
>>
> I don't know if FTP will work transparently or not -- does the Squid
> documentation say that it will work?
>
> -Tom

Hi Tom,

it looks like so....

Squid runs as transparent proxy. If I make entries in the browser, only the network addresses, not the ports, all traffic, also FTP, runs over the squid. It isn't the question whether the transparent proxy is named squid or other software.

If I go the direct way via network address in the browser, the way through squid is correct. I can see it in the browser window, but if there are no entries in the browser, it should also go.

Sorry Tom, if I am not really as good as you with iptables and such stuff.

Regards
Menki

Michael Menkhoff wrote:
>
> it looks like so....
>
> Squid runs as transparent proxy. If I make entries in the browser, only the network addresses, not the ports, all traffic, also FTP, runs over the squid. It isn't the question whether the transparent proxy is named squid or other software.
>
> If I go the direct way via network address in the browser, the way through squid is correct. I can see it in the browser window, but if there are no entries in the browser, it should also go.
>
> Sorry Tom, if I am not really as good as you with iptables and such stuff.

Can anyone on the list understand what Michael is saying/asking? I can't...

Also, does anyone have any experience with Squid and Transparent proxying of FTP? I really don't want to spend my Sunday playing with Squid....

-Tom

On Sun, 17 Oct 2004 18:13:38 +0200 Michael Menkhoff <mmenkhoff@gmx.net> wrote:
> > Michael Menkhoff wrote:
> >> For example I could be running a transparent ftp proxy on the squid
> >> machine. Here will be the same problem, isn't it?
> >>
> > I don't know if FTP will work transparently or not -- does the Squid
> > documentation say that it will work?

Just on an aside, I have run across transparent proxies specifically for FTP. Never tried one though.
Also, I would assume squid would do FTP transparent somehow since it does FTP non-transparent. But then, it also does HTTPS non-transparent.......

Mark II

-- END
-----------------------------------
TechieM2 (Mark D. Montgomery II)
https://techiem2.no-ip.com
techiem2@techiem2.net
Isaiah 40:28-31
-----------------------------------
Nobody ever died from oven crude poisoning.
-----------------------------------

Hi Tom, Hello Michael,

maybe this can help:

"Note that this document focuses only on HTTP proxying. I get many emails asking about transparent FTP proxying. Squid can't do it. Now, allegedly a program called Frox can. I have not tried this myself, so I cannot say how well it works. You can find it at http://www.hollo32.fsnet.co.uk/frox/. "

Taken from http://www.faqs.org/docs/Linux-mini/TransparentProxy.html

Alex

Even a better link, official Squid documentation:

http://squid.visolve.com/squid/trans_caching.htm

Take a look at the IP-Masquerading section. FTP / SSL in transparent mode DOESN'T work

HTH,
Alex

Alexander Wilms wrote:
> maybe this can help:
>
> "Note that this document focuses only on HTTP proxying. I get many emails
> asking about transparent FTP proxying. Squid can't do it.

Thanks, Alex! I suspected that this was the case...

-Tom

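Why the port-80 redirect works while the same redirect for ports 443 and 21 cannot, seen from the proxy's side; this is an added example, not part of the original thread or of Squid or Shorewall. The function name, the field names and the sample payloads are constructed for illustration.

```python
# Added illustration (not from the thread). All payloads below are constructed.

def first_bytes_view(data: bytes) -> dict:
    """Describe what a proxy can read from the first client bytes of a
    TCP connection that the firewall redirected to it."""
    if not data:
        # FTP: the server speaks first (220 banner), so a redirected client
        # sends nothing that tells the proxy which server was intended.
        return {"kind": "silent-client", "request_readable": False, "host": None}
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        # TLS handshake record (type 22, major version 3): the HTTP request
        # only follows later, inside the encrypted session.
        return {"kind": "tls", "request_readable": False, "host": None}
    head = data.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        host = None
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            if sep and name.strip().lower() == b"host":
                host = value.strip().decode("ascii", "replace")
        # Plain HTTP: method, path and Host are visible, so the proxy can
        # rebuild the URL and fetch it on the client's behalf.
        return {"kind": "http", "request_readable": True, "host": host}
    return {"kind": "unknown", "request_readable": False, "host": None}


# Constructed samples: what arrives first from the client on ports 80, 443, 21.
SAMPLES = {
    80: b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    443: bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + b"\x00" * 46,
    21: b"",
}


def survey(samples=SAMPLES) -> dict:
    """Map each redirected port to what the proxy could read from it."""
    return {port: first_bytes_view(data) for port, data in samples.items()}


if __name__ == "__main__":
    for port, view in survey().items():
        print(port, view)
```
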
> I really don't want to spend my Sunday playing with
> Squid....
>
> -Tom

Thx for helping. :-(
I also really don't want to suspend my Sunday playing with squid.

Michael

> Date: Mon, 18 Oct 2004 08:32:16 +0200
> From: Michael Menkhoff <mmenkhoff@gmx.net>
> Subject: Re: [Shorewall-users] Transparent Squid in DMZ
>
>> I really don't want to spend my Sunday playing with
>> Squid....
>
>> -Tom
>
> Thx for helping. :-(
> I also really don't want to suspend my Sunday playing
> with squid.
>
> Michael

Michael, it is preferable to be patient and to better explain what you're trying to do. The fact is that this mailing list is Shorewall-specific. Obviously, your query is related to iptables and shorewall but you can't expect everyone *HERE* to be "squid-aware". So please try to get the most out of BOTH squid AND shorewall mailing lists.

Regards.