On my firewall (192.168.1.1) I have a non-transparent Squid (port 8080) and an Apache (port 80). I would like local (loc) www requests for local Apache content to not go through squid, but come from Apache direct. What I think I need to achieve this is a magical redirection on the firewall from 8080 (loc) to port 80, so that the request to Squid can actually be received by Apache. My first attempt at a rule to achieve this follows: #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # PORT PORT(S) DEST LIMIT GROUP REDIRECT loc 80 tcp - 8080 192.168.1.1 It doesn''t work. Hmmm. Despite Shorewall being one of the better documented packages I''ve come across I can''t work this one out. Any solutions? Regards Fog_Watch. ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Ian wrote:> On my firewall (192.168.1.1) I have a non-transparent Squid (port 8080) and an Apache (port 80). I would like local (loc) www requests for local Apache content to not go through squid, but come from Apache direct. > > What I think I need to achieve this is a magical redirection on the firewall from 8080 (loc) to port 80, so that the request to Squid can actually be received by Apache. My first attempt at a rule to achieve this follows: > #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ > # PORT PORT(S) DEST LIMIT GROUP > REDIRECT loc 80 tcp - 8080 192.168.1.1 > > It doesn''t work.You have the 8080 in the wrong column. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
>> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ >> # PORT PORT(S) DEST LIMIT GROUP >> REDIRECT loc 80 tcp - 8080 192.168.1.1 >> >> It doesn''t work. > >You have the 8080 in the wrong column. > >-TomTom, thanks for the reply. Please allow me to have another go at this. So I want to be able to point my browser at my proxy ($FW, port 8080) to get Internet, but still be able to get local http ($FW, port 80). I tried this in my rules: REDIRECT loc 80 tcp 8080 - 192.168.1.1 This redirects all traffic from 8080 to 80, not just the traffic that whose destination is 192.168.1.1. That is, all Internet traffic gets redirected to port 80 on the firewall. I can''t see anything in REDIRECT that can be used to redirect local (loc) traffic, but not Internet (net) traffic. Should I be using REDIRECT, or something different/completely different? Regards Fog_Watch. ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Ian wrote:> > Please allow me to have another go at this. > > So I want to be able to point my browser at my proxy ($FW, port 8080) > to get Internet, but still be able to get local http ($FW, port 80). > I tried this in my rules:> REDIRECT loc 80 tcp 8080 - 192.168.1.1> This redirects all traffic from 8080 to 80, not just the traffic that > whose destination is 192.168.1.1. That is, all Internet traffic gets > redirected to port 80 on the firewallOf course -- the firewall is a non-transparent proxy so all traffic to port 8080 is addressed to the firewall (192.168.1.1)> I can''t see anything in REDIRECT that can be used to redirect local > (loc) traffic, but not Internet (net) traffic. Should I be using > REDIRECT, or something different/completely different?A packet filter (such as Netfilter/Shorewall) cannot do what you are asking. The browsers themselves need to be configured to bypass the proxy when accessing your local web server. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642