Hello all,

I'm reading the nice documentation about shorewall with multi isp. And I wonder about squid (non transparent) and shorewall.

Can I use on the same machine, squid with ldap ident, dansguardian, and shorewall with multi-isp (four or five) ? Perhaps there is a problem because squid masks the source IP, shorewall can maintain and load balance sessions for the same source IP ?

Thanks

Fred

On 31/05/12 06:54, FredB wrote:
> Hello all,
>
> I'm reading the nice documentation about shorewall with multi isp. And I wonder about squid (non transparent) and shorewall
> Can I use on same machine, squid with ldap ident, dansguardian, and shorewall with multi-isp (four or five) ? Perhaps there is a problem because squid mask source IP, shorewall can maintain and load balance sessions for the same source IP ?
>
> Thanks Fred
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Yes, I have squid 3.1.9 with tproxy and Shorewall on the same machine running 3 Internet providers, 2 of them in the same interface, and I have no problems.

Regards

>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
> Yes, i have squid 3.1.9 with tproxy and Shorewall on the same machine
> running 3 Internet providers, 2 of them in the same interface, and i
> have no problems.
>
> Regards

Thanks for the answer but tproxy is a transparent proxy, no ?
My question is about full proxy, I always found documentation with transparent mode but I need a listen port

Regards

Fred

Hi All

On 06/01/12 09:04, FredB wrote:
>>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>>
>> Yes, i have squid 3.1.9 with tproxy and Shorewall on the same machine
>> running 3 Internet providers, 2 of them in the same interface, and i
>> have no problems.
>>
>> Regards
>
> Thank for the answer but tproxy is a transparent proxy, no ?
> My question is about full proxy, I found always documentation with transparent mode but I need a listen port

I have a customer with a 2 isp connection setup and a normal squid proxy on the firewall itself. One of the customer's requirements at this time is to only use the one isp link for web browsing.

This link
http://www.shorewall.net/Shorewall_Squid_Usage.html#Manual
gives you two examples of what you would need! The second applies to squid on the firewall.

If you need to tell squid to use a specific isp then
http://www.shorewall.net/MultiISP.html#Applications
is the place to read. There is a little section that tells you what to change in the squid.conf file. Works like a wiz for me! I have a script the customer can run to swap what isp squid will use.

You really need to read through the docs as it is all there!

Cheers

Ang

--
Angela Williams
angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com
Smile! Yeshua Loves You!

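An ISP-swap script of the kind mentioned in the message above could look like the sketch below. It is an added example, not the poster's script and not part of the thread. It assumes the squid.conf setting in question is Squid's `tcp_outgoing_address` directive, present exactly once; the function names and the documentation-range addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes squid.conf contains exactly
# one tcp_outgoing_address line and that each ISP has its own local IP.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1 }'
}

# swap_squid_isp CONF NEW_IP: rewrite tcp_outgoing_address to NEW_IP and
# print the previous address. CONF is left untouched on any error.
swap_squid_isp() {
    conf=$1
    new_ip=$2
    is_ipv4 "$new_ip" || { echo "bad address: $new_ip" >&2; return 2; }
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 3; }
    # Refuse to guess when the directive is missing or appears more than once.
    count=$(awk '$1 == "tcp_outgoing_address" { n++ } END { print n + 0 }' "$conf")
    [ "$count" -eq 1 ] || { echo "found $count tcp_outgoing_address lines" >&2; return 4; }
    old_ip=$(awk '$1 == "tcp_outgoing_address" { print $2 }' "$conf")
    tmp=$(mktemp) || return 5
    if sed -E "s/^([[:space:]]*tcp_outgoing_address[[:space:]]+)[^[:space:]]+/\1$new_ip/" \
            "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"    # overwrite in place: keeps owner and mode
        rm -f "$tmp"
        echo "$old_ip"
    else
        rm -f "$tmp"
        return 5
    fi
}

# demo: run the swap on a constructed squid.conf (documentation addresses).
demo() {
    sample=$(mktemp) || return 1
    printf '%s\n' 'http_port 3128' '# upstream source address' \
        'tcp_outgoing_address 192.0.2.10' > "$sample"
    swap_squid_isp "$sample" 198.51.100.10 && cat "$sample"
    rm -f "$sample"
}

if [ "${1:-}" = demo ]; then demo; fi
```

After a successful swap on the real configuration file, `squid -k reconfigure` makes the running proxy reread it.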
> I have a customer with 2 isp connection setup and a normal squid proxy
> on the firewall itself.One of the customers requirements at this time is
> to only use the one isp link for web browsing.
>
> This link
> http://www.shorewall.net/Shorewall_Squid_Usage.html#Manual
> Gives you two examples of what you would need! The second applies to
> squid on the firewall.
>
> If you need to tell squid to use a specific isp then
> http://www.shorewall.net/MultiISP.html#Applications
> Is the place to read. There is a little section that tells you what to
> chnage in the squid.conf file. Works like a wiz for me! I have a script
> the customer can run to swap what isp squid will use.
>
> You really need to read through the docs as it is all there!
>
> Cheers
>
> Ang

Hi Angela,

Yes I had read this documentation before - Shorewall_Squid_Usage.html - but there is no word about multi ISP, and I only found multi ISP documentation with transparent proxy.

So if you had tried with two ISP and it works, good.

My concern is about the good repartition of connection, did you try with two simultaneous ISP ? There is a good share ? and no break with persistent connections like https ?

Thanks for your help

Hi Fred!

On 06/01/12 11:02, FredB wrote:
> Hi Angela,
> Yes I had read this documentation before - Shorewall_Squid_Usage.html - but there is no word about multi ISP, and I only found multi ISP documentation with transparent proxy.
> So If you had tried with two ISP and it works, good
> My concern is about the good repartition of connection, did you try with two simultaneous ISP ? There is a good share ? and no break with persistent connections like https ?
>
> Thanks for your help

Squid at my customer site only ran in multi isp mode for a short period - a few days! - and I saw no problems. Someone else mentioned good success with a 3 isp connection and only 2 of those being used for squid and they seemed quite happy!

Only problem I have ever had with squid to multi links was when the multi links were behind a BigIP box. Https traffic was a no no! BigIP's needed special tweaks to make it work.

The documentation for manual squid and multi isp is all there! There is nothing fancy and anyway. Just let the traffic out really. Maybe Tom could have called the little section "Normal or Authenticated Squid" but Manual is fine with me!

The Transparent and TPROXY solutions need special rules. Transparent needs the normal http/https packets redirected to squid's normal port 3128 and TPROXY uses sort of the same but the "redirection" is done differently!

If you are using another server for ldap queries you might need a rule or two. Just depends on how secure you have made shorewall to the LOCAL zone!

I hope this helps a bit!

Cheers

Ang

--
Angela Williams
angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com
Smile! Yeshua Loves You!