Re: [squid-users] WCCP, Squid, and that darn PIX

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 15 Jun 2001 21:27:27 +0200

Tim Wolfe wrote:
>
> I think the one case you missed it what is occurring in this case. Which
> would be where the proxy is on an inside interface of the firewall (but not
> the same inside as the client who is behind a different inside interface.)
> So essentially the firewall sees the same network session (web server ->
> client) originate both from the outside interface (real web server to squid)
> and from the dmz interface (squid to client) which triggers the antispoofing
> rules.

I did not account for DMZ, no. The reasoning still applies, except that
things get even more restricted.

Assuming redirection is done outside then you have the following
problems:

* WCCP traffic cannot reach the host in the DMZ unless you open a big
fat hole from the outside to the DMZ.

* The firewall is likely to complain about spoofing on return traffic to
the client, as the source address is not that of the DMZ, and is not
coming back on the same firewall interface as the traffic was originally
sent.

There are some funny things you can try in this case. It might be
possible to use a second interface on the proxy with a dummy IP (or no IP
at all), and connect this interface on the outside of the firewall. Then
use some routing tricks (involving a static ARP entry on the proxy for
the firewall's external IP) to have return traffic routed back the
correct way while still having a limited firewall protection of the
proxy. However, it is most likely simpler to use two firewalls, or do
the redirection inside of the firewall to a proxy on the inside.

--
Henrik Nordstrom
Squid Hacker
Received on Fri Jun 15 2001 - 13:56:57 MDT
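As an added illustration (not part of this thread or of Squid), the following Python model applies a strict reverse-path ("anti-spoofing") check of the kind Henrik describes to a constructed three-interface firewall; the address ranges, interface names and flows are assumed, and show why the DMZ proxy's return traffic carrying the web server's source address is flagged while an inside proxy using its own address is not.

```python
import ipaddress

# Constructed topology (assumed, not from the thread): a firewall with the
# client LAN on "inside", Squid on "dmz", and the web server reachable via
# the default route on "outside".
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "inside"),    # client LAN
    (ipaddress.ip_network("192.168.50.0/24"), "dmz"),   # Squid's segment
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),     # default route
]

def expected_interface(src_ip, routes=ROUTES):
    """Longest-prefix match: the interface the firewall would use to reach src_ip."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]

def rpf_check(ingress_iface, src_ip, routes=ROUTES):
    """Strict reverse-path check: accept only if the packet arrived on the
    interface the firewall would route the source address back out of.
    Returns True when accepted, False when flagged as spoofed."""
    return expected_interface(src_ip, routes) == ingress_iface

def classify_flows(flows, routes=ROUTES):
    """Run each (ingress_iface, src_ip, dst_ip, label) through the check."""
    return {label: rpf_check(iface, src, routes) for iface, src, dst, label in flows}

# Constructed flows for the two designs discussed in the thread.
FLOWS = [
    # Redirection outside: Squid in the DMZ answers the client using the
    # origin server's address, so the reply enters on "dmz" with an
    # "outside" source.
    ("outside", "203.0.113.10", "192.168.50.5", "server->squid (real reply)"),
    ("dmz",     "203.0.113.10", "10.1.0.20",    "squid->client (spoofed src)"),
    # Redirection inside: the proxy on "inside" talks with its own address.
    ("inside",  "10.1.0.250",   "203.0.113.10", "inside-proxy->server"),
    ("outside", "203.0.113.10", "10.1.0.250",   "server->inside-proxy"),
]

if __name__ == "__main__":
    for label, ok in classify_flows(FLOWS).items():
        print(f"{label:32s} {'accepted' if ok else 'FLAGGED as spoofed'}")
```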