Dear all,
I have 2 interface cards on my Proxy server.
Traffic from internal will redirect out to the external interface.
Anyone knows how to identify which session for the incoming traffic is
mapped to the outgoing session on proxy. My incoming
traffic is PAT (Port Address Translated), the access.log is not helpful as
it only provide the "same" source IP address (without the ports).
I couldn't tell from "netstat -na" command either, as it just give me a list
of address and port established.
Thank you,
Andy
----- Original Message -----
From: "Andy Low" <andy@bgp5.net>
To: "Alberto Sierra" <albertux@gmail.com>
Cc: <squid-users@squid-cache.org>
Sent: Wednesday, December 08, 2004 9:30 AM
Subject: [squid-users] Tough: NAT port translation
> Hi Alberto,
>
> Thank you for your suggestion.
>
> For you information, I have 2 different Internet connections. One for
> surfing and the second dedicated is for other puposes (like SMTP, FTP
etc).
>
> The surfing link is connected via Squid while the dedicated Internet link
is
> connected through the FW other interface (the default gateway is
configured
> via this link). If I were to use what you proposed, I will have difficulty
> redirecting the traffic properly at the FW, the FW cannot perform source
> routing and cannot redirect which traffic for surfing (HTTP/ HTTPS) or
which
> traffic for (FTP, SMTP).
>
> By placing Squid in the external side of FW, I can redirect traffic to
Squid
> based on the user's web client proxy settings. I also can redirect traffic
> to the other link for application which cannot support proxy (as well
using
> the dedicated link).
>
> Back to my previous question, anyone knows how to identify which session
for
> the incoming traffic is mapped to the outgoing session on proxy. My
incoming
> traffic is PAT (Port Address Translated), the access.log is not helpful as
> it only provide the "same" source IP address (without the ports).
>
> Thanks,
>
> Andy
>
> ----- Original Message -----
> From: "Alberto Sierra" <albertux@gmail.com>
> To: "Andy Low" <andy@bgp5.net>
> Sent: Wednesday, December 08, 2004 1:29 AM
> Subject: Re: [squid-users] NAT port translation
>
>
> > hi andy, im pretty confused with your setup, because is pretty hard to
> > identify PAT translation slots even from the firewall itself, but,
> > what i'd like to ask you, from a security point of view, and for your
> > mental health too, why dont you move the squid to inside the "trusted"
> > perimeter and have the requests from the squid to go patted or natted
> > through the firewall?? then you'd kill two birds with one shot, you're
> > protecting your squid cache, plus keeping track of what your users do.
> > like this:
> >
> > localnet <---> squid <---> firewall <---> internet
> >
> > Alberto Sierra
> >
> >
> > On Mon, 6 Dec 2004 22:04:02 +0800, Andy Low <andy@bgp5.net> wrote:
> > > Hi,
> > >
> > > I have the following setup:
> > >
> > > Users <---> FW <---> Squid <---> Internet
> > >
> > > 1) The firewal (FW) interface, facing Squid is configure with PAT.
> > > 2) Squid is listening at port 8080.
> > >
> > > When I execute "netstat -na" on squid, I see a lot of session
> established
> > > from FW to Squid and Squid to Internet.
> > >
> > > May I know to identify the actual session from FW to Internet. Take
note
> my
> > > FW is doing a PAT.
> > >
> > > This is what appear in "netstat -na":
> > >
> > > Squid IP address facing FW -- 10.10.10.2
> > > FW IP address facing squid -- 10.10.10.1
> > > Squid External IP address facing Internet -- 10.10.20.1
> > > Internet IP address are public IPs
> > >
> > > Local Address -- Foreign Address
> > > 10.10.10.2:8080 -- 10.10.10.1:12312
> > > 10.10.10.2:8080 -- 10.10.10.1:22341
> > > 10.10.10.2:8080 -- 10.10.10.1:33810
> > > 10.10.10.2:8080 -- 10.10.10.1:33879
> > > ...
> > > 10.10.20.1:22091 -- InternetIP1:12312
> > > 10.10.20.1:22092 -- InternetIP2:22341
> > > 10.10.20.1:22093 -- InternetIP3:33810
> > > 10.10.20.1:22109 -- InternetIP4:33879
> > > ..
> > >
> > > My access.log access logs are not help, all I can is only the FW IP
> address
> > > (10.10.10.1) (PAT).
> > > 1231231231.004 5678 10.10.10.1 TCP_MISS ......
> > > 1231231567.020 23 10.10.10.1 TCP_MISS ......
> > > 1231231688.027 69 10.10.10.1 TCP_MISS ......
> > > 1231231899.004 430 10.10.10.1 TCP_MISS ......
> > >
> > > Is there a way to find out how Squid translate internally, meaning
> session
> > > from "10.10.10.1:22341" is the same session for "10.10.20.1:22092".
> > >
> > > Thanks,
> > >
> > > Andy
> > >
> > >
>
Received on Wed Dec 08 2004 - 20:59:29 MST
This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:02 MST