On fre, 2008-10-10 at 00:19 +0200, Dalibor Dukic wrote:
> I have transparent SQUID proxy with L2/L3 switch redirecting HTTP
> traffic to proxy through GRE tunnel. Yesterday, I've noticed that SQUID
> box is sending strange packets (TCP RST) to destination web server in
> order to terminate connection. The problem is because these packets have
> source address from client address space (A.B.169.0/24). Since I'm not
> using TPROXY mechanism I would not expect any packet originating from
> squid box with source address from client range.
>
> I was doing packet capture on physical interface and GRE tunnel
> interface. I captured these strange packets on physical interface and in
> the same time in GRE tunnel also.
It's not from Squid, these packets are from the client, and because the
proxy server no longer knows about the connection the packet gets
forwarded.
You can avoid this if you disable ip forwarding on the proxy server, bu
you then also loose the ability to bypass interception at the proxy,
requiring any bypass rules to be in the router acl.
Regards
Henrik
This archive was generated by hypermail 2.2.0 : Fri Oct 10 2008 - 12:00:02 MDT