[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rewriting source and destination of local packets

On Wednesday, 23.03.2005 at 16:51 +0100, martin f krafft wrote:

> also sprach Dave Ewart <davee@sungate.co.uk> [2005.03.23.1602 +0100]:
> > I don't quite understand why you want to change the *source* address
> > too, in this situation.  It seems like you trying to SNAT the machines
> > interface IP address to  Why?
> So I can restrict squid to source IP, rather than having
> to `http_access allow all`, which is surely not what I want.

Ah, that's why.  Allow squid to be globally accessed is not a good idea,
but you don't need to do that.  Why not just set squid to do

acl thishost (or whatever it's public IP is - I don't have the
old message from this thread to check)
acl localhost

http_access allow thishost
http_access allow localhost
http_access deny all

That will let squid listen on its loopback interface and on its normal

Tweaking the firewall rules to make traffic appear from the loopback
interface doesn't seem like the right solution - you *might* be able to
get it to work, but it doesn't sound like the right idea.  You might have
trouble getting the return traffic to work properly ... given that you
have clobbered both source and destination of the outgoing packets.

Please don't CC me on list messages!
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92

Attachment: signature.asc
Description: Digital signature

Reply to: