
Re: rewriting source and destination of local packets



On Wednesday, 23.03.2005 at 16:51 +0100, martin f krafft wrote:

> also sprach Dave Ewart <davee@sungate.co.uk> [2005.03.23.1602 +0100]:
> > I don't quite understand why you want to change the *source* address
> > too, in this situation.  It seems like you're trying to SNAT the machine's
> > interface IP address to 127.0.0.1?  Why?
> 
> So I can restrict squid to source IP 127.0.0.1, rather than having
> to `http_access allow all`, which is surely not what I want.

Ah, that's why.  Allowing squid to be globally accessed is not a good idea,
but you don't need to do that.  Why not just set squid to do

acl thishost src 1.2.3.4/255.255.255.255
acl localhost src 127.0.0.1/255.255.255.255
(1.2.3.4 being whatever its public IP is - I don't have the old message
from this thread to check)

http_access allow thishost
http_access allow localhost
http_access deny all

That will let squid listen on its loopback interface and on its normal
IP.

Tweaking the firewall rules to make traffic appear from the loopback
interface doesn't seem like the right solution - you *might* be able to
get it to work, but it doesn't sound like the right idea.  You might have
trouble getting the return traffic to work properly ... given that you
have clobbered both source and destination of the outgoing packets.

Dave.
-- 
Please don't CC me on list messages!
...
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
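A fuller version of the restriction described above, as an added example that is not from the thread: squid's src ACLs only decide who may use the proxy once a connection arrives, so the http_port lines are what actually keep it off every interface other than loopback and the host's own address. The port 3128 and the address 1.2.3.4 are assumptions (1.2.3.4 is the placeholder used in the reply above); the 255.255.255.255 netmask is the /32 notation squid accepts.

```conf
# Assumed squid.conf fragment (example, not the poster's configuration).
# Listen only on loopback and on the host's own public address; nothing
# here asks squid to bind 0.0.0.0, so other interfaces never see a listener.
http_port 127.0.0.1:3128
http_port 1.2.3.4:3128

# Source-address ACLs: the 'src' keyword is required in squid acl syntax.
acl localhost src 127.0.0.1/255.255.255.255
acl thishost  src 1.2.3.4/255.255.255.255

# Order matters: the first matching http_access line wins, so the
# explicit deny must come last and catches everything not listed above.
http_access allow localhost
http_access allow thishost
http_access deny all
```

With this in place there is no need for an iptables SNAT to 127.0.0.1: a local client connecting to either listening address already matches one of the two allow rules, and a connection from anywhere else is refused by the final deny.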
