* packets traverse on proxy/firewall
@ 2005-01-11  5:37 Askar
  2005-01-11  6:28 ` Rob Sterenborg
  0 siblings, 1 reply; 2+ messages in thread
From: Askar @ 2005-01-11  5:37 UTC (permalink / raw)
  To: netfilter

Hello masters, I'm configuring firewall + proxy/cache server "squid" both
on the same machine for our client. I've got a few questions regarding
traversal of packets in this scenario.
Proxy is transparent (interception)

1) packets (port 80 requests) from client will traverse INPUT chain
not FORWARD chain right?

2) squid will fetch the content on behalf of the clients packet leave
cache/firewall machine via OUTPUT chain right?

3) which chains will packets traverse when the response is coming back from
Internet that is Internet ----> Cache --->Clients

Default policies for INPUT, OUTPUT, FORWARD will be DROP. In which
chains do I have to do filtering in either case, i.e.
Clients ----->Firewall/cache-----Internet and
Internet --->Firewall/cache----->Clients

regards

Askar

-- 
(after bouncing head on desk for days trying to get mine working, I'll make
your life a little easier)



* RE: packets traverse on proxy/firewall
  2005-01-11  5:37 packets traverse on proxy/firewall Askar
@ 2005-01-11  6:28 ` Rob Sterenborg
  0 siblings, 0 replies; 2+ messages in thread
From: Rob Sterenborg @ 2005-01-11  6:28 UTC (permalink / raw)
  To: 'netfilter'

netfilter-bounces@lists.netfilter.org wrote:
> Hello masters, I'm configuring firewall + proxy/cache server "squid" both
> on the same machine for our client. I've got a few questions regarding
> traversal of packets in this scenario.
> Proxy is transparent (interception)
> 
> 1) packets (port 80 requests) from client will traverse INPUT chain
> not FORWARD chain right? 

Yes, if:
- you do not allow a NATed connection from the clients (otherwise
clients that are not configured correctly will bypass Squid and use the
FORWARD chain),
- the client is configured to use the proxy, or if
- you redirect http traffic to port 80 to Squid, in which case you don't
need to configure the client.

> 2) squid will fetch the content on behalf of the clients packet leave
> cache/firewall machine via OUTPUT chain right?

Yes.

> 3) which chains will packets traverse when the response is coming back from
> Internet that is Internet ----> Cache --->Clients

(Not looking at connection states as you'd normally accept related and
established connections :)

Client asks for an http page from a webserver: it makes a connection to Squid
(INPUT).
Squid receives the request, decides to fetch the page and makes a
connection to the webserver (OUTPUT).
The webserver sends the requested page back to Squid (INPUT).
Squid sends the page back to the client (OUTPUT).

> Default policies for INPUT, OUTPUT, FORWARD will be DROP. In which
> chains do I have to do filtering in either case, i.e.
> Clients ----->Firewall/cache-----Internet and
> Internet --->Firewall/cache----->Clients


Gr,
Rob
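
An added example, not part of either message in this thread: a POSIX shell function that prints (does not apply) an iptables ruleset for the four legs described above, with default DROP policies on all three chains. The interface name eth1, the Squid port 3128 and the DNS rule are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules for Squid interception on the
# firewall host with default DROP policies. Interface name and Squid port are
# assumed values, not taken from the thread.
proxy_rules() {
    lan_if=$1       # client-facing interface (assumed: eth1)
    squid_port=$2   # Squid's interception port (assumed: 3128)
    # Reject anything that could smuggle extra shell into the generated rules.
    case $lan_if in ''|*[!A-Za-z0-9._-]*) echo "bad interface" >&2; return 1 ;; esac
    case $squid_port in ''|*[!0-9]*|??????*) echo "bad port" >&2; return 1 ;; esac
    if [ "$squid_port" -lt 1 ] || [ "$squid_port" -gt 65535 ]; then
        echo "bad port" >&2; return 1
    fi
    cat <<EOF
# Default policies: anything not matched below is dropped.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Loopback and replies on connections already accepted. These two state
# rules carry the return legs: webserver -> Squid (INPUT) and
# Squid -> client (OUTPUT).
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Leg 1, client -> Squid: REDIRECT rewrites the destination in PREROUTING,
# so the packet is delivered locally and INPUT sees the Squid port, not 80.
iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports $squid_port
iptables -A INPUT -i $lan_if -p tcp --dport $squid_port -m conntrack --ctstate NEW -j ACCEPT
# Leg 2, Squid -> webserver: locally generated, so OUTPUT. DNS is included
# on the assumption that Squid resolves names itself.
iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# No FORWARD rule for port 80: clients cannot bypass Squid through NAT.
EOF
}

proxy_rules eth1 3128
```

Review the printed rules before piping them to a root shell; the INPUT rule matches the Squid port because the redirect has already happened by the time the filter table sees the packet.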


