On Monday 12 July 2004 4:12 pm, Gavin Hamill wrote:

> On Monday 12 July 2004 14:38, Antony Stone wrote:
> > Yes. Just use DNAT, and make sure the Squid box is not on the same
> > subnet as the clients (so that it has to send the replies back through
> > the firewall).
>
> Ah OK, I was hoping to avoid that since the machine that runs Squid is also
> an NFS server and various other things...

How about *configuring* the clients so they use the proxy "properly" instead of doing transparent redirection?

Then you can keep the Squid box on the same subnet as the clients, and still block people trying to do TCP port 80 straight through the firewall (only one source IP is allowed - the Squid box).

You also get the benefit that they can do FTP over HTTP proxying too, which you can't do transparently...

Regards,

Antony.

-- 
The truth is rarely pure, and never simple.

 - Oscar Wilde

Please reply to the list; please don't CC me.
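The two firewall designs discussed in this thread, as an added example that is not part of the original messages: a function that emits the FORWARD rules for the "explicit proxy" design (only the Squid box may open TCP 80/443 to the outside; anyone else trying to go straight through is logged and reset), and one that emits the transparent DNAT variant for comparison. The interface names, the 192.168.1.10 address used in the usage note, and Squid's 3128 listening port are assumptions. The DNAT rule excludes the Squid box's own source address so that Squid's upstream fetches are not redirected back into itself; the reason the earlier reply insists the Squid box sit on a different subnet in that design is that the un-DNAT of the reply happens on the firewall, so if Squid can answer a client directly on the LAN the client sees a reply from Squid:3128 instead of from the origin server:80 and resets the connection.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits iptables rules for the
# two designs discussed; nothing is applied unless you pipe the output to sh.
# Interface names, addresses and Squid's port (3128) are assumptions.

# Explicit-proxy design: clients are configured to use Squid, and the
# firewall lets only the Squid box reach web ports directly.
#   $1 = Squid box IP, $2 = LAN interface, $3 = WAN interface
explicit_proxy_rules() {
    squid_ip=$1; lan_if=$2; wan_if=$3
    cat <<EOF
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan_if -o $wan_if -s $squid_ip -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i $lan_if -o $wan_if -p tcp -m multiport --dports 80,443 -j LOG --log-prefix "proxy-bypass: "
iptables -A FORWARD -i $lan_if -o $wan_if -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
EOF
}

# Transparent design from the earlier reply: DNAT port-80 traffic from the
# LAN to Squid. Squid's own address is excluded so its outbound fetches are
# not looped back into it.
#   $1 = Squid box IP, $2 = LAN interface, $3 = Squid port (default 3128)
transparent_redirect_rules() {
    squid_ip=$1; lan_if=$2; squid_port=${3:-3128}
    cat <<EOF
iptables -t nat -A PREROUTING -i $lan_if ! -s $squid_ip -p tcp --dport 80 -j DNAT --to-destination $squid_ip:$squid_port
iptables -A FORWARD -i $lan_if -d $squid_ip -p tcp --dport $squid_port -j ACCEPT
EOF
}

# Sanity check on an emitted ruleset: the per-source ACCEPT for the Squid box
# must appear before the catch-all REJECT, or the proxy itself is cut off.
# Returns 0 when the order is correct, 1 otherwise.
check_order() {
    printf '%s\n' "$1" | awk '
        /-j REJECT/ && !seen_accept { exit 1 }
        /-s .* -j ACCEPT/           { seen_accept = 1 }
    '
}

# Usage (review first, then apply):
#   explicit_proxy_rules 192.168.1.10 eth0 eth1
#   explicit_proxy_rules 192.168.1.10 eth0 eth1 | sh
```

With the explicit design the clients need to be told about the proxy (browser proxy settings, or `http_proxy=http://192.168.1.10:3128/` and `ftp_proxy=http://192.168.1.10:3128/` in the environment for command-line tools), which is also what gives them FTP-over-HTTP through Squid. The LOG rule before the REJECT is there so attempts to bypass the proxy show up in the kernel log with the `proxy-bypass:` prefix rather than silently failing.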