On Fri, Jan 14, 2005 at 12:10:08PM -0500, Payal Rathod wrote:
> On Fri, Jan 14, 2005 at 10:55:49AM -0500, Jason Opperisano wrote:
> > yeah--the same thing that everyone misses when they try and DNAT onto
> > the same local network:
> >
> > 1) client (192.168.0.100) sends TCP SYN to 192.168.0.10 port 3128
> > 2) proxyA (192.168.0.10) DNATs the packet to 192.168.0.11
> > 3) proxyB (192.168.0.11) receives SYN from 192.168.0.100 and replies
> >    directly with SYN/ACK
> > 4) client (192.168.0.100) receives SYN/ACK from 192.168.0.11 and drops
> >    it, as client never sent a SYN to 192.168.0.11.
> >
> > sound familiar? it feels familiar to me as i type it once again.
>
> Will it help, if I move the second squid proxy to the DMZ in
> 10.10.10.3?

yes, because then the traffic is routed through the firewall.

just out of curiosity, is 192.168.0.10 your firewall?

-j

--
"I saw weird stuff in that place last night. Weird, strange, sick,
twisted, eerie, godless, evil stuff. And I want in."
 --The Simpsons
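
The four steps above and the DMZ alternative, modelled as an added example that is not part of the original messages. The addresses and port come from the thread; the /24 prefix lengths, the function names, and the premise that the DNAT box is also the router between LAN and DMZ are assumptions.

```python
import ipaddress

# Addresses are from the thread; the /24 prefix lengths are assumptions.
NETWORKS = [ipaddress.ip_network("192.168.0.0/24"),   # LAN
            ipaddress.ip_network("10.10.10.0/24")]    # DMZ


def on_same_network(a, b):
    """True if both hosts share a subnet, so they talk directly without routing."""
    a, b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    return any(a in net and b in net for net in NETWORKS)


def dnat_handshake(client, nat_box, backend, port=3128):
    """Trace a SYN and its SYN/ACK through a DNAT box; return (accepted, trace).

    Assumption: nat_box is also the router between LAN and DMZ, so any
    reply that leaves the backend's subnet passes back through it.
    """
    trace = []
    # 1) The client opens a connection to the only address it knows about.
    expected_peer = (nat_box, port)
    trace.append(f"SYN     {client} -> {nat_box}:{port}")

    # 2) The NAT box rewrites the destination and remembers the mapping.
    conntrack = {(client, backend, port): nat_box}
    trace.append(f"DNAT    {client} -> {backend}:{port}")

    # 3) The backend sees the client's real address and answers it.
    reply_src = backend
    if on_same_network(backend, client):
        trace.append(f"SYN/ACK {backend}:{port} -> {client} direct, NAT box bypassed")
    else:
        # A routed reply crosses the NAT box, which restores the original address.
        reply_src = conntrack[(client, backend, port)]
        trace.append(f"SYN/ACK {backend}:{port} -> {client} via NAT box, source now {reply_src}")

    # 4) The client only accepts a SYN/ACK from the peer it sent the SYN to.
    accepted = (reply_src, port) == expected_peer
    trace.append("client accepts" if accepted else f"client drops: no SYN was sent to {reply_src}")
    return accepted, trace


if __name__ == "__main__":
    for backend in ("192.168.0.11", "10.10.10.3"):
        ok, steps = dnat_handshake("192.168.0.100", "192.168.0.10", backend)
        print(f"backend {backend}: {'handshake completes' if ok else 'handshake fails'}")
        print("\n".join("  " + s for s in steps))
```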