Re: Discriminate client requests from transparent proxy requests?


 




How about adjusting TOS values on the packets using those created ACLs? That would probably make identification easier/possible on routing layers, your routers included.

You can specify a specific TOS value for your 'normal proxy' port and another one for your 'transparent proxy'.

But you're right, I didn't catch your idea and, maybe, my answer was for a different scenario than yours. But I think that using the transparent port ACL and adjusting TOS on those packets, you could catch that on your routers.



From http://www.squid-cache.org/Doc/config/tcp_outgoing_tos/:

    Allows you to select a TOS/Diffserv value for packets outgoing
    on the server side, based on an ACL.

    tcp_outgoing_tos ds-field [!]aclname ...

    Example where normal_service_net uses the TOS value 0x00
    and good_service_net uses 0x20

    acl normal_service_net src 10.0.0.0/24
    acl good_service_net src 10.0.1.0/24
    tcp_outgoing_tos 0x00 normal_service_net
    tcp_outgoing_tos 0x20 good_service_net

    TOS/DSCP values really only have local significance - so you should
    know what you're specifying. For more information, see RFC2474,
    RFC2475, and RFC3260.

    The TOS/DSCP byte must be exactly that - an octet value 0 - 255, or
    "default" to use whatever default your host has. Note that in
    practice often only multiples of 4 are usable as the two rightmost bits
    have been redefined for use by ECN (RFC 3168 section 23.1).

    Processing proceeds in the order specified, and stops at first fully
    matching line.


On 19/12/12 16:33, Jack Bates wrote:
Thank you, but what I want is for our *router* to be able to tell the difference between requests from clients to origin servers (and intercept these) and requests from our transparent proxy to origin servers (and not intercept these). I'm wondering what options there are to do this because our proxy makes "transparent" requests to origin servers, with the same source address as the request from the client.

I think what you're describing instead is how the *proxy* can tell the difference between requests that were intercepted and requests that were explicitly sent to the proxy.



--


	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	My SPAM trap, do NOT send email to it
	gertrudes@xxxxxxxxxxxxxx
	My SPAMTRAP, do not email it
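The following is an added example, not code from this thread, from Squid or from netfilter. It models the scheme Leonardo describes: the proxy marks the server-side connections of intercepted requests with a TOS/DSCP value via tcp_outgoing_tos, and a Linux router exempts packets carrying that mark from interception, which is what lets the router tell a client's request apart from the proxy's upstream request for it even though both carry the same source address. The ACL name, port numbers, interface names, fwmark and routing table are assumptions; the TOS value 0x20 is the one from the quoted Squid documentation.

```python
"""Added example (assumptions throughout): proxy-side TOS marking and the
matching router-side exemption, plus a Python model of the router decision."""

PROXY_TOS = 0x20   # TOS byte the proxy sets; value taken from the squid doc example
TOS_MASK = 0xFC    # DSCP bits only; the two low bits are ECN (RFC 3168) and may change in transit


def dscp_of(tos):
    """Convert a TOS byte to its 6-bit DSCP code point, dropping the ECN bits."""
    return (tos & TOS_MASK) >> 2


def squid_config(tos=PROXY_TOS, intercept_port=3129, explicit_port=3128):
    """squid.conf fragment (assumed ports and ACL name): only requests that
    arrived on the intercept port get the mark on their server-side connection.
    'myportname' is matched against the http_port name, which defaults to the
    port specification."""
    return "\n".join([
        f"http_port {explicit_port}",
        f"http_port {intercept_port} intercept",
        f"acl from_intercept myportname {intercept_port}",
        f"tcp_outgoing_tos 0x{tos:02X} from_intercept",
        "tcp_outgoing_tos default all",
    ])


def router_rules(tos=PROXY_TOS, proxy_if="eth1", client_if="eth0", fwmark=1, table=100):
    """Rules for a Linux router that steers port-80 traffic to the proxy with a
    fwmark and a policy-routing table (assumed setup). Order matters: the
    exemption must precede the MARK rule, and it is tied to the proxy-facing
    interface so a client cannot opt out of interception by setting the DSCP
    itself; DSCP from the client side is cleared first for the same reason."""
    dscp = dscp_of(tos)
    return [
        f"iptables -t mangle -A PREROUTING -i {client_if} -p tcp --dport 80 -j DSCP --set-dscp 0",
        f"iptables -t mangle -A PREROUTING -i {proxy_if} -p tcp --dport 80 -m dscp --dscp {dscp} -j RETURN",
        f"iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark {fwmark}",
        f"ip rule add fwmark {fwmark} lookup {table}",
    ]


def should_intercept(pkt, tos=PROXY_TOS, proxy_if="eth1"):
    """Router decision modelled in Python with the same logic as router_rules():
    intercept client HTTP requests, pass the proxy's own upstream requests."""
    if pkt["proto"] != "tcp" or pkt["dport"] != 80:
        return False
    marked = dscp_of(pkt["tos"]) == dscp_of(tos)
    if pkt["iif"] == proxy_if and marked:
        return False   # the proxy's server-side request, do not re-intercept
    return True


# Constructed sample packets: the proxy's request reuses the client's source address.
CLIENT_REQ = {"proto": "tcp", "src": "10.0.0.5", "dport": 80, "tos": 0x00, "iif": "eth0"}
PROXY_REQ = {"proto": "tcp", "src": "10.0.0.5", "dport": 80, "tos": 0x20, "iif": "eth1"}
PROXY_ECN = {"proto": "tcp", "src": "10.0.0.5", "dport": 80, "tos": 0x22, "iif": "eth1"}  # ECN bits set in transit
SPOOF_MARK = {"proto": "tcp", "src": "10.0.0.5", "dport": 80, "tos": 0x20, "iif": "eth0"}  # client sets the mark itself

if __name__ == "__main__":
    print(squid_config())
    print("\n".join(router_rules()))
    for name, pkt in [("client", CLIENT_REQ), ("proxy", PROXY_REQ),
                      ("proxy+ecn", PROXY_ECN), ("spoofed mark", SPOOF_MARK)]:
        print(f"{name:13s} intercept={should_intercept(pkt)}")
```

Two points the model makes explicit: the match is on the DSCP bits only, so ECN marking by intermediate hops does not break the exemption, and the exemption is bound to the proxy-facing interface, because TOS has only local significance and any host on the client side could otherwise set the same value to escape interception.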


