I am using squid and dansguardian on the same FreeBSD 5.4 server. Dansguardian -> Squid -> Internet Squid is configured with x-forwarded-for patch and the acl work fine as I can see in the Delay pools. However, this is not the case with tcp_outgoing_address squid does not follow the X_Forwarded_For. If anyone is interested I was testing the performance of a PIII with 550MHz, 128MB ram, 40 GB IDE-HDD. A friend of mine who is in the ISP business wanted to see how much clients we are able to support with such a heavly-loaded server. The server performed very well with FreeBSD and Squid then we added Dansguardian with little los in performance. Squid was tested with 100+ clients (IPs) with delay pools then we switched to intercepting mode and Dansguardian did well in intercepting the request while squid's delay pools managed the bandwidth. Then my friend had this crazy idea about making our proxy "invisible" to the inside/outside world. So after following Henrik Nordstrom's advice I configured squid to deny use tcp_outgoing_address assigned to private IP's then we nated those to the 100+ client IP's. After configuring the server with a virtual interface (using netgraph on FreeBSD) and adding 100+ aliases (the private IPs to be NATed to the REAL ones), I restarted the server. Dansguardian intercepted the requests but IPNAT showed nothing. I stopped Dansguardian and switched squid to intercepting mode and everything was fine. Squid used the private IPs as tcp_outgoing_addresses and IPNAT nated them back to REAL IPs. Dansguardian has nothing to do with the problem as I mentioned earlier since with it running in front of squid the delay pools follow the X-Forwarded-For quite well. PS: I wish my English teacher would see this post and admit that I deserved more than a 'C'. Oh well High School is 12 years behind me now. -- Kind regards Abu Khaled
