On Thu, 10 Dec 2009 01:55:48 +0500, "Asim Ahmed @ Folio3" <aahmed@xxxxxxxxxx> wrote:
> Hi,

FWIW, what you are talking about is NAT interception, not true transparency. I'm trying to get people to clean up the talk since Squid-3 is now moving towards true 'tproxy' transparency plus NAT interception plus invisible proxy plus anonymous proxy modes. It gets _really_ confusing when many helpful responses come back assuming different particular modes.

> I need an expert opinion on best suitable setup for my requirement. I am
> running shorewall 4.4 on RHEL 5 for NATTING/FIREWALLING. I've installed
> SQUID-3.0STABLE20-1 on that same machine as well. Shorewall is
> REDIRECT-ing port 80 traffic to squid. Currently Squid was running in
> transparent mode until I found that almost all users were having very
> frequent breaks in internet. I configured client browsers with
> squid-server address as http proxy with port squid was running on. This
> worked and internet problem solved.
>
> My question is that is that a common problem with squid running in
> transparent mode with shorewall?

Not sure. Only a few people have asked here about shorewall + Squid issues in the last few years, the others were all solved by fixing configuration problems.

Shorewall is just a very abstracted script wrapper for iptables-restore, so there is no real reason why it should matter.

NAT interception has problems all of its own which you may be hitting regardless of shorewall.

> When I've configured client browsers with http proxy address, now it is
> no more a transparent proxy, is it?

Correct.

> so should I change it to
> non-transparent mode?

Yes, you should not have the normal (configured) clients going to the same port as intercepted requests.

I'm advising people who may need to retain the "transparent" mode to use a random port for the interception requests. Doing so will prevent regular proxy users from gaining access to the security bypass XSS vulnerabilities in transparent mode.

The high random port can be safely firewalled to increase security. Only the firewall doing REDIRECT or DNAT and Squid need to have access to it.

> What is the main advantage / drawback of running squid in
> transparent/non-transparent mode?

The big one is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0801

The smaller problems are additional processing of NAT, the regular NAT issues with IP mapping and loss of IP information in transit, doubling DNS load on the network (client does IP lookups, then squid does IP lookups), and older HTTP/1.0 and HTTP/0.9 clients which don't send the Host header being cut off from the Internet.

The benefits are that all the client software out there (still a lot) which has no actual proxy support can still work if it's only HTTP/1.0 enabled enough to send the Host header correctly.

Interception mode should be seen as a last-resort backup to the regular configuration methods: manual configuration, and WPAD/PAC "transparent" auto-configuration (yes, yet another meaning of the word "transparent").

Amos
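The split-port setup recommended above, as an added example that is not part of the thread: configured browsers keep the normal proxy port, intercepted port-80 traffic goes to a separate random high port, and that port is reachable only through the firewall's own REDIRECT. The interface name, port numbers and the use of raw iptables (rather than Shorewall's rules file) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread or the Squid project.
# Values below are assumptions; Shorewall users would put the equivalent
# REDIRECT line in their rules file instead of the raw iptables command.
LAN_IF="${LAN_IF:-eth1}"                       # inside interface (assumed)
PROXY_PORT="${PROXY_PORT:-3128}"               # port configured in browsers
INTERCEPT_PORT="${INTERCEPT_PORT:-31287}"      # random high port (assumed value)

# Weak setting (what the thread describes): one port serving both kinds of client,
#   http_port 3128 transparent
# so a configured browser can hand the intercept listener an arbitrary Host header.
# Corrected: two listeners, so configured clients never touch the intercept port.
# Squid 3.0 spells the option "transparent"; Squid 3.1 and later call it "intercept".
squid_ports() {
    echo "http_port ${PROXY_PORT}"
    echo "http_port ${INTERCEPT_PORT} transparent"
}

# iptables rules, printed so they can be reviewed before being applied.
nat_rules() {
    # Send LAN port-80 traffic to Squid's intercept port on this host.
    echo "iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --dport 80 -j REDIRECT --to-ports ${INTERCEPT_PORT}"
    # Anything arriving already addressed to the intercept port was not
    # redirected by us: drop it. mangle PREROUTING runs before nat, so packets
    # that really were redirected still carry dport 80 here and pass through.
    echo "iptables -t mangle -A PREROUTING -p tcp --dport ${INTERCEPT_PORT} -j DROP"
}

# "sh script.sh apply" loads the rules on the firewall; anything else only
# prints the squid.conf lines and the rules for inspection.
if [ "${1:-}" = "apply" ]; then
    nat_rules | sh
else
    echo "# squid.conf"; squid_ports
    echo "# iptables";   nat_rules
fi
```

Squid itself should then be the only local process bound to the intercept port, and the browsers' proxy setting continues to name the normal port.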