
Re: Re: Squid + DansGuardian + Bridging

On 20/09/2013 3:55 p.m., psd17j-jacob wrote:
>> Where is this bridge sitting in the network level?
>> Please share your situation in more details.
> Sure! So we have the NOC MDF > proxy (in through eth0) //bridge (out eth1)
> router > ComCast.
>
> Amos Jeffries-2 wrote
>> The proxy operates on top of the *routing* component of the kernel. As
>> you can note from the ebtables rules you have to bump the traffic out of
>> the bridge into routing systems for iptables rules to send to the proxy.
>> You may as well set up the box as a normal router (with VLAN routing) if
>> that is easier than to implement the bridging. With the correct ebtables
>> rules shifting traffic to routing the presence or absence of bridging
>> should be irrelevant to the proxy operation.
>>
>> Another thing adding complexity is your usage of DansGuardian. It is a
>> basic filtering proxy, not a fully-featured proxy like Squid. So things
>> like the iptables MARK and QoS TOS/DSCP values are not even passed
>> through it for Squid to make use of. This is simpler to fix since Squid
>> can do anything DG can (just differently) you can drop the DG component
>> entirely and just use Squid access controls.
>>
>> Amos
> Hi Amos,
>
> Thanks for your reply. I appreciate it. Basically I was simply following a
> few guides I had found online on how to set this up. My understanding was
> that you had to use vLAN tagging (the IP of br0 and br0.9 are on vLAN 9) but
> from what you are saying, I gather we can just use br0?
>
> The usage of DG was simply what was addressed in the guides I followed, and
> it seemed like a simple enough interface (via webmin) for the person who
> administers the deny/allow lists to access (he's 73 years old). If you have
> other suggestions please do let me know.
>
> Are there any obvious flaws you see with the way things are routed and
> brouted? Am I missing something?

I think so. The TPROXY guide contains the best ebtables rules for running Squid on a bridge (I'm not sure why this is missing from the other interception config examples - should be in all of them). You seem to be missing the DROP portion of the rules, and are also trying to pull IPv6 port details out of IPv4 packets. You need ebtables rules to handle IPv4 packets separately from IPv6 packets, with the matching version port details located specially in each rule.

http://wiki.squid-cache.org/Features/Tproxy4#ebtables_on_a_Bridging_device

Amos
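The bridge-side rules Amos is describing, written out as an added shell example that is not part of this thread or of the Squid project. It generates the four ebtables BROUTING rules in the shape the linked TPROXY wiki page uses (IPv4 and IPv6 handled by separate rules, each reading port details with the options of its own IP version, and the `--redirect-target DROP` that drops the frame out of bridging so the routing layer and iptables see it), and adds a small checker that flags the two mistakes named above: a missing DROP target and IPv4/IPv6 options mixed in one rule. The function names, the checker and the port-80 default are this example's own assumptions; the iptables TPROXY rules on the routing side are not included. By default it only prints the commands; applying them needs root, a working bridge, and `APPLY_RULES=1`.

```shell
#!/bin/sh
# Emit the ebtables rules that "broute" HTTP traffic off a bridge into the
# routing layer (the bridging part of the linked Squid TPROXY wiki setup).
# Each IP version gets its own rule pair: ebtables' --ip-* options only read
# IPv4 headers and --ip6-* options only read IPv6 headers, so mixing them
# (e.g. -p ipv4 with --ip6-dport) matches nothing.  Port defaults to 80.
emit_ebtables_rules() {
    port="${1:-80}"
    # IPv4 client->server and server->client, matched with --ip-* options
    printf 'ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport %s -j redirect --redirect-target DROP\n' "$port"
    printf 'ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport %s -j redirect --redirect-target DROP\n' "$port"
    # IPv6 client->server and server->client, matched with --ip6-* options
    printf 'ebtables -t broute -A BROUTING -p ipv6 --ip6-proto tcp --ip6-dport %s -j redirect --redirect-target DROP\n' "$port"
    printf 'ebtables -t broute -A BROUTING -p ipv6 --ip6-proto tcp --ip6-sport %s -j redirect --redirect-target DROP\n' "$port"
}

# Checker for one rule line (hypothetical helper, not an ebtables feature).
# Returns 0 only if the ethernet protocol match, the port/proto options and
# the DROP redirect target are all consistent; 1 otherwise.
check_ebtables_rule() {
    rule="$1"
    # 1. The rule must select exactly one IP version at the ethernet level.
    case "$rule" in
        *'-p ipv4 '*) fam=4 ;;
        *'-p ipv6 '*) fam=6 ;;
        *) return 1 ;;
    esac
    # 2. Without --redirect-target DROP the frame stays in the bridge and
    #    never reaches the iptables rules that hand it to Squid.
    case "$rule" in
        *'--redirect-target DROP'*) ;;
        *) return 1 ;;
    esac
    # 3. Port/proto options must belong to the same IP version as the match.
    case "$fam:$rule" in
        4:*'--ip6-'*) return 1 ;;
        6:*'--ip-'*) return 1 ;;
    esac
    # 4. Some port match must actually be present.
    case "$rule" in
        *'--ip-dport '*|*'--ip-sport '*|*'--ip6-dport '*|*'--ip6-sport '*) return 0 ;;
    esac
    return 1
}

# Run the checker over every generated rule; non-zero status on the first bad one.
check_all_rules() {
    emit_ebtables_rules "$1" | while IFS= read -r line; do
        check_ebtables_rule "$line" || { echo "bad rule: $line" >&2; exit 1; }
    done
}

# Print the rules (default), or apply them when APPLY_RULES=1 and ebtables exists.
if [ "${APPLY_RULES:-0}" = 1 ] && command -v ebtables >/dev/null 2>&1; then
    check_all_rules 80 && emit_ebtables_rules 80 | sh
else
    emit_ebtables_rules 80
fi
```

Run it as `sh broute-rules.sh` to review the commands first; `APPLY_RULES=1 sh broute-rules.sh` applies them as root. The checker is only a guard against typing the wrong option family; whether the bridge actually hands the packets to Squid still depends on the iptables TPROXY or REDIRECT rules and the policy-routing entries from the wiki page.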
