Hi

Sorry, missing something here. I thought this was a MikroTik rtr, presumably acting as a default gateway for the local LAN to the internet. It has a DNAT rule to capture all internet traffic that is port 80 (and presumably at some point in time port 443) and it DNATs it to the Squid box. And there needs to be a special rule on the DGW to allow Squid access out to the internet without resending it back to the Squid and creating a loop. From memory, that's how I used to do this. Unless the DGW is large enough to run Squid, then DNAT to the local box and on to Squid.

Why would there be a DoS for Squid on another box? The only resources I can think of are the NAT table, maybe conntrack.

Alex

On 26 June 2015 at 22:49, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 27/06/2015 12:14 a.m., Alex Samad wrote:
>> aren't squid and nat box different ? that was my presumption..
>>
>
> Best not to.
>
> The dst-IP:port on the TCP packets entering the Squid machine is where
> Squid will send the outgoing server requests. If that dst-IP is the IP
> of the Squid machine itself you get into big DoS-level trouble really fast.
>
> Amos
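The arrangement both messages describe, as an added example that is not part of the thread: the interception NAT lives on the Squid host itself, so the original dst-IP survives in conntrack, and Squid's own outbound connections are exempted so they are never handed back to Squid (the loop Amos warns about and the "special rule" Alex remembers). Assumed values: the router policy-routes LAN port-80 traffic to this host unchanged (no DNAT at the router), the LAN is 192.168.1.0/24, Squid runs as user "proxy" and listens with `http_port 3129 intercept`; all of these are hypothetical and adjustable via the variables.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): iptables rules on the Squid
# host for a transparent HTTP intercept that cannot loop back into Squid.
# Assumed, hypothetical values; override them in the environment as needed.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SQUID_USER="${SQUID_USER:-proxy}"
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"   # matches "http_port 3129 intercept"

# DRY_RUN=1 (the default) prints each rule instead of applying it,
# so the rule set can be reviewed before it is installed.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

intercept_rules() {
    # 1. LAN traffic forwarded through this host to port 80 is redirected to
    #    Squid's intercept port. REDIRECT records the original dst-IP in
    #    conntrack, which is where Squid learns the real origin server.
    run -t nat -A PREROUTING -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$INTERCEPT_PORT"
    # 2. Squid's own outbound requests leave via the OUTPUT chain. Return
    #    early for the squid uid so they are never redirected back into
    #    Squid, which is the self-connection loop described in the thread.
    run -t nat -A OUTPUT -m owner --uid-owner "$SQUID_USER" -j RETURN
    # 3. Any other locally originated port-80 traffic can still be intercepted.
    run -t nat -A OUTPUT -p tcp --dport 80 \
        -j REDIRECT --to-ports "$INTERCEPT_PORT"
}

# Number of REDIRECT rules the script would install (2 when correct).
count_redirects() {
    DRY_RUN=1 intercept_rules | grep -c REDIRECT
}

# Number of loop-prevention (owner match) rules (1 when correct).
count_owner_exemptions() {
    DRY_RUN=1 intercept_rules | grep -c -- "--uid-owner $SQUID_USER"
}
```

Run it once with the default DRY_RUN=1 to inspect the rules, then DRY_RUN=0 as root to apply them; the owner-match RETURN must precede the OUTPUT REDIRECT or the exemption never fires.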