On 13/06/17 13:48, David Kewley wrote:
I want my clients to explicitly address squid as a proxy (not use
tproxy), but have squid spoof the source addresses in the forwarded
connection, so that further hops know the original source address
from the IPv4 headers.
I could find no indication that anyone else has done this, and when
I tried various things, I could not get it working.
Is this possible today? If not, is it worth considering as a future
feature? Or am I overlooking a reason that this cannot work even in
theory?
On 13.06.17 16:50, Amos Jeffries wrote:
It is not possible.
No, it is a terrible idea.
It is prohibited by the OS kernel as part of the anti-malware
protections, in this case to prevent the local machine being used to
attack its surrounding network nodes. And by Squid to make it harder
to use Squid as viral payload and damage the brand reputation.
For me to fully understand (I was curious about this some time ago), it is
allowed to fake clients' IPs when intercepting their connections, but not
when connections are done to proxy server directly?
What's the difference that makes it more terrible than spoofing IPs of
intercepted connections?
--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
