On 13/06/17 19:34, Matus UHLAR - fantomas wrote:
On 13/06/17 13:48, David Kewley wrote:
I want my clients to explicitly address squid as a proxy (not use
tproxy), but have squid spoof the source addresses in the forwarded
connection, so that further hops know the original source address
from the IPv4 headers.
I could find no indication that anyone else has done this, and when
I tried various things, I could not get it working.
Is this possible today? If not, is it worth considering as a future
feature? Or am I overlooking a reason that this cannot work even in
theory?
On 13.06.17 16:50, Amos Jeffries wrote:
It is not possible.
No, it is a terrible idea.
It is prohibited by the OS kernel as part of the anti-malware
protections, in this case to prevent the local machine being used to
attack its surrounding network nodes. And by Squid to make it harder
to use Squid as viral payload and damage the brand reputation.
For me to fully understand (I was curious about this some time ago),
it is
allowed to fake clients' IPs when intercepting their connections, but not
when connections are done to proxy server directly?
Yes.
What's the difference that makes it more terrible than spoofing IPs of
intercepted connections?
If you take a close look at the packets you should see the incoming ones
as (client-IP:server-IP:server-port) and outgoing from Squid has
identical (client-IP:server-IP:server-port). Only the src-port differs.
- As far as the rest of the network is concerned Squid is acting as if
it were a TCP router. The kernel is also configured as a router in order
to do TPROXY, so the whole environment except for the proxy and a few
rules in the networking stack is setup for routing.
By comparison, without TPROXY the incoming packets have
(client-IP:client-port:squid-IP:squid-port) and the server connection
packets would have (client-IP:random-port:server-IP:server-port). The
machine is setup as a server host, not a router. Which is where Ingress
and Egress Filtering both stomp on it hard for using other machines IPs.
PS. if you spoof (with or without TPROXY) and have not implemented
BCP-38 ingress filtering (AND its equivalent egress filtering) on your
network then you are part of the DoS attack system, guaranteed, whether
you know it or not. Very likely you will _not_ be aware of it because
all the information you can log or gather from TCP is spoofed (duh!) and
appears to be your own innocent clients doing things that clients tend
to do (NTP lookups? DNS lookups? sending email? using HTTP? sure no harm
there ... unless it wasn't them).
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users