Re: transparent squid on Solaris+cisco.

From: CyberPsychotic <mlists@dont-contact.us>
Date: Sat, 28 Nov 1998 19:05:35 +0500 (KGT)

~
~ I also had the same problem on a Sun SS1000 Solaris 2.4 machine.
~
~ One thing I did that I haven't seen yet is that I went ahead and installed
~ tproxyd (with ip_filter support) and tried that. I got a lot of messages
~ in syslog about 'ioctl(SIOCGNATL) : no such process' (best approx. from
~ memory). I then installed tproxyd on a linux machine, redirecting to the
~ exact same squid setup, and it worked like a charm. My conclusion is that
~ ip_filters (this was version 3.2.9) has problems.

Yes. I would like to thank all the people on the list, and especially
Anthony Ryan <A.Ryan@Bradford.ac.uk> for directing me to the right
solution.

It looks like the TCP stack in ipfilter in version 3.2.9 and earlier is
broken in some way, which causes some RST, and FIN (not quite sure),
being shot, which are interpreted as end of connection or connection reset
by peer at the client site. I guess this note should go to the FAQ and
save a lot of people from headaches like this.

 Another thing about lo/eth0 is also correct. I was never able to use
lo addresses in NAT (RST packets were arriving for every SYN, as far as I
watched with snoop), so you should use ethernet addresses in nat instead
of lo. I was thinking that

rdr ETH.IP.AD.DR port 80 -> ETH.IP.AD.DR port 80 tcp

 should generate a loop.. well, it doesn't. Probably the packet is not checked
against NAT table entries (it passed by?) anymore.

~ as before (although sometimes it would work fine). Pretty much the same
~ as the original poster describes below.

For me it never worked. :) Even when I left lo in the rule above, and used
Ethernet for proxy, I was not able to connect to my http server.

thanks again to everyone.

--
fygrave@tigerteam.net		http://www.kalug.lug.net
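The symptom the poster diagnosed with snoop (an RST coming back for every SYN when the rdr rule pointed at a lo address) is easy to confirm mechanically. The following script is an added example, not code from the post or from the ipfilter or Squid projects: it parses snoop-style TCP summary lines, pairs each SYN with the reply it gets, and reports destinations whose SYNs are only ever answered with RST. The two captures are constructed samples in snoop's summary format, and the addresses, ports and sequence numbers are made up.

```python
"""Pair client SYNs with server replies in snoop-style summary lines and flag
destinations whose SYNs are always answered with RST, never with SYN-ACK.
Example added for illustration; sample lines below are constructed, not real."""
import re
from collections import defaultdict

# Constructed sample (not a real capture): every SYN to port 80 on
# 10.0.0.1 is answered with RST, the behaviour seen with a lo-addressed rdr.
SNOOP_BROKEN = """\
  1   0.00000  10.0.0.5 -> 10.0.0.1 TCP D=80 S=40001 Syn Seq=1000 Len=0 Win=8760
  2   0.00012  10.0.0.1 -> 10.0.0.5 TCP D=40001 S=80 Rst Ack=1001 Win=0
  3   0.50000  10.0.0.5 -> 10.0.0.1 TCP D=80 S=40002 Syn Seq=2000 Len=0 Win=8760
  4   0.50011  10.0.0.1 -> 10.0.0.5 TCP D=40002 S=80 Rst Ack=2001 Win=0
"""

# Constructed sample: the same client, but the handshake completes (SYN-ACK).
SNOOP_OK = """\
  5   1.00000  10.0.0.5 -> 10.0.0.1 TCP D=80 S=40003 Syn Seq=3000 Len=0 Win=8760
  6   1.00020  10.0.0.1 -> 10.0.0.5 TCP D=40003 S=80 Syn Ack=3001 Seq=9000 Len=0 Win=8760
"""

# snoop summary line: "<n> <time> <src> -> <dst> TCP D=<dport> S=<sport> <flags/fields>"
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+) -> (?P<dst>\S+)\s+TCP D=(?P<dport>\d+) S=(?P<sport>\d+)\s*(?P<rest>.*)$"
)


def parse_snoop(text):
    """Yield one dict per TCP summary line: src, dst, sport, dport, flags."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip non-TCP or unparseable lines
        rest = m.group("rest").split()
        # Bare words (Syn, Rst, Fin, ...) are flag names; snoop prints the ACK
        # flag as an "Ack=<n>" field, so detect it separately.
        flags = {tok for tok in rest if "=" not in tok}
        if any(tok.startswith("Ack=") for tok in rest):
            flags.add("Ack")
        yield {
            "src": m.group("src"), "dst": m.group("dst"),
            "sport": int(m.group("sport")), "dport": int(m.group("dport")),
            "flags": flags,
        }


def syn_outcomes(text):
    """Map (client, server, server_port) -> counts of SYNs sent, RSTs and SYN-ACKs received."""
    stats = defaultdict(lambda: {"syn": 0, "rst": 0, "synack": 0})
    pending = set()  # (client, cport, server, sport) of SYNs awaiting a reply
    for p in parse_snoop(text):
        if "Syn" in p["flags"] and "Ack" not in p["flags"]:
            stats[(p["src"], p["dst"], p["dport"])]["syn"] += 1
            pending.add((p["src"], p["sport"], p["dst"], p["dport"]))
            continue
        # A reply travels server -> client; look up the SYN it answers.
        answered = (p["dst"], p["dport"], p["src"], p["sport"])
        if answered not in pending:
            continue
        key = (p["dst"], p["src"], p["sport"])
        if "Rst" in p["flags"]:
            stats[key]["rst"] += 1
        elif "Syn" in p["flags"] and "Ack" in p["flags"]:
            stats[key]["synack"] += 1
        pending.discard(answered)
    return dict(stats)


def broken_redirects(text):
    """Destinations where every SYN drew an RST and none completed a handshake."""
    return sorted(
        key for key, s in syn_outcomes(text).items()
        if s["syn"] and s["rst"] == s["syn"] and s["synack"] == 0
    )


if __name__ == "__main__":
    for name, capture in (("broken", SNOOP_BROKEN), ("ok", SNOOP_OK)):
        print(name, syn_outcomes(capture), broken_redirects(capture))
```

In practice you would feed it `snoop -o`-style summary output saved from the proxy host (or any text in the same layout) and treat a non-empty result from broken_redirects as the signal that the rdr target, not Squid, is what is killing the connections.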
Received on Sat Nov 28 1998 - 07:03:38 MST
