From: Brian M. Diehl <bdiehl@a1...> - 2004-09-24 18:07:59
> squid uses port 3128, but your policy rules permit port 8080
I updated the rules as I saw this right after I posted. However, things
still are not working "correctly".
I am reasonably sure that the firewall is set up correctly. I believe it
is now a problem with squid itself.
The proxy machine is now at least seeing the packets.
Brian M. Diehl wrote:
>>squid uses port 3128, but your policy rules permit port 8080
>I updated the rules as I saw this right after I posted. However, things
>still are not working "correctly".
>I am reasonably sure that the firewall is set up correctly. I believe it
>is now a problem with squid itself.
>The proxy machine is now at least seeing the packets.
I would run tcpdump on the proxy machine to see if it answers and with
what. Sometimes squid ACLs block requests. Another thing is routing on
the proxy machine: its default route should point at the firewall.
One more thing, and I think this is it, is that you do not translate the
source address of packets in the NAT rule that you quoted. This means
the client on 192.168.0.0 sends a request to the server out on the
internet with address N.N.N.N, the firewall redirects it to the squid
box, which sees the TCP SYN packet coming from the client's real IP on
192.168.0.0. Squid needs to establish a TCP session with the client, so it
replies with a TCP SYN-ACK back to it. The client, however, expects the SYN-ACK
packet from the server it was talking to, which has address N.N.N.N, so
the client drops the SYN-ACK coming from squid.
You need to modify the NAT rule to translate the source address as well as the
destination. This will make squid answer back to the firewall, which
will translate the addresses and send the packet back to the client. The NAT
rule will look like this:
OSrc = 192.168.0.0/16
ODst = !192.168.0.0/16
OSrv = 80
TSrc = Firewall's internal interface object or its address object
TDst = 192.168.0.13
TSrv = 3128 (Proxy Port) - "squid" service object from the "standard"
This is actually explained in the Users Guide in the chapter "NAT back
to the same subnet"
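To make the SYN/SYN-ACK argument in the reply above concrete, here is an added example (not code from the original thread, from fwbuilder, or from squid) that models the three hosts and the NAT rule in a few dozen lines of Python and runs the exchange once without and once with source translation. All addresses are constructed: 192.168.0.50 is the client, 198.51.100.10 stands in for N.N.N.N, 192.168.0.13:3128 is the squid box as in the thread, and 192.168.0.1 is assumed to be the firewall's internal interface. The packet and conntrack model is a deliberate simplification of netfilter (source ports are never rewritten), and the iptables lines are my own rendering of the rule, not what fwbuilder would generate.

```python
"""Why transparent squid redirection needs source NAT when squid sits on
the client subnet: a minimal model of client, firewall and proxy.
Constructed example; addresses and the netfilter behaviour are simplified."""
from dataclasses import dataclass, replace

CLIENT = ("192.168.0.50", 40000)     # constructed LAN client
SERVER = ("198.51.100.10", 80)       # stands in for N.N.N.N (constructed)
SQUID = ("192.168.0.13", 3128)       # the proxy box from the thread
FW_INTERNAL = "192.168.0.1"          # firewall's internal address (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "SYN" or "SYN-ACK"


def in_lan(ip):
    return ip.startswith("192.168.")


class Firewall:
    """The NAT rule: OSrc=192.168.0.0/16, ODst=!192.168.0.0/16, OSrv=80,
    TDst=192.168.0.13, TSrv=3128, and optionally TSrc=FW_INTERNAL.
    A conntrack-style table lets replies be de-translated."""

    def __init__(self, translate_source):
        self.translate_source = translate_source
        self.conntrack = {}   # reply 4-tuple -> original SYN

    def forward(self, pkt):
        # Original direction. Squid's own outbound requests are exempted,
        # otherwise the /16 match would redirect the proxy to itself.
        if (in_lan(pkt.src) and pkt.src != SQUID[0] and not in_lan(pkt.dst)
                and pkt.dport == 80 and pkt.flags == "SYN"):
            new = replace(pkt, dst=SQUID[0], dport=SQUID[1])
            if self.translate_source:
                new = replace(new, src=FW_INTERNAL)
            self.conntrack[(new.dst, new.dport, new.src, new.sport)] = pkt
            return new
        # Reply direction: undo both translations if we have state for it.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            orig = self.conntrack[key]
            return Packet(orig.dst, orig.dport, orig.src, orig.sport, pkt.flags)
        return pkt


def squid_reply(syn):
    """Squid answers the SYN it received, addressed to whoever sent it."""
    return Packet(syn.dst, syn.dport, syn.src, syn.sport, "SYN-ACK")


def client_accepts(synack):
    """The client socket is bound to CLIENT <-> SERVER; any other 4-tuple
    is dropped (a real stack would answer with RST)."""
    return (synack.src, synack.sport, synack.dst, synack.dport) == (
        SERVER[0], SERVER[1], CLIENT[0], CLIENT[1])


def run(translate_source):
    """Return (client accepted?, SYN-ACK as the client saw it)."""
    fw = Firewall(translate_source)
    syn = Packet(CLIENT[0], CLIENT[1], SERVER[0], SERVER[1], "SYN")
    synack = squid_reply(fw.forward(syn))
    # Same-subnet delivery: squid sends straight to the SYN's source. Only
    # when that source is the firewall does the reply get de-translated.
    if synack.dst == FW_INTERNAL:
        synack = fw.forward(synack)
    return client_accepts(synack), synack


def iptables_rules(translate_source):
    """Raw iptables rendering of the same rule (my assumption of the compiled
    form; fwbuilder's generated script looks different)."""
    rules = [
        # exempt the proxy's own traffic from the redirect
        "iptables -t nat -A PREROUTING -s 192.168.0.13 -j ACCEPT",
        "iptables -t nat -A PREROUTING -s 192.168.0.0/16 ! -d 192.168.0.0/16 "
        "-p tcp --dport 80 -j DNAT --to-destination 192.168.0.13:3128",
    ]
    if translate_source:
        rules.append(
            "iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -d 192.168.0.13 "
            f"-p tcp --dport 3128 -j SNAT --to-source {FW_INTERNAL}")
    return rules


if __name__ == "__main__":
    for snat in (False, True):
        ok, pkt = run(snat)
        print(f"source NAT={snat}: client accepted={ok}, saw {pkt}")
```

Running it shows the failure mode from the reply: without source translation the client receives a SYN-ACK from 192.168.0.13:3128, which matches no socket it owns, so the handshake never completes; with it, squid's reply goes to the firewall, which rewrites it back to 198.51.100.10:80 and the client accepts it. The exemption for 192.168.0.13 as a source is my own addition: the /16 in OSrc otherwise also covers the proxy's own requests to port 80, which would be redirected straight back to it.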