Chris Keladis wrote:
> One thing that is still not clear to me is in the second line of the
> aforementioned rules. Why does it check the source IP address to
> "pass-thru" requests on port 80, shouldn't it be a -D switch to check based
> ipfwadm -I -a accept -W lo
> ipfwadm -I -a accept -S test-proxy -W eth0
> ipfwadm -I -a accept -D 0/0 80 -P tcp -r 3128 -W eth0
Right.. I didn't notice that -S there.. this line definitely does not do
what I thought it did, but it is equally useful for terminating loops.
What the line does is to prevent loops if a routing loop should occur or
if Squid addresses itself.
There are some minor differences between using -S or -D here. -S
terminates a wider range of possible loops, but if you have Squid
patched to terminate loops then using -D shows a nice error message in
squid.out if a routing error occurs that causes squid generated traffic
to be redirected to Squid again.
If squid is not patched:
ipfwadm -I -a accept -b -S test-proxy -W eth0
If squid is patched to terminate loops:
ipfwadm -I -a accept -D test-proxy -W eth0
The first rule (-W lo) is redundant in a "default accept" configuration,
and can be removed.
--- Henrik Nordström Sparetime Squid Hacker
Received on Wed Aug 12 1998 - 16:33:36 MDT
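
The difference between the two loop-terminating rules discussed above can be traced with a small first-match model of the input rule list. This is an added example, not part of the original post or of Squid or ipfwadm; the addresses are constructed, `PROXY` stands in for test-proxy, and `-b` is modelled simply as also matching with source and destination swapped.

```python
PROXY = "192.0.2.1"  # constructed address standing in for test-proxy

def rule(src=None, dst=None, dport=None, iface=None, bidir=False, to_port=None):
    # One "ipfwadm -I -a accept" rule; None means "any". to_port models -r.
    return dict(src=src, dst=dst, dport=dport, iface=iface, bidir=bidir, to_port=to_port)

def matches(r, p):
    if r["iface"] and r["iface"] != p["iface"]:
        return False
    def one_way(src, dst):
        return ((r["src"] is None or r["src"] == src) and
                (r["dst"] is None or r["dst"] == dst) and
                (r["dport"] is None or r["dport"] == p["dport"]))
    # Assumption: -b is modelled as a second try with the addresses swapped.
    return one_way(p["src"], p["dst"]) or (r["bidir"] and one_way(p["dst"], p["src"]))

def verdict(rules, p):
    # First matching rule decides; fall through to the "default accept" policy.
    for r in rules:
        if matches(r, p):
            return f"redirect:{r['to_port']}" if r["to_port"] else "accept"
    return "accept"

# ipfwadm -I -a accept -D 0/0 80 -P tcp -r 3128 -W eth0
REDIRECT = rule(dport=80, iface="eth0", to_port=3128)
# Squid not patched: ipfwadm -I -a accept -b -S test-proxy -W eth0
UNPATCHED = [rule(src=PROXY, iface="eth0", bidir=True), REDIRECT]
# Squid patched:     ipfwadm -I -a accept -D test-proxy -W eth0
PATCHED = [rule(dst=PROXY, iface="eth0"), REDIRECT]

def pkt(src, dst, dport=80, iface="eth0"):
    return dict(src=src, dst=dst, dport=dport, iface=iface)

# Constructed sample packets, all TCP to port 80 arriving on eth0.
SAMPLES = {
    "client request": pkt("198.51.100.7", "203.0.113.80"),
    "squid request routed back": pkt(PROXY, "203.0.113.80"),
    "request addressed to proxy": pkt("198.51.100.7", PROXY),
}

def compare():
    # Maps sample name -> (verdict with -b -S rule, verdict with -D rule).
    return {n: (verdict(UNPATCHED, p), verdict(PATCHED, p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (unpatched, patched) in compare().items():
        print(f"{name:28} -S/-b: {unpatched:14} -D: {patched}")
```

Only the middle case differs: with the -D rule, Squid-generated traffic that is routed back still reaches the redirect, which is where a patched Squid gets the chance to report the loop.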