From 07c579562ecc514a4b7aca0d845037193706a37a Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Sat, 4 Apr 2009 14:28:23 +0000
Subject: [PATCH] Explain how to exclude certain hosts from transparent proxy

Signed-off-by: Tom Eastep <teastep@shorewall.net>

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9795 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 docs/Shorewall_Squid_Usage.xml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/docs/Shorewall_Squid_Usage.xml b/docs/Shorewall_Squid_Usage.xml
index 3543f3e2a..04b076800 100644
--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
@@ -179,6 +179,22 @@ ACCEPT    $FW        net      tcp      www</programlisting>
       <para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
 #                                                       PORT(S)    DEST
 REDIRECT  loc        3128     tcp      www              -          !206.124.146.177,130.252.100.0/24</programlisting></para>
+
+      <para>People frequently ask <emphasis>How can I exclude certain internal
+      systems from using the proxy? I want to allow those systems to go
+      directly to the net</emphasis>.</para>
+
+      <para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33 from
+      the proxy. Your rules would then be:</para>
+
+      <programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
+#                                                       PORT(S)    DEST
+REDIRECT  loc:!192.168.1.5,192.168.1.33\
+                     3128     tcp      www              -          !206.124.146.177,130.252.100.0/24
+ACCEPT    loc        net      tcp      www</programlisting>
+
+      <para>The second rule may be omitted if your loc-&gt;net policy is
+      ACCEPT.</para>
     </section>
 
     <section id="Local">