From 5456c9fba38410a4fccf7d35076a229f666cf583 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 1 May 2010 08:26:22 -0700 Subject: [PATCH] Add instructions for proxying firewall-local connections Signed-off-by: Tom Eastep --- docs/Shorewall_Squid_Usage.xml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/docs/Shorewall_Squid_Usage.xml b/docs/Shorewall_Squid_Usage.xml index 59573211f..850fcd9a0 100644 --- a/docs/Shorewall_Squid_Usage.xml +++ b/docs/Shorewall_Squid_Usage.xml @@ -197,6 +197,29 @@ ACCEPT loc net tcp www The last rule may be omitted if your loc->net policy is ACCEPT. + + In some cases (when running an LTSP server on the Shorewall + system), you might want to transparently proxy web connections that + originate on the firewall itself. This requires care to ensure that + Squid's own web connections are not proxied. + + First, determine the user id that Squid is running under: + + gateway:/etc/shorewall# ps aux | fgrep -i squid | fgrep -v fgrep +root 10085 0.0 0.0 23864 700 ? Ss Apr22 0:00 /usr/sbin/squid -D -YC +proxy 10088 0.0 0.9 40512 19192 ? S Apr22 10:58 (squid) -D -YC +gateway:/etc/shorewall# + + In this case, the proxy process (squid) is running under the proxy user Id. We add these rules: + + #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/ +# PORT(S) DEST LIMIT GROUP +ACCEPT $FW net tcp www +REDIRECT $FW 3128 tcp www - - - !proxy
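Review bot: the loop-prevention in this hunk rests entirely on the `!proxy` USER/GROUP match on the `REDIRECT $FW 3128 tcp www - - - !proxy` line, but the text tells the reader to pick the user from `ps` output in which the two Squid processes run as different users (`root` for `/usr/sbin/squid -D -YC`, `proxy` for `(squid) -D -YC`); say explicitly that the user to exclude is the one the worker process runs as (set by Squid's `cache_effective_user`), since if that were ever `root` the REDIRECT would catch Squid's own outbound connections and every request would loop back into port 3128. Two smaller points: the new ACCEPT rule has no counterpart to the existing sentence "The last rule may be omitted if your loc->net policy is ACCEPT", so add the matching note for the $FW->net policy; and "user id" / "proxy user Id" in the added paragraphs use inconsistent capitalization.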