Time-out on redirection?

Peter Frischknecht peter@empoweringsolutions.com
Tue, 27 Jun 2000 09:19:14 -0400


Your idea is good.
However, there is another factor to consider: resources.

I could have a Linux router/netfilter box with just a floppy disk and 8 megs
RAM.  It becomes very easy to deploy and maintain.

Squid's resources are considerably higher.  

Again, I like your idea, I actually started working with Squid first.  
There are several other issues with Squid besides being resource hungry:
- While in transparent proxy mode, authentication does not work. (as
documented)
- To work in regular proxy mode, browsers would have to be configured
manually if the automatic detection did not work.
- Proxy is not the answer for every protocol... much the opposite, proxy is
best only for HTTP.  RealAudio, ICQ, Dialpad...  none of these applications
benefit from a proxy setup.

The problem is also a tad more complicated than what I first posted.  There
are several sites that will need such setup, and authentication has to be
done centrally.  I used XMLRPC to provide feedback to the original router in
order to allow passage after a successful authentication.

I really think that the solution with Netfilter is good.  It is very fast,
transparent to the end user, and very powerful.  I can send user A through a
transparent proxy and leave user B alone.  I can allow ALL traffic through
EXCEPT for HTTP till authentication occurs.  I can apply firewall rules on a
per user basis.  In short, I feel like Netfilter will do it.

Here is a description of what is happening in the background.
1. By default, ALL users using TCP and reaching port 80 on any site are
being forced to the Logon page.
2. Once a user has a successful validation (logon), the logon server sends a
message to the router that INSERTS the new rule into the nat table.  This
new rule may simply "ACCEPT" a packet or it may "REDIRECT" it to a
transparent proxy.
3. The user now can browse the web.  

The user can go to ANY web address almost instantly.  The problem is that
the original site requested is unavailable for about 45 secs.  If I attempt
to go to the original site, I will be sent to the logon page.  If I use the
actual IP address of the original site, it works.

If anybody has ANY clues about this, please enlighten me.

Peter Frischknecht
Empowering Solutions, Inc.
http://www.empoweringsolutions.com
(864)654.6544 x103 Phone
(864)654.0022      Fax
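The rule sequence the post describes (a default redirect of port 80 to the logon page, then a per-user rule inserted into the nat table on successful logon, and removed again on logout), as an added example that is not part of the original message or of Peter's setup. The logon and proxy port numbers and the print_cmd dry-run helper are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the nat-table rule sequence described above.
# Point IPTABLES at the print_cmd helper to see the commands without changing any rules.
IPTABLES="${IPTABLES:-iptables}"
LOGON_PORT="${LOGON_PORT:-8080}"   # assumed: the logon page listens here on the router
PROXY_PORT="${PROXY_PORT:-3128}"   # assumed: the transparent proxy listens here

# Dry-run helper: prints the arguments instead of invoking iptables.
print_cmd() { printf '%s\n' "$*"; }

# Step 1: by default every TCP connection to port 80 is sent to the logon page.
# Appended (-A) so it stays at the end of PREROUTING, behind any per-user rules.
default_rules() {
    "$IPTABLES" -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports "$LOGON_PORT"
}

# Map a mode to its target: "accept" leaves the user alone, "proxy" sends the
# user through the transparent proxy.
target_for() {
    case "$1" in
        accept) echo "ACCEPT" ;;
        proxy)  echo "REDIRECT --to-ports $PROXY_PORT" ;;
        *)      echo "unknown mode '$1'" >&2; return 1 ;;
    esac
}

# Shared rule builder: ACTION is -I (insert at the top, ahead of the catch-all)
# or -D (delete the same match again). Access is tied to the source address,
# so anything else using that address inherits it until the rule is removed.
user_rule() {
    target="$(target_for "$3")" || return 1
    # $target is deliberately unquoted so "REDIRECT --to-ports N" becomes separate arguments
    "$IPTABLES" -t nat "$1" PREROUTING -s "$2" -p tcp --dport 80 -j $target
}

# Step 2: after a successful logon, insert the user's rule ahead of the catch-all.
grant_user()  { user_rule -I "$1" "${2:-accept}"; }

# Logout or session expiry: delete the user's rule.
revoke_user() { user_rule -D "$1" "${2:-accept}"; }
```

The nat table is consulted only for the first packet of a connection, so a connection that was already redirected keeps that mapping in the connection-tracking table until it closes or times out; only new connections pick up the inserted rule.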