NAT to a client
opie at 817west.com
Thu Apr 28 19:38:38 CEST 2005
On Thu, Apr 28, 2005 at 12:21:22PM -0500, Taylor, Grant wrote:
> >the source port of traffic destined to a squid proxy is not 80, it's
> >1024:65535...why do i *constantly* see this in rules sets?
> Does Squid send out requests on behalf of it's clients from port 3128 to
> port 80 and thus have returning traffic from 80 to 3128?
heeeeeeeeeeeeeeell no. squid proxy 101:
1) client:$UNPRIV -> proxy:3128
2) proxy:$UNPRIV -> origin-server:80
where UNPRIV = 1024 - 65535
client connects to squid, squid connects to web server; two separate
unrelated connections (besides the fact that 1 inspires 2). i
understand that the number 3128 falls within the range 1024 - 65535; and
if squid is configured to bind only to the internal interface, you'd
have a 1/64511 chance of seeing a squid server use sport = 3128 and
dport = 80 to fetch content from an origin web server, but it's not
likely enough to deserve a dedicated filter rule, IMHO.
"Peter: Wh-Who are you?
Death: I'm Callista Flockhart. Who do you think I am? I'm Death."
More information about the netfilter