On Sun, 27 Aug 2000, Shachar Shemesh wrote:

> > maybe you should start thinking then ;) . if a "regular router" = cisco -
> > then, yes, it can do that, and much more (depending on the version of its
> > IOS).
> 
> Maybe, but not as explained in your email.

actually, _exactly_ as explained in my email.

> > this will be done with no address translation on the router - it just is
> > told that the 'next hop' towards the target address,
> 
> The "target address" is the entire internet. You are referring to the default
> route?

no. i think what i'm referring to falls under the specification of "policy
routing".

> > is the proxy machine.
> > that proxy machine then needs to understand (via normal routing rules)
> > that any packet it received, targeted for port 80 and an IP that does not
> > belong to the local machine, should be injected into the proxy server's
> > module. that doesn't _have_ to be implemented using NAT (although it
> > _might_ be done this way if it simplifies stuff).
> 
> Yes, I agree. I have no problem with implementing NAT on the proxy machine,
> BUT...

_if_ at all one needs NAT for that... or NAT in _any_ classical sense of
the word (according to your broad definitions, any use of a proxy server
is actually an introduction of NAT, since not the original machine's
address is being shown in the FROM address of the packet being sent out,
but a different one (that of the proxy)).

> You will find that your solution forwards ALL outbound packets to the proxy
> machine. Not just those aimed at port 80. 

actually, i won't. i'm talking of something that is actually used and
works as stated. i'm not sure how proficient you are with Cisco's IOS -
you might want to read their documentation before you state that this
cannot be done - because it is already being done. in fact, if one bothers
reading IOS's docs, one can do all sorts of non-standard things with their
routers.

> You are then left with my original
> problem - I don't want to penalise the entire office traffic with an extra hop
> (actually - extra two hops and a routing loop in your solution), just because
> I want to implement a transparent proxy. A much simpler solution for me is to
> block all communication to port 80 outbound, and force everyone to manually
> configure the proxy or they don't get web access.

simpler to whom exactly?

btw, please note that normally in our holy land, access bandwidth used to
a proxy server is MUCH MUCH smaller than the capacity of the LAN on which
this access is performed, so under common Israeli circumstances, this
waste of resources is not really an issue. surely, things are better if
all browsers are properly configured (less bandwidth wasted, about 1-3
milliseconds saved for each HTTP connection, and fewer router CPU cycles
are wasted) but sometimes it's easier and cheaper to support transparent
proxying in this way, than to support users with setting up the proxy
properly.

and since i think we're losing our on-topicness by the minute here, i
think that if you still question Cisco's IOS features, we'll move this
discussion to private email.


guy

"For world domination - press 1,
 or dial 0, and please hold, for the creator." -- nob o. dy
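The policy-routing setup described in the message above, as an added example that is not part of the thread and not Guy's own configuration: an IOS route-map that sends only TCP port 80 traffic arriving from the LAN to the proxy host as its next hop, while all other traffic follows normal destination-based routing. The addresses, interface name and route-map name are assumptions. The first access-list line excludes packets that the proxy host itself originates, which is what prevents the routing loop objected to in the reply (without it, the proxy's own outbound web fetches would be policy-routed straight back to it).

```cisco
! Added example (not from the thread). Assumed addresses:
!   LAN segment   192.168.1.0/24 on FastEthernet0/0
!   proxy host    192.168.1.80 on that same LAN
!
! Match only TCP traffic to port 80 (www), and exclude traffic that the
! proxy host itself originates, so its outbound fetches are not sent
! straight back to it (the routing loop mentioned in the reply).
access-list 101 deny   tcp host 192.168.1.80 any eq www
access-list 101 permit tcp any any eq www
!
! Policy map: matched packets get the proxy as next hop; anything that
! does not match falls through to ordinary routing, so non-web traffic
! is not diverted and no address translation happens on the router.
route-map PROXY-WEB permit 10
 match ip address 101
 set ip next-hop 192.168.1.80
!
! Apply the policy to packets arriving from the LAN interface.
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map PROXY-WEB
```

`show route-map PROXY-WEB` reports how many packets have matched the policy, which is the quickest way to confirm that only web traffic is being diverted. The redirected packets still carry their original destination address when they reach the proxy host, so that host must itself intercept port 80 destined for non-local addresses and hand it to the proxy software (on Linux this is typically a local port redirect in the packet filter); that is the "injected into the proxy server's module" step from the message, and it is the only place any rewriting of addresses or ports takes place.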


=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
