[squid-users] source spoofing without tproxy?

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Jun 13 07:34:58 UTC 2017


>On 13/06/17 13:48, David Kewley wrote:
>>I want my clients to explicitly address squid as a proxy (not use 
>>tproxy), but have squid spoof the source addresses in the forwarded 
>>connection, so that further hops know the original source address 
>>from the IPv4 headers.
>>
>>I could find no indication that anyone else has done this, and when 
>>I tried various things, I could not get it working.
>>
>>Is this possible today? If not, is it worth considering as a future 
>>feature? Or am I overlooking a reason that this cannot work even in 
>>theory?

On 13.06.17 16:50, Amos Jeffries wrote:
>It is not possible.
>
>No, it is a terrible idea.
>
>It is prohibited by the OS kernel as part of the anti-malware 
>protections, in this case to prevent the local machine being used to 
>attack its surrounding network nodes. And by Squid to make it harder 
>to use Squid as viral payload and damage the brand reputation.

For me to fully understand (I was curious about this some time ago): it is
allowed to fake clients' IPs when intercepting their connections, but not
when the connections are made to the proxy server directly?

What's the difference that makes it more terrible than spoofing IPs of
intercepted connections?

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Eagles may soar, but weasels don't get sucked into jet engines. 
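An added example, not part of this thread or of Squid, that makes concrete what "prohibited by the OS kernel" refers to: an ordinary process cannot give a socket a source address the host does not own, because bind() is refused with EADDRNOTAVAIL. The documented exception is the Linux IP_TRANSPARENT socket option, the privileged path that tproxy interception relies on, which the kernel only grants to a process holding CAP_NET_ADMIN. The script below probes both cases on the running host; 203.0.113.5 is a constructed RFC 5737 documentation address assumed not to be configured locally, and the fallback value 19 for IP_TRANSPARENT is the Linux constant.

```python
"""Probe the kernel's refusal to let a process spoof a source address.

This is added illustration, not Squid code. It shows the two checks that
stand between an unprivileged proxy process and a forged source IP:
  1. bind() to an address the host does not own fails (EADDRNOTAVAIL);
  2. asking for IP_TRANSPARENT to lift that rule fails without
     CAP_NET_ADMIN (EPERM), which is why tproxy needs privilege.
"""
import errno
import socket

# Constructed sample: an RFC 5737 TEST-NET-3 address, assumed not local.
SPOOFED_SOURCE = "203.0.113.5"

# IP_TRANSPARENT is Linux-specific; 19 is its value in <linux/in.h>.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def _errname(err: int) -> str:
    """Map an errno to a stable name for the two codes we care about."""
    if err == errno.EADDRNOTAVAIL:
        return "EADDRNOTAVAIL"
    if err == errno.EPERM:
        return "EPERM"
    return errno.errorcode.get(err, str(err))


def try_bind(addr: str, transparent: bool = False) -> str:
    """Try to make `addr` the source address of a fresh TCP socket.

    Returns "bound" on success, otherwise the name of the errno the kernel
    answered with. With transparent=True the IP_TRANSPARENT option is
    requested first; an unprivileged process is refused at that step.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        if transparent:
            try:
                s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
            except OSError as e:
                return _errname(e.errno)
        try:
            s.bind((addr, 0))
        except OSError as e:
            return _errname(e.errno)
        return "bound"


def probe(addr: str = SPOOFED_SOURCE) -> dict:
    """Run both probes and return the kernel's verdict for each."""
    return {
        "plain_bind": try_bind(addr),
        "transparent_bind": try_bind(addr, transparent=True),
    }


if __name__ == "__main__":
    for name, verdict in probe().items():
        print(f"{name}: {verdict}")
```

Run as an unprivileged user on Linux, the first probe reports EADDRNOTAVAIL and the second EPERM; only a process with CAP_NET_ADMIN (the situation a tproxy deployment deliberately arranges) gets past the second check, which is the distinction between intercepted and explicitly proxied connections that the question above is asking about.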