Andrei B. wrote:
> I don't use policy routing, and I have 3 default routes:
> dest 0.0.0.0 gw gw1 eth0
> dest 0.0.0.0 gw gw2 eth1
>
> things like traceroute and ping go through eth0.
> an apache on eth1's ip goes through eth1 to gw1.
> so far I had no problems with other programs.
Are you sure apache is going out on eth1? Normally it would go out on
eth0 with the IP of eth1, but return packets coming in on eth1.
> If isp1 is down, squid won't work. Other programs will go through the
> other ISP as the kernel will use the next default route.
True if you use a direct cable or a routing daemon.
> With source policy routing this will keep squid going, but I don't want
> to.
I don't see how policy routing changes matters other than making sure
the correct packets are sent out on the correct ISP.
> Another idea for which I'd like a second opinion:
>
> acl localip src 10.1.1.0/24
> acl anywhere dst 0.0.0.0/0
> acl localdst dst 10.1.1.0/24
> acl internal myip internalip
> acl external myip externalip_isp1
> acl external2 myip externalip_isp2
>
> http_access allow localip anywhere external
> http_access allow localip localdst internal
> http_access deny external2
Not sure what you are actually trying to achieve here.
I would probably use something like
http_port internalip:3128
http_access allow localip
but from the above rules it seems you want people to connect to different
proxy addresses depending if they are looking for internal or external
resources (external IP of proxy if looking for external resources,
internal IP of proxy if looking for internal resources). Sounds like a
very odd thing to be doing.
--
Henrik Nordstrom
Squid Hacker

Received on Fri Apr 13 2001 - 05:29:55 MDT