Quote:
Originally Posted by khamesi
HI
Can you connect to outside computer from your fw server in ssh port ?
|
Hi there,
I later found out what the problem is. I have to masq my intranet (well, actually just a notebook connected to the desktop via another ethernet card) on the outgoing interface (the ppp on my case since I use ADSL). I previously masq-ed on the ethernet interface connected to ADSL modem. To be honest, even though the problem has been solved, I yet had no idea why masq-ing the wrong interface (or not masq-ing at all) would break the SSL connection instead of the whole outgoing one for the subnet.
So now basically the whole setup, subnet with dns and transparent proxy support, is like this:
one desktop with two ethernet cards, eth0 connecting to adsl modem and eth1 connecting to a subnet whose setup is 192.168.0.x/255.255.255.0 (the desktop has ip 192.168.0.1 bound to eth1 serving as dhcp/proxy server). The ADSL interface is ppp0. the desktop runs shorewall, squid, and dhcp server.
for squid, I runs in transparent proxy mode, and set to listen to port 3128, and with a local network acl declaration:
http_port 3128
acl mynetwork src 192.168.0.12
http_access allow mynetwork
for shorewall, simply forward requests from 80 to 3128, then as what I mentioned before, in masq file, masq the subnet 192.168.0.255 on ppp0
ppp0 192.168.0.0/255.255.255.0
then done! ssh ok, https works, and secure imap is back.
HOWEVER, here are the questions:
1. Why not-masq-ing for the subnet (or masq-ing on the wrong outgoing interface) would PARTIALLY break the outgoing connection, i.e. the ssl one, for the subnet? Is it because the ssl connection requires some sort of active connections btwn the server and the client, therefore without correct masq the server couldn't communicate with the client?
2. While I was searching around like a nut for the HOWTO about my problem, I simply ran through numerous docs saying: No, There is no way by transparent proxy you can make ssl-connection work (actually it seemed to be true because the subnet can have the ssl access if explicit proxy server is set), otherwise the man-in-middle attack would come into play. Of course I also got some sort of vague mention in squid doc, saying that it could proxy ssl connections. Now, based on what I get here, what conclusion could I get? Can or Can't ssl connection be implemented on transparent proxy?
Hope the troublesome experience could help somebody.