Enhancement #2967

Updated by Giacomo Sanchietti over 5 years ago

Current implementation of transparent proxy is based on TPROXY.
TPROXY does not modify the IP header, so the firewall can be used in bridged mode to scan all passing traffic without modifying any network configuration in the target environment.
But this implementation has some drawbacks:
* it can't correctly handle squidGuard redirect directives (#2958)
* it's hard to create transparent bypass based on source and destination (#2503)

The REDIRECT DNAT implementation will largely simplify firewall configuration and it will address the above problems.
Thus, this implementation can't be used in bridged mode, but this scenario is not supported by the underlying system for now.
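
An added sketch, not NethServer code and not part of the original issue, of how source and destination bypass reduces to ordered `RETURN` rules ahead of a single `REDIRECT` in the `nat` table. The chain name `WEBPROXY`, interface `eth1`, intercept port 3129 and the sample addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Assumed values: chain WEBPROXY, interface eth1,
# intercept port 3129, documentation-range sample addresses.

# Accept only IPv4 address/CIDR characters so a bypass entry cannot
# smuggle extra options or lines into the generated ruleset.
valid_cidr() {
    case $1 in
        ''|*[!0-9./]*) return 1 ;;
    esac
    return 0
}

# gen_redirect_rules IFACE PORT "SRC_BYPASS ..." "DST_BYPASS ..."
# Prints an iptables-restore ruleset on stdout; returns 1 on bad input.
gen_redirect_rules() {
    iface=$1 port=$2 srcs=$3 dsts=$4
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    for a in $srcs $dsts; do
        valid_cidr "$a" || { echo "invalid address: $a" >&2; return 1; }
    done
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":WEBPROXY - [0:0]"
    # Only HTTP arriving on the LAN-side interface enters the proxy chain.
    echo "-A PREROUTING -i $iface -p tcp --dport 80 -j WEBPROXY"
    # Bypass rules come first: RETURN leaves the chain before REDIRECT.
    for a in $srcs; do echo "-A WEBPROXY -s $a -j RETURN"; done
    for a in $dsts; do echo "-A WEBPROXY -d $a -j RETURN"; done
    # Everything else is rewritten to the local proxy port.
    echo "-A WEBPROXY -p tcp -j REDIRECT --to-ports $port"
    echo "COMMIT"
}

# Constructed sample: one bypassed client, one bypassed destination network.
gen_redirect_rules eth1 3129 "192.0.2.10" "198.51.100.0/24"
```

The output can be checked with `iptables-restore --test` before it is loaded.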