Squid is a proxy, which means it connects to the HTTP servers instead of the clients doing so. So there is no need for them (the clients) to call servers directly. Routing and masquerading on the firewall can stay disabled (fine!). As a side effect squid can generate logs for client requests.
> firewall installed masquerading the internet to subnet using squid proxy
This makes no sense to me. Masquerading means to convert the client's IP address to the firewall's external IP for outgoing requests and convert it back for incoming ones.

Conclusion: when using squid there is no need for routing and masquerading IP addresses for HTTP. The connection works as follows:

[client:highport] <-> [firewall:proxyport <-> firewall:highport] <--> [server:80]

For email you need routing and masquerading for tcp 25 (smtp) and 110 (pop) (no TLS is involved), as long as you don't have a mail proxy, too. Check this firewall option:

---- snip ----
## Type: string
#
# Which internal computers/networks are allowed to access the internet
# directly (not via proxies on the firewall)?
# Only these networks will be allowed access and will be masqueraded!
#
# Choice: leave empty or any number of hosts/networks separated by a space.
# Every host/network may get a list of allowed services, otherwise everything
# is allowed. A target network, protocol and service is appended by a comma to
# the host/network. e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with
# unrestricted access. "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
# the 10.0.1.0 network to use www/ftp to the internet.
# "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too.
# Set this variable to "0/0" to allow unrestricted access to the internet.
#
FW_MASQ_NETS=""
---- snap ----

Example:

FW_MASQ_NETS="10.0.1.0/24,tcp,25 10.0.1.0/24,tcp,110"

Where 10.0.1.0/24 is your subnet! Sure that helps.

The polarizer
polarizers at its best
http://www.codixx.de/polarizer.html
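As an added illustration of the FW_MASQ_NETS grammar quoted in the post (this is example code written for this page, not SuSEfirewall2's own implementation), the following dry-run script prints the NAT rule each entry implies and flags entries that still let clients reach web servers directly, which squid makes unnecessary. It assumes only the entry syntax described in the config comment; the FORWARD rules the firewall also needs are left out.

```shell
#!/bin/sh
# Dry-run reader for the FW_MASQ_NETS syntax from the config comment above.
# Illustrative code, not SuSEfirewall2's own: it prints the NAT rule each
# entry implies so the masquerade policy can be reviewed before enabling it
# (the matching FORWARD rules the firewall also needs are left out).
# Entry grammar, from the comment: net[,target][,proto[,port]]

# The example value from the post: masquerade only SMTP and POP3 for the subnet.
FW_MASQ_NETS_EXAMPLE="10.0.1.0/24,tcp,25 10.0.1.0/24,tcp,110"

# Print one "iptables ... -j MASQUERADE" line per entry of $1.
masq_rules() {
    for entry in $1; do
        IFS=,; set -- $entry; unset IFS     # split the entry on commas
        rule="iptables -t nat -A POSTROUTING -s $1"; shift
        case "$1" in                         # optional target network
            0/0) shift ;;                    # "0/0" means anywhere: no -d needed
            */*) rule="$rule -d $1"; shift ;;
        esac
        if [ -n "$1" ]; then                 # optional protocol
            rule="$rule -p $1"
            if [ -n "$2" ]; then             # optional port or port range
                rule="$rule --dport $2"
            fi
        fi
        printf '%s -j MASQUERADE\n' "$rule"
    done
}

# Print entries that also let clients reach web servers directly: no protocol
# at all, tcp with no port, or tcp port 80. With squid proxying HTTP these
# are unnecessary and widen what the firewall forwards.
direct_http_entries() {
    for entry in $1; do
        IFS=,; set -- $entry; unset IFS
        shift                                # drop the source network
        case "$1" in */*) shift ;; esac      # drop the target if present
        case "$1,$2" in
            ","|"tcp,"|"tcp,80") echo "$entry" ;;
        esac
    done
}

masq_rules "$FW_MASQ_NETS_EXAMPLE"
direct_http_entries "10.0.1.0/24,0/0,tcp,80 $FW_MASQ_NETS_EXAMPLE"
```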