> Hi!
> 
> I'm in the process of setting up a leased line/static IP internet connection 
> with the option of a DMZ and a second firewall.
> 
> To simplify the firewalls, I'm thinking about moving the http proxy (squid) 
> from the firewall machine to a machine behind the firewall.
> 
> Are there any additional security risks with the proxy on the intranet?
> 
> Thanks!
> 
> - Christian
> 

I think the opposite is true. I do this for a reverse proxy,
squid in accelerator mode to serve 3 different http boxes.

# Send incoming port 80 to Rproxy. However, we have to allow an
# incoming onto port 80. $IFINET = internet interface, $RPROXY =
# squid box. ($HTTP_PORT is assumed to be set to 80 earlier in the script.)

iptables -t nat -A PREROUTING -p tcp --dport $HTTP_PORT -i $IFINET \
        -j DNAT --to-destination $RPROXY

iptables -A FORWARD -p tcp --dport $HTTP_PORT -d $RPROXY -j ACCEPT

The less that's available on the firewall the better, then you
can't get burnt by code vulnerabilities. Like the squid bug
for accelerator mode last month. :)

Cheers,
-- 
Support Intellectual Property.  |       Lance Levsen
Surrender yours to Microsoft.   |       Systems
- Ed Craig                      |       PWGroup - S'toon.
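The DNAT-to-reverse-proxy setup described in the reply above, as an added example that is not part of the original message or of Lance's own ruleset. It builds the same PREROUTING/FORWARD pair, but narrows the FORWARD rule to the internet-to-DMZ direction and to new connections, and adds the return rule for reply packets; the interface names, the proxy address and the IPT dry-run switch are assumptions for illustration, and the script only prints the commands unless IPT is set to a real iptables binary.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the reverse-proxy
# DNAT and FORWARD rules; all interface names, addresses and ports below
# are assumed values, not taken from the thread.
IFINET="${IFINET:-eth0}"        # assumed: internet-facing interface
IFDMZ="${IFDMZ:-eth1}"          # assumed: interface toward the DMZ
RPROXY="${RPROXY:-192.0.2.10}"  # assumed: squid reverse proxy (TEST-NET-1 address)
HTTP_PORT="${HTTP_PORT:-80}"

# IPT defaults to "echo iptables" so the rules are printed instead of applied;
# run with IPT=iptables (as root) to load them for real.
IPT="${IPT:-echo iptables}"

rproxy_rules() {
    # Rewrite the destination of inbound port-80 packets arriving on the
    # internet interface so they go to the squid box.
    $IPT -t nat -A PREROUTING -i "$IFINET" -p tcp --dport "$HTTP_PORT" \
        -j DNAT --to-destination "$RPROXY"

    # Forward only what the DNAT produced: correct ingress and egress
    # interfaces, correct destination and port, and only new connections.
    # Without -i/-o the original rule would also let any other segment reach
    # the proxy through the firewall.
    $IPT -A FORWARD -i "$IFINET" -o "$IFDMZ" -p tcp -d "$RPROXY" \
        --dport "$HTTP_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Let replies and later packets of accepted connections pass both ways.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Sanity check: exactly one FORWARD/DNAT rule names the proxy as destination.
rproxy_rule_count() {
    rproxy_rules | grep -c -- "-d $RPROXY"
}

rproxy_rules
```

The FORWARD chain is expected to carry a DROP policy (or a final drop rule) so that the two ACCEPT rules are the only forwarded traffic; that policy is deliberately not set here, because applying it to a live box would also cut any outbound forwarding the rest of the ruleset depends on.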

