Simon Murcott wrote:

> On Thu, 2002-03-07 at 11:06, Josh Frick wrote:
>
> > Thank you. That's what I had suspected. NAT is NAT, right? I'm
> > trying to build a multi-layered approach. Currently it's two Coyote
> > (IPchains) firewalls in front of Squid/Socks. This does prevent direct
> > connections to my clients, which I had assumed was more secure than
> > otherwise, but I wasn't sure if that was meaningful. My clients and
> > the Squid/Socks box are not reachable by the gateway. Only the choke,
> > which will be reconfigured (by way of a crossover cable) to be
> > connected only to the Squid/Socks box. I just wanted to know if this
> > was any better than simply adding a third IPchains box.
>
> Something to be aware of is that having two firewalls of the same
> flavour will not buy you any more security. If a crack/exploit works on
> one then it will work on the other. Try replacing one of them with
> another OS and firewall solution.

Eventually, I plan on replacing both Coyote boxes with IPtables-capable firewalls (for stateful inspection). The choke will be Woody, I think, with SNORT, and the gateway will either be floppyfw or Devil Linux or a homebrew busybox. But they're still going to be i386 Linux. Hopefully, I can disable module support in both.

> Adding a third ipchains box will give you as much protection as adding a
> piece of wire.

This is unclear. In the context of your first statement, I guess you're saying it's just as easy to break into?

> Where a proxy is extremely useful is being able to inspect (and correct
> or reject) the data it receives before it gives it to the client
> machine. That is you can plug a virus scanner into squid, remove active
> x, etc.

How does it do so? By default? Or do I need to fine-tune squid.conf and danted.conf, or recompile both?

Thanks.

Sincerely,
Josh Frick
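As an added illustration (not from either poster) of the content-inspection point raised above: a stock squid.conf does no reply filtering at all, so blocking ActiveX-style content has to be configured explicitly. The fragment below assumes a Squid release that supports the `rep_mime_type` ACL and `http_reply_access` (2.5 or later); the ACL names and the MIME types / extensions chosen are the editor's own choices, not anything the thread specifies. Virus scanning is a separate matter and needs an external scanner hooked into the proxy, which this fragment does not cover.

```conf
# --- Added example, not part of the original message ---
# Reject requests for ActiveX control files by URL path.
# (ACL names and patterns are illustrative choices.)
acl activex_files urlpath_regex -i \.(ocx|cab)$

# Reject server replies whose Content-Type marks them as ActiveX
# objects or raw Windows executables, regardless of the URL.
acl activex_types rep_mime_type -i ^application/x-oleobject
acl activex_types rep_mime_type -i ^application/x-msdownload

# Request-side deny must appear BEFORE the site's final
# "http_access allow <your clients>" line, since Squid stops
# at the first matching http_access rule.
http_access deny activex_files

# Reply-side filtering: evaluated after the origin server answers,
# before the body is handed to the client. Default is allow all.
http_reply_access deny activex_types
http_reply_access allow all
```

Clients on the inside then receive an error page from Squid instead of the object, which is the "reject before it reaches the client" behaviour described in the quoted reply.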

