On Sun, 10 Jan 1999, Dave Wreski wrote:

> Hi all.  I'd like to set up an Internet connection for a small company
> using Linux, and had some questions I hoped someone could help me with
> before I get started. 

Unfortunately, "for a company" instead of "as a company" rules out the FWTK,
one of the best resources out there.

> One of the services I will be selling them is an Internet firewall, with
> three interfaces.  The typical three-interface DMZ scenario.  Do people
> typically do this also using transparent proxying with squid?   I don't

I'm not a fan of transparent proxies.  In most cases (and you'll have to 
check your own), if you can trick an end-user who is behind a transparent 
proxy into putting the address of a host you control on the Internet into 
the proxy field of their browser the transparent proxy will allow the 
traffic, and you can snarf anything they do.  I haven't looked at the 
squid code, so I can't comment on its proxy ability.  I do know that a 
lot of people use Apache in proxy mode.

> want to add rules for each host connecting to the Internet, but I'm sure
> they'll also want RealAudio/Video support, and other services which must

I normally tell people to use RA/RV over HTTP, it simplifies things, and 
discourages over-use which will eat up bandwidth very quickly.  There is 
a reference proxy for RA on RealNetworks' site, you'll have to judge the 
code for yourself, I wasn't over-enthused with it.

> be proxied.  Do you proxy other protocols?  If so, which ones?

SMTP is pretty necessary these days.  FTP is too, but you can normally 
get away with FTP via an HTTP proxy.  Some industries still use gopher, 
but not many.  The more protocols you open up, the more risk you're 
giving, so it's a balancing act.  I tend to go with opening only what's 
absolutely necessary, logging the heck out of it, and analyzing the logs 
for tunnels, etc.  SSL is starting to become important, but it's a major 
tunneling risk, sometimes you have to let it through, sometimes just to 
selected sites, and sometimes you can get away with blocking the evil 
protocol that it is.

HTH,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
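The reply above recommends opening only what is necessary, logging all of it, and combing the logs for tunnels, and it warns about users pointing their browser at an outside "proxy". The script below is an added example of that log review, written for this page rather than taken from the post or from any firewall product. It assumes Squid's native access.log layout (timestamp, elapsed ms, client, action/code, bytes, method, URL, ident, hierarchy/peer, content type); the sample log lines are constructed, and the thresholds and the set of "proxy-looking" ports are assumptions to tune per site.

```python
"""Scan Squid-style access.log lines for likely tunnels and proxy bypass.

Added example (not from the original post). Assumes Squid's native log
format and a policy that outbound SSL is only legitimate to port 443 on
named hosts; the thresholds and port list are assumptions.
"""
import re
from urllib.parse import urlsplit

# Squid native access.log:
# time elapsed client action/code bytes method url ident hier/from type
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample log (not real traffic); elapsed is in milliseconds.
SAMPLE_LOG = """\
915969600.123     245 192.168.1.10 TCP_MISS/200 4523 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
915969601.456 7200000 192.168.1.11 TCP_TUNNEL/200 15800000 CONNECT 203.0.113.5:22 - DIRECT/203.0.113.5 -
915969602.789    1200 192.168.1.12 TCP_TUNNEL/200 8200 CONNECT secure.example.net:443 - DIRECT/192.0.2.20 -
915969603.001     300 192.168.1.13 TCP_MISS/200 2048 GET http://198.51.100.7:3128/http://www.example.com/ - DIRECT/198.51.100.7 text/html
915969604.002 86400000 192.168.1.14 TCP_TUNNEL/200 9000000 CONNECT 203.0.113.9:443 - DIRECT/203.0.113.9 -
"""

LONG_TUNNEL_SECS = 3600                 # assumed: a CONNECT open > 1 h is odd
BIG_TUNNEL_BYTES = 5 * 1024 * 1024      # assumed: > 5 MiB through one tunnel
PROXY_PORTS = {3128, 8080, 8000, 1080}  # assumed: common proxy/SOCKS ports
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Return a dict of fields for one Squid native log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"]) // 1000  # ms -> whole seconds
    rec["bytes"] = int(rec["bytes"])
    return rec


def split_host_port(url, method):
    """Give (host, port) for a request; CONNECT targets are plain host:port."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port) if port.isdigit() else None
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname, parts.port or default


def tunnel_indicators(rec):
    """Reasons a single record looks like a tunnel or a proxy bypass."""
    reasons = []
    host, port = split_host_port(rec["url"], rec["method"])
    if rec["method"] == "CONNECT":
        if port != 443:
            reasons.append("connect-nonstandard-port")
        if host and IPV4_RE.match(host):
            reasons.append("connect-to-raw-ip")
        if rec["elapsed"] > LONG_TUNNEL_SECS:
            reasons.append("long-lived-tunnel")
        if rec["bytes"] > BIG_TUNNEL_BYTES:
            reasons.append("high-volume-tunnel")
    elif port in PROXY_PORTS:
        # A browser pointed at an outside "proxy" shows up as ordinary
        # requests to a proxy-ish port, often carrying a full URL in the path.
        reasons.append("outbound-to-proxy-port")
    return reasons


def scan(log_text):
    """Map client -> sorted unique reasons; clean and unparsable lines are skipped."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = tunnel_indicators(rec)
        if reasons:
            findings.setdefault(rec["client"], set()).update(reasons)
    return {client: sorted(r) for client, r in findings.items()}


if __name__ == "__main__":
    for client, reasons in sorted(scan(SAMPLE_LOG).items()):
        print(client, ", ".join(reasons))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; the indicators are deliberately coarse (a raw-IP CONNECT on 443 is not proof of anything), so treat the output as a list of clients to look at, not as verdicts.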
