I have not yet fully researched the PF functionality of OpenBSD, so
I'm therefore guessing that the PF feature adds "stateful packet
inspection" to an OpenBSD box.

With that assumption, I guess I'm thinking PF and Squid (which works
at the application layer of the OSI stack) would make a pretty
formidable firewall.

I wonder if PF would analyze the incoming data stream first and then
Squid, or would that be Squid first and then PF?

Ed

On Sat, Mar 22, 2008 at 6:05 AM, Denise H. G. <[EMAIL PROTECTED]> wrote:
>
> "Ed Flecko" <[EMAIL PROTECTED]> writes:
>
>  > Hi folks,
>  > I'm reading a book on network security and it mentions "proxy
>  > firewalls", so I'm wondering if an OpenBSD box with Squid installed
>  > would fit this description? Or, are there other "proxy firewalls" the
>  > author is referring to?
>  >
>  > The book mentions that although "proxy firewalls" tend to slow traffic
>  > down, they are much more secure than a typical, "stateful packet
>  > filtering" firewall. He says they will ignore the typical "network
>  > discovery" methods, i.e. nmap, etc., etc.
>  >
>  > As a matter of curiosity, has anyone run an nmap scan against an
>  > OpenBSD box with Squid? What did the scan results indicate?
>
>  I have an ancient box, which is an AMD K6 266MHz with 64M RAM, running
>  OBSD 4.2 + pf + squid. I use it as a home router + firewall + WWW cache.
>  Since it is running smoothly, quietly and well, it just sits in one corner
>  without my further investigations. But I don't know how `proxy' plus
>  `firewall' would enhance security issues. Would you elaborate on it?
>
>
>
>  >
>  > Thank you,
>  > Ed
>
>  --
>  Denise H. G. <darcsis AT gmail DOT com>
