On Tuesday 28 October 2003 21:58, Ramon de los Reyes wrote:

> we have been using masquerading to allow our
> workstation to surf the internet. my friend suggested
> that we should use squid instead.
>
> my question is which is better? 

it depends on what you're trying to do.  

   do you want to allow users to use ONLY http/https 
       (and maybe ftp)?  then squid is probably better 
       than masquerading because masquerading (without
       additional configuration, e.g., firewall rules) allows
       any kind of traffic outward (e.g., they can use P2P
       clients, they can use IM clients, they can directly
       connect to remote POP3/SMTP/IMAP servers,
       they can scan remote servers for vulnerabilities,
       etc.).

       of course you can generally block undesirable 
       traffic using firewall rules and other techniques
       but that can be a headache with P2P and IM
       clients that try many ports or that piggyback on
       http.
   
  do you want to allow users to use other services too,
       in addition to http/https?  then you should use
       masquerading (or a SOCKS proxy, but a SOCKS proxy
       won't work with un-socksified applications).

  do you want to allow users to use http/https and other
       services, but you want to *force* http traffic through
       the proxy to save bandwidth and perhaps for
       blocking certain sites (e.g., pr0n) or for monitoring?
       then you probably want to use masquerading, *plus*
       squid, plus the appropriate firewall rules to 
       transparently trap http requests and force them through
      your squid proxy (although this can be sort of 
      circumvented by clients that use an external proxy 
      if they can find an open one).

tiger

-- 
Gerald Timothy Quimpo  gquimpo*hotmail.com tiger*sni*ph
http://bopolissimus.sni.ph
Public Key: "gpg --keyserver pgp.mit.edu --recv-keys 672F4C78"

    If we were meant to fly, we wouldn't keep losing our luggage.
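
The three setups described in the reply above, sketched as iptables rules. This is an added example, not part of the original message: the interface names, the 192.168.1.0/24 subnet and Squid listening in interception mode on port 3128 are assumptions, and the script only prints the rules unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example (not from the original post). All values below are assumptions.
LAN_IF="${LAN_IF:-eth1}"               # assumed inside interface
WAN_IF="${WAN_IF:-eth0}"               # assumed outside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed sample subnet
SQUID_PORT="${SQUID_PORT:-3128}"       # assumed Squid port (interception mode for case 3)
# Dry run by default: rules are printed. Run as root with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Case 1: proxy only. Nothing is forwarded or NATed, so the only way out
# is a browser explicitly configured to use Squid on the gateway.
proxy_only() {
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# Case 2: masquerading only. Every outbound protocol is allowed
# (P2P, IM, POP3/SMTP/IMAP, scans). Also needs net.ipv4.ip_forward=1.
masq_only() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Case 3: masquerading plus forced proxying. Port 80 is redirected to the
# local Squid before routing; everything else still leaves via NAT.
# Only destination port 80 is trapped, so a client pointed at an outside
# proxy on another port is not intercepted (the caveat in the reply).
masq_plus_squid() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
         -j REDIRECT --to-ports "$SQUID_PORT"
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    masq_only
}

# Usage: sh gateway.sh proxy_only | masq_only | masq_plus_squid
case "${1:-}" in
    proxy_only|masq_only|masq_plus_squid) "$1" ;;
esac
```
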