Hi, I use iptables on my Squid box and by default I DENY everything and only allow those services which I need (ssh/ntp/dns/etc.). When configuring a rule for Squid as an accelerator, what port/range of ports do I need to ACCEPT? Do I need to set up a rule to FORWARD all connections on port 80 to my backend server?

Thanks.

---------------------
Jim Matthews
ISS Systems Administrator
Duke University - Perkins Library
Box 90196
Durham, NC 27708
Email: [EMAIL PROTECTED]
Voice: 919-660-5963
Fax: 919-684-6990


Chris Perreault <[EMAIL PROTECTED]>
06/25/2004 07:45 AM
To: [EMAIL PROTECTED]
cc:
Subject: RE: [squid-users] Squid Server Accelerator + iptables

Firewalls use rules, just like squid does through its ACLs. There are numerous firewalls out there to choose from. Basically you'd set up a rule, for squid, that only allowed traffic from the squid box to your back end webserver via the ports and traffic type that you needed. I.e.: only open port 80, and only allow http traffic, which in effect won't allow telnet, ftp, and a bunch of other traffic occurring on ports you don't want/need traffic on. Likewise, a firewall above squid, between it and the internet end-users, gets configured to only allow whatever traffic is needed to make it to the squid box.

Best way? There are many different ways. With security it's an "amount of risk you can afford" or "how much insurance can you afford" question. What are you protecting, how sensitive is the data, and when it does get hacked (not if..when) what's the worst it can be. I.e.: disaster recovery...how long until you are back online with valid data.

The "best" way would be to have two different brands of firewalls, on different operating systems, thus reducing the pool of people/scripts with the knowledge to hack their way in. That means more maintenance on the admin's side too though, for the admin also needs to know 2 different firewalls. Money no object..go for 3 firewalls to make things even more secure.

internet user <--> |firewall| <--> user only talks to squid via <--> |squid| <--> squid only talks to squid <--> firewall <--> |squid2| <--> squid2 only talks to back end web server <--> |firewall| <--> webserver only talks to squid2 <--> internal webfarm

Here you have a public/outer DMZ and a private/inner DMZ. Complicated setup.

Or...the "best" for you might just be hardening the squid box, no outer firewall and then having a firewall between your web server and squid. Not knowing specifics makes determining the best hard to do.

Chris Perreault
Webmaster/MCSE
The Wiremold Company
West Hartford, CT 06010
860-233-6251 ext 3426

-----Original Message-----
From: Jim Matthews [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 24, 2004 5:04 PM
To: [EMAIL PROTECTED]
Subject: [squid-users] Squid Server Accelerator + iptables

I have squid running in server accelerator mode pointing to one backend server. What's the best way to:

a. firewall the squid box
b. firewall the backend server to only accept connections from the squid box

Any pointers or suggestions would be great.

Thanks.

---------------------
Jim Matthews
ISS Systems Administrator
Duke University - Perkins Library
Box 90196
Durham, NC 27708
Email: [EMAIL PROTECTED]
Voice: 919-660-5963
Fax: 919-684-6990
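A minimal iptables rule set for the two boxes in Jim's setup, along the lines Chris describes (port 80 only, backend reachable only from the Squid box), as an added example that is not from the thread. It assumes constructed addresses (192.0.2.10 for the Squid box, 10.0.0.20 for the backend) and that Squid's http_port in accelerator mode is 80; since Squid terminates the client's TCP connection and opens its own to the backend, no FORWARD rule or NAT is involved, only INPUT on the accelerator port and OUTPUT to the backend. The functions print the rules so they can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Constructed example values; substitute the real ones.
SQUID_IP=${SQUID_IP:-192.0.2.10}     # the Squid accelerator box
BACKEND_IP=${BACKEND_IP:-10.0.0.20}  # the origin web server behind it
ACCEL_PORT=${ACCEL_PORT:-80}         # Squid's http_port in accelerator mode

# Rules for the Squid box. Squid is a userspace proxy: it accepts the client's
# TCP connection on ACCEL_PORT and opens a new one to the backend, so no packet
# traverses FORWARD. Only INPUT (clients -> Squid) and OUTPUT (Squid -> backend)
# need ACCEPT rules; the existing ssh/ntp/dns rules sit alongside these.
# Policies are set last so an admin applying this over ssh is not cut off
# before the ESTABLISHED rule is in place.
squid_box_rules() {
  cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $ACCEL_PORT -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -d $BACKEND_IP --dport 80 -m state --state NEW -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# Rules for the backend: new connections to port 80 only from the Squid box,
# everything else dropped by policy.
backend_rules() {
  cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $SQUID_IP --dport 80 -m state --state NEW -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Sanity check before applying: count the rules that admit NEW connections to
# a port. The backend must have exactly one, restricted to the Squid address.
new_conn_rules() {  # $1 = rule function, $2 = port
  "$1" | grep -c -- "--dport $2 -m state --state NEW"
}

# To apply as root: "squid_box_rules | sh" on the Squid box,
# "backend_rules | sh" on the backend.
```

The `-m state` match is the classic form from the era of this thread; current iptables prefers the equivalent `-m conntrack --ctstate`.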
