On Fri, Mar 16, 2001 at 08:10:08PM +0100, RoMaN SoFt / LLFB !! wrote:
> On Fri, 16 Mar 2001 10:32:52 -0800, you wrote:
>
> >I would find an old pci machine, and use that as the "equalizing" machine.
> >You can have the proxy behind that, and have the eq box send the connections
> >needing proxying to the squid box.
> >
> >Are you using the eq box as a firewall too? Under best conditions, the only
> >open service on the firewall would be ssh or none.
>
> This is a bit paranoid for a little LAN: almost all our employers
> have few computer skills and the ones with some "computers' control"
> are totally trusted. The untrusted world is out of the LAN, where
> proxy service will be hidden (filtered). In addition both outgoing
> routers are performing NAT so inherently we've got some extra
> protection (it is virtually impossible to establish a connection from
> out of the LAN into it).
>
> Summarizing: although running a proxy, it should not be seen from the
> outside.
>
> By the way, your statement is very well known and generally it should
> be taken into account if possible.
>

I understand everything you're saying, I've set up a firewall/mailserver/file
server/monitoring station/trans proxy/masq in several places, but you will have
a LOT fewer headaches if you keep your firewall separate from everything else.
I'm working on creating a DMZ perimeter network and putting the actual network
behind two firewalls. Anything where you have anything as critical as needing
multiple links to the internet should be set up this way. I will have a lot
fewer layers of complication once I separate my firewall from the rest... not
to say it's impossible. You also have fewer places that need constant updating,
since I can't take my file server down as often as I'd like to be able to
install the latest kernel for firewalling...

Mike
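The layout Mike describes (a dedicated firewall box on which only SSH is reachable, a DMZ holding the squid proxy, NAT towards the upstream link, and LAN web traffic transparently redirected to the proxy), written out as an added example that is not code from the thread. It assumes a modern Linux firewall running nftables rather than the 2001-era kernel firewalling the thread refers to; the interface names, subnets and the 10.0.0.10 squid address are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): nftables ruleset for a dedicated firewall
# with three interfaces. All names and addresses below are assumed/constructed:
#   wan0 = upstream link (masqueraded)
#   lan0 = 192.168.1.0/24, the trusted office LAN
#   dmz0 = 10.0.0.0/24, perimeter net holding the squid box at 10.0.0.10:3128
# The firewall itself answers only to SSH from the LAN; everything else is dropped.
gen_ruleset() {
  cat <<'EOF'
table inet fw {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    iif lan0 tcp dport 22 ct state new accept        # admin SSH from the LAN only
    icmp type echo-request limit rate 5/second accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iif lan0 oif dmz0 ip daddr 10.0.0.10 tcp dport 3128 accept   # LAN -> squid
    iif dmz0 oif wan0 tcp dport { 80, 443 } accept               # squid -> web
    iif lan0 oif wan0 accept                                     # other LAN egress
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    iif lan0 tcp dport 80 dnat to 10.0.0.10:3128   # transparent proxy redirect
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oif wan0 masquerade   # hide LAN and DMZ addresses behind the WAN link
  }
}
EOF
}

# Load on the firewall box (as root) with:  gen_ruleset | nft -f -
gen_ruleset
```

Nothing from wan0 or dmz0 can reach the firewall's own input chain, and the DMZ can only originate web traffic, so a compromised proxy gains no path back into the LAN.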