Re: Deployment Considerations

Hi Joseph,

Joseph Jenkins wrote:
I had a question about how most people were deploying their squid
caches, are you deploying them behind firewalls and if so what type
of rule set are you using?  Is there any case where someone is
running the firewall and squid cache on the same box? I am running Squid on a Solaris 10.

I am not an expert in firewalling and security.

I am currently deploying Squid both in Linux IPTABLES boxes and FreeBSD IPFW boxes.

Both the firewall and Squid are on the same machines.

The 1st part of the rules in those firewalls are for redirecting web traffic to squid's port for transproxy.

Then there are rules to filter who gets access to Squid's port before hitting Squid in the 1st place.

Then comes the small set of stateful rules with the firewall.

Then there are the firewall rules to limit who gets access to sensitive ports. Blocking netbios and broadcast traffic from Windows machines on ports 135-139 is also common in my firewall setup.

Filtering ICMP traffic is also a good thing to do with a firewall.

Last but not least, you make the firewall log intrusion or unwanted activity in a limited way.

Some of my Linux Squid boxes are also acting as gateways, so there are some FORWARD and OUTPUT rules besides the INPUT rules to control which network traffic gets in and out of the box.


Actually, you should deploy at least 2 hardware/software firewalls before any traffic reaches your Squid proxy. They might include routers, load-balancers or even a Linux/Unix hardened box itself.

The reason why I run firewalls inside my Squid boxes is for it to act as the last line of defense in case unwanted traffic somehow penetrates the hardware firewalls.

I don't have any experience in Solaris. Which firewall are you using on your Solaris box? I have heard that IPFILTER can run under Solaris.

Also, the firewall depends upon where the Squid Solaris box resides on your network.

Thanking you...



TIA

Joseph Jenkins
www.pixadmin.com
--

With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

System Administrator

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np
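The rule ordering described in the reply above (redirect, proxy-port filter, stateful set, sensitive ports, ICMP, limited logging, gateway FORWARD/OUTPUT), written out as an iptables script. This is an added example, not code from the post or from Squid; the LAN range, interface name and Squid port are constructed placeholders.

```shell
#!/bin/sh
# Constructed placeholders for this example (not values from the post):
LAN="${LAN:-192.168.1.0/24}"      # inside network allowed to use the proxy
LAN_IF="${LAN_IF:-eth1}"          # interface facing that network
SQUID_PORT="${SQUID_PORT:-3128}"  # Squid's http_port

# Emit the rules in the order described in the post. Commands are printed
# rather than executed so the set can be reviewed; pipe to sh to apply as root.
squid_fw_rules() {
  ipt="iptables"
  # 1. Transproxy: redirect the LAN's web traffic to Squid's port. After the
  #    redirect the packet reaches INPUT with dport $SQUID_PORT, so rule 2
  #    governs transparent and explicit proxy clients alike.
  echo "$ipt -t nat -A PREROUTING -i $LAN_IF -s $LAN -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
  # 2. Who may reach Squid's port: the LAN only; everyone else is dropped
  #    before Squid ever sees the connection.
  echo "$ipt -A INPUT -i $LAN_IF -s $LAN -p tcp --dport $SQUID_PORT -j ACCEPT"
  echo "$ipt -A INPUT -p tcp --dport $SQUID_PORT -j DROP"
  # 3. Small stateful set: loopback, replies to our own connections, and
  #    RELATED ICMP errors (so dropping other ICMP below does not break PMTU).
  echo "$ipt -A INPUT -i lo -j ACCEPT"
  echo "$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "$ipt -A INPUT -m state --state INVALID -j DROP"
  # 4. Sensitive ports: NetBIOS noise from Windows hosts, plus broadcasts.
  for proto in tcp udp; do
    echo "$ipt -A INPUT -p $proto --dport 135:139 -j DROP"
  done
  echo "$ipt -A INPUT -m addrtype --dst-type BROADCAST -j DROP"
  # 5. ICMP: rate-limited echo requests only; the rest is dropped.
  echo "$ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT"
  echo "$ipt -A INPUT -p icmp -j DROP"
  # 6. Limited logging of what remains, then default deny.
  echo "$ipt -A INPUT -m limit --limit 10/minute -j LOG --log-prefix 'squid-fw: '"
  echo "$ipt -P INPUT DROP"
  # 7. Gateway duty: forward the LAN out and its replies back, nothing else.
  echo "$ipt -A FORWARD -i $LAN_IF -s $LAN -j ACCEPT"
  echo "$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "$ipt -P FORWARD DROP"
  echo "$ipt -P OUTPUT ACCEPT"
}

# Position of the first rule matching a pattern, to check the ordering.
rule_pos() { squid_fw_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1; }
```

Running `squid_fw_rules` prints the set for review; the default-deny policies are applied last so that a partially loaded set never locks out the LAN.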
