Re: Q: Using Squid on a firewall-Host? from John Saunders on 1996-12-17 (squid-users)

From: John Saunders <john@dont-contact.us>
Date: 17 Dec 1996 12:39:49 GMT

Anthony Baxter (arb@connect.com.au) wrote:
>
> >>> Frank Wegner wrote
> > I have heard that people replaced their http-gw of the
> > TIS-Firewall-Toolkit with squid. Is it sensible to use squid on a
> > firewall machine as a proxy? Can I use squid to forward http and ftp
> > requests both ways through the firewall it is running on?
>
> Wow. Thats an _awfully_ large application to be running on a
> firewall.
>
> $ cd ~src/sbin/squid/squid-1.1.1 ; cat src/*.c | wc -l
> 32843

I wouldn't think size had anything to do with the matter. Unless, of
course, you relate in-memory size to the number of security bugs.
But most of Squid is data, the actual text size is mediocre, 260K
with Squid 1.1.0 running on Linux.

While there is nothing technically stopping using Squid, the main
problem is verification that it's secure. It all depends on how
secure people need to be to sleep at night. :-)

Possibly the most secure way would be to run squid on a machine on the
outside of the firewall (no man's land). This machine, of course, would
have to be expendable and hence have nothing interesting on it.

However, unless squid has a nasty bug that gets exercised when a nasty
html doc is fetched, running it on the inside of the firewall is OK. I
guess Windows and Netscape have much higher chances of having a nasty
bug than Squid ever will.

In summary, don't run Squid on the firewall unless you like risking
your systems security. For a few extra http-gw processes, it's not
worth having to explain to the boss how that hacker got into the
company files.

Cheers.
-- +------------------------------------------------------------+
        . | John Saunders - mailto:john@nlc.net.au (EMail) |
    ,--_|\ | - http://www.nlc.net.au/ (WWW) |
   / Oz \ | - 018-223-814 or 02-9477-2881 (Phone) |
   \_,--\_/ | NHJ NORTHLINK COMMUNICATIONS - Supplying a professional, |
         v | and above all friendly, internet connection service. |
              +------------------------------------------------------------+
Received on Tue Dec 17 1996 - 05:10:15 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:33:54 MST