Re: Q: Using Squid on a firewall-Host?

From: Anthony Baxter
Date: Wed, 18 Dec 1996 01:09:00 +1100

>>> John Saunders wrote
> Anthony Baxter wrote:
> > $ cd ~src/sbin/squid/squid-1.1.1 ; cat src/*.c | wc -l
> > 32843
> I wouldn't think size had anything to do with the matter. Unless, of
> course, you relate in-memory size to the number of security bugs.
> But most of Squid is data, the actual text size is mediocre, 260K
> with Squid 1.1.0 running on Linux.

What I was trying to point out was that it really is a rather large
application - heading up towards sendmail size. sendmail's had a heck
of a lot more people checking it for holes over a much greater period
of time than squid, and look how many holes still keep popping up.

> Possibly the most secure way would be to run squid on a machine on the
> outside of the firewall (no man's land). This machine, of course, would
> have to be expendable and hence have nothing interesting on it.

If you want a squid to be accessible to the world, this is the way to
do it, I suspect.

> However, unless squid has a nasty bug that gets exercised when a nasty
> html doc is fetched, running it on the inside of the firewall is OK. I
> guess Windows and Netscape have much higher chances of having a nasty
> bug than Squid ever will.

Assuming you are running it inside the firewall, for clients that are also
inside the firewall.

> In summary, don't run Squid on the firewall unless you like risking
> your system's security. For a few extra http-gw processes, it's not
> worth having to explain to the boss how that hacker got into the
> company files.

And if you've got enough load that the http-gw (or SOCKS, or whatever)
processes are killing you, you should probably be able to get someone
to agree to buying a middling PC, put your free unix of choice on it,
and make it a dedicated squid box.
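To illustrate the point made in this thread (a proxy reachable only by clients inside the firewall, on a dedicated box), here is an added squid.conf fragment. It is not from the original message or from the Squid project; the subnet, the listening port and the use of current `acl`/`http_access` syntax are assumptions, written for modern Squid releases rather than the 1.1 series discussed above.

```conf
# --- Weak setting: an open proxy. Anyone who can reach the port can relay
# through it, which is the exposure the thread warns about when the box sits
# on, or outside, the firewall. Shown commented out; do not use.
# http_port 3128
# http_access allow all

# --- Restricted setting: only the internal client network may use the proxy.
http_port 3128

# Internal client subnet (constructed placeholder, not a real network).
acl localnet   src 192.168.10.0/24
# Destination ports clients are allowed to reach through the proxy.
acl Safe_ports port 80 443
acl SSL_ports  port 443
acl CONNECT    method CONNECT

# http_access rules are evaluated top to bottom; the first match wins.
http_access deny  !Safe_ports          # refuse unusual destination ports
http_access deny  CONNECT !SSL_ports   # tunnels only to HTTPS
http_access allow localnet             # inside clients may proxy
http_access deny  all                  # everything else, including the
                                       # outside world, is refused
```

After editing, `squid -k parse` checks the file for syntax errors before a reload, and a request from a host outside `localnet` should be answered with an HTTP 403 rather than proxied; the Squid access log shows such refusals as `TCP_DENIED` entries, which is the line to watch for if the box is ever exposed further than intended.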

Received on Tue Dec 17 1996 - 06:35:53 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:33:54 MST