Re: IP-Masquerading AND Squid??

From: Josh Kuperman <sar_kuper@dont-contact.us>
Date: Thu, 18 Mar 1999 15:25:14 -0500

I hope you will forgive me. This is not an answer to your question but simply a restatement of a fact that caused me to lose a lot of time. Most of that time was learning how to configure kernels and run ipchains, which is worthwhile and good to know. Only it wasn't needed for what I was trying to accomplish when I started.

If you simply want to provide web access through a proxy server you don't need to masquerade! Unless you are very careful and know what you're doing, masquerading is less secure than letting the proxy server handle it.

Let's say squid is running on a machine with address 198.198.198.198 (this is a made-up valid address, but I didn't want to use a VPN address). Then let's say you also have 220 machines using 192.168.1.2 to 192.168.1.222. As long as they can see the proxy server and the proxy server can go out, you don't need to masquerade.

If you want security, don't masquerade. If you don't masquerade, the only way to go out is through the proxy server, which logs what happens. If you do masquerade, then anyone taking over a machine not only takes over the machine but can get out on the Internet while you're masquerading their packets. It is hard to telnet to port 25 on a distant machine through squid, but easy through most masquerade setups where someone just typed in the samples from the how-to.

At 08:23 AM 3/18/99 -0800, you wrote:
>I work for a school district. I have a few Linux machines in high
>schools using IP masquerading to increase the number of internet
>accesses available. I've now just set up a Squid-Linux for http-ftp
>caching at one site. I'd like to use one cpu to do both Squid and IP
>masquerading. It seems that that could work but I'd love to hear
>back from someone who has it working and any tips he/she might
>send along. Thanks in advance, Ashe Coutts

--
Josh Kuperman        Saratoga Springs Public Library
sar_kuper@sals.edu   49 Henry St
518.584.7860x211     Saratoga Springs, NY 12866
http://www.library.saratoga.ny.us
Received on Thu Mar 18 1999 - 13:30:06 MST
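
The two egress designs the message contrasts (a HOWTO-style blanket MASQ rule in the forward chain, versus no forwarding at all with Squid as the only exit) are modelled below as an added example. It is not code from the post, the archive or the Squid project: it evaluates ipchains-like rules in memory with first-match semantics and never touches a real kernel. The ipchains lines in the comments follow the usual 1999 layout, the Squid port 3128, a DENY policy on both chains, the 203.0.113.25 remote host and the simplified log line are all assumed or constructed; the 198.198.198.198 proxy and the 192.168.1.x clients come from the message.

```python
"""Model of the two egress designs from the message: a blanket MASQ rule
versus proxy-only egress.  Added example; evaluates rules in memory and does
not drive a real ipchains kernel.  Squid port, chain policies and the remote
host address are assumed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

SQUID_HOST = "198.198.198.198"        # proxy address used in the message
SQUID_PORT = 3128                     # Squid's default http_port (assumed)
LAN = ip_network("192.168.1.0/24")    # the 192.168.1.x clients in the message


@dataclass(frozen=True)
class Rule:
    chain: str                 # ipchains built-in chain: "input" or "forward"
    src: IPv4Network           # -s address/mask
    dport: Optional[int]       # destination port, None = any port
    target: str                # -j ACCEPT / DENY / MASQ


def ruleset(mode: str) -> list[Rule]:
    """Rules for one design.  Both assume a DENY policy on the input and
    forward chains (ipchains -P input DENY; ipchains -P forward DENY) and
    let LAN hosts reach Squid on the firewall itself:
        ipchains -A input -s 192.168.1.0/24 -d 198.198.198.198 3128 -j ACCEPT
    "masq" adds the blanket rule typed in from the HOWTO:
        ipchains -A forward -s 192.168.1.0/24 -j MASQ
    "proxy" adds nothing, so the forward chain stays empty and nothing is
    routed out for the clients at all."""
    rules = [Rule("input", LAN, SQUID_PORT, "ACCEPT")]
    if mode == "masq":
        rules.append(Rule("forward", LAN, None, "MASQ"))
    elif mode != "proxy":
        raise ValueError(f"unknown mode {mode!r}")
    return rules


def evaluate(rules: list[Rule], chain: str, src: str, dport: int,
             policy: str = "DENY") -> str:
    """First matching rule in the chain wins; otherwise the chain policy."""
    addr = ip_address(src)
    for r in rules:
        if r.chain == chain and addr in r.src and r.dport in (None, dport):
            return r.target
    return policy


def connect(mode: str, src: str, dst: str, dport: int):
    """Model one TCP connection attempt from a client.  Returns the verdict
    and the log entry an administrator would later find, if any."""
    rules = ruleset(mode)
    if dst == SQUID_HOST:
        # Packets addressed to the firewall host itself traverse the input chain.
        verdict = evaluate(rules, "input", src, dport)
        # Squid records every request it serves in access.log (entry constructed).
        log = f"access.log: {src} request proxied by squid" if verdict == "ACCEPT" else None
    else:
        # Anything else must be forwarded.  A plain MASQ rule rewrites the
        # source address and passes the packet on with no application-level record.
        verdict = evaluate(rules, "forward", src, dport)
        log = None
    return verdict, log


# Constructed sample attempts: one browser request via Squid, then direct
# connections to port 25 and 23 on a remote host (203.0.113.25 is constructed).
ATTEMPTS = [
    ("192.168.1.50", SQUID_HOST, SQUID_PORT),
    ("192.168.1.50", "203.0.113.25", 25),
    ("192.168.1.50", "203.0.113.25", 23),
]


def compare(attempts=ATTEMPTS) -> dict[str, list[tuple[str, int, str, bool]]]:
    """Verdict and whether a log entry exists, per attempt, for both designs."""
    out = {}
    for mode in ("proxy", "masq"):
        out[mode] = []
        for src, dst, dport in attempts:
            verdict, log = connect(mode, src, dst, dport)
            out[mode].append((dst, dport, verdict, log is not None))
    return out


if __name__ == "__main__":
    for mode, rows in compare().items():
        print(mode)
        for dst, dport, verdict, logged in rows:
            print(f"  {dst}:{dport:<5} {verdict:<7} logged={logged}")
```

Under the "proxy" ruleset the only accepted flow is LAN to Squid, and that is exactly the flow that leaves an access.log record; under "masq" the direct port 25 and 23 connections are rewritten and forwarded with no record at all, which is the point the message makes about a compromised client.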

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:45:20 MST