06-May-02 at 12:05, Squid Support (Henrik Nordstrom) (hno@marasystems.com) wrote:
> Simon White wrote:
>
> > Squid is not a firewall. It is an HTTP proxy. You could, at a pinch, call
> > it an "application layer filter" because it can control access to HTTP
> > resources for the network based on application data in HTTP packets.
>
> Squid can be an important component in a firewall, especially so in a proxy
> based firewall.
Absolutely. Squid makes HTTP on your network better, whether you feel like
you need caching or not. Here in Morocco (and in other developing nations)
where I work, it is a very important piece of software as far as my
business objectives are concerned. I'll be in Haiti pushing cache
hierarchies next week, by the way.
> > Linux has come pre-installed with firewalls since the 2.0 series. 2.0.x
> > had ipfwadm, 2.2.x had ipchains, and 2.4.x has iptables. The 2.4.x series
> > iptables supports stateful inspection, full nat connection tracking, and
> > many other very useful things like packet mangling for advanced routing.
> > Try finding that for free anywhere else :)
>
> ipfwadm/ipchains/iptables alone do not make a firewall. Like Squid, they are
> capable components in a firewall, especially so in packet filtering firewalls.
The Linux kernel contains packet filtering code, in 2.4.x it's called
netfilter. iptables is a command line interface to netfilter rules which
makes it a fully fledged firewall, provided all the rules are correctly
configured. Unless I'm missing something. However, it depends whether you
call your firewall a firewall because it's a stateful-inspection packet
filter (à la iptables, CheckPoint) or if your firewall is your whole
network and application layer filtering and authentication subsystem, in
which case Squid is an invaluable component. In fact, if all you do is
HTTP you probably don't need much iptables but you do need something like
Squid.
iptables operates at the network and protocol layer only, with some
stateful inspection which can look at the application layer (like FTP
connection tracking). Squid is another very important link in the chain
for it enables you to easily analyse the HTTP traffic on your network,
make rules and authentication restrictions, etc. A network that surfs the
Internet is way better with Squid since it gives such a fine-grained
control over the HTTP layer.
First and foremost, I'm an HTTP-level person. iptables can add icing to the
cake by allowing redirection, packet logging for any port, nat for
protocols other than HTTP (including some VPN implementations which can be
translated) and low-level filtering. But iptables will do nothing for the
HTTP layer, whereas Squid is your ultimate toolkit for that (especially
the very exciting sounding 2.5 tree which I still haven't had time to test
:-( ).
Regards,
-- [Simon White. vim/mutt. simon@mtds.com. GIMPS:5.390% see www.mersenne.org] Tis better to be silent and thought a fool, than to open your mouth and remove all doubt. -- Abraham Lincoln [Linux user #170823 http://counter.li.org. Home cooked signature rotator.]

Received on Mon May 06 2002 - 06:25:37 MDT