RE: [squid-users] firewall and squid

Instruct Squid to Run Only On Internal IP, Disbale ICP and all other NOT
Used Squid Stuff.

Ciao

Graziano Sommariva
phone: +39-010-658.3921
fax: +39-010-658.5.3921
mobile: +39-348-8558742
mailto: Graziano.Sommariva@Elsag.it

Network Manager
TLC - Telecomunicazioni
SSC - Service Unit Servizi Continuativi
Elsag S.p.A.

-----Original Message-----
From: Chris Wilcox [mailto:not_rich_yet@hotmail.com]
Sent: Wednesday, August 27, 2003 9:26 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] firewall and squid

I'm doing this on my home LAN but purely because I don't have the cash
(pun?) to have seperate computers for the firewall and cache. Still,
there's nothing stopping you having a firewall in more than one place so you

could run Squid from the DMZ but still have the squid box running it's own
firewall to make sure everything is closed off other than say port 3128 so
the only vulnerability on that box is likely to be Squid itself.

Still, my firewall is set up only to accept incoming connections that the
LAN has initiated,so if someone port scans me they see only the ports I need

to have open (eg http and smtp). Works quite well really I reckon.

Regards,

nry
>
>
>
>Fritz Mesedilla wrote:
> >
> > Hello! I'm quite new here.
> >
> > Would it be possible for me to have squid and a firewall on the same
>server? I'm concerned about security and also on budget.
> >
>
> Theoretically, there is no problem.
> But I would advise agains it, also because of spurious port usage
> of squid when maintaining connections.
>
> One of the purposes of firewalls, is to control this.
>
> Also because of traffic generated , it will make the squid box
> 'noticable' and prone to attack.
>
> Therefore our squid is on DMZ, behind firewall
>
> M.

_________________________________________________________________
Express yourself with cool emoticons - download MSN Messenger today!
http://www.msn.co.uk/messenger
Received on Wed Aug 27 2003 - 01:36:39 MDT