Re: [squid-users] Massive problems with https connections to Domino Server (long)

From: <vda@dont-contact.us>
Date: Wed, 11 Feb 2004 20:26:19 +0200

On Wednesday 11 February 2004 17:17, Rainer Traut wrote:
> Hi,
>
> > Give me an example of some security measure which you
> > can accomplish with squid but not with masquerading
> > using iptables.
> >
> > If you can't, maybe you need to think first what exactly you are
> > trying to accomplish. I hope you arent thinking "I do not exactly
> > know why, but folks said it is more secure"? ;)
>
> Ok, here are some reasons:
> - you can have more simple firewall rules.
> Don't underestimate, they are getting complex in bigger networks.

Doable with iptables

> - you can block other programs like icq.
> Only way of really blocking things like icq I can think of is
> by changing dns resolution for these hosts. simply done on the proxy
> server and not for the whole network.

Doable with iptables (block by port#)

> - simple squid acls I already mentioned

Ok this is valid 8)

> - I trust squid/linux more than windows in any kind of network operation

iptables aren't Windows stuff either :)

> > If you do need some filtering via squid, at least make it
> > transparent and unavoidable for your users. Now you have to
> > set up each user's IE to use squid, right? Nothing prevents
> > them from reenabling direct access to Inet.
>
> - you can prevent users from reenabling proxy settings easy

Yes. I thought more about scalability. What is easier -
setting up xparent squid on one box (router) or configuring
Windows on thousands of user boxes?

> - proxy settings are delivered to the client by our novell server, no
> need to do this by hand
> - users are not allowed to go directly, this was just a test, but I
> already mentioned that, sorry if that was not clear.

What can you do against someone plugging into your intranet
a preconfigured laptop which will NOT ask novell about anything
before going direct?

> - authentication does not work with transparent proxy, we are currently
> not using it, but will in the future

Wow. I'm not familiar with this stuff...

--
vda
Received on Wed Feb 11 2004 - 11:26:33 MST
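As an added example (not from this thread or either poster), the two gateway setups argued about above written out as iptables rules for the router box: plain masquerading, which lets any client that ignores the proxy settings go direct, beside a transparent Squid that clients cannot walk around. Interface names, the LAN subnet, the Squid port and the ICQ port (TCP 5190) are assumptions; the `run` helper prints the rules unless `APPLY=1` is set, so the ruleset can be reviewed first. The Squid 2.5-style `httpd_accel_*` directives are the ones that era of Squid needed for interception.

```shell
#!/bin/sh
# Added example, not code from the squid-users thread. Interface names,
# subnet and ports below are assumptions; adjust them to the site.
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
ICQ_PORT=${ICQ_PORT:-5190}     # assumed ICQ/OSCAR login port

# run(): print the command, or execute it when APPLY=1 is set.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# The setup criticised in the thread: masquerading only. A preconfigured
# laptop, or a user who re-enables direct access in the browser, never
# touches Squid because the gateway happily forwards port 80 for it.
masq_only() {
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Transparent, unavoidable proxying on the router itself.
transparent_squid() {
    # 1. LAN web traffic is redirected to the local Squid before routing,
    #    so no client-side proxy setting is involved at all.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    # 2. "Block by port#": ICQ is refused at the gateway for everyone,
    #    independent of DNS tricks or per-client configuration.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -p tcp --dport "$ICQ_PORT" -j REJECT
    # 3. HTTPS cannot be intercepted by Squid (CONNECT needs a proxy-aware
    #    client), so 443 is forwarded directly here; everything else from
    #    the LAN is rejected, which also kills direct port-80 attempts that
    #    bypass rule 1 (e.g. a non-standard route) and any other protocol.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -p tcp --dport 443 -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j REJECT
    # 4. Only traffic originating on the router (Squid itself, plus the
    #    forwarded 443) is masqueraded out.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # 5. Squid listens for the LAN only; the WAN side may not reach it.
    run iptables -A INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$SQUID_PORT" -j DROP
}

# squid.conf fragment that Squid 2.5 needed to accept redirected (intercepted)
# connections; later Squid versions use "http_port 3128 transparent" instead.
squid_conf_fragment() {
    cat <<EOF
http_port $SQUID_PORT
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src $LAN_NET
http_access allow lan
http_access deny all
EOF
}

case "${1:-}" in
    masq)  masq_only ;;
    squid) transparent_squid; echo; squid_conf_fragment ;;
esac
```

Run `sh thisfile.sh squid` to see the generated rules and squid.conf lines, and `APPLY=1 sh thisfile.sh squid` to load them. Note the trade-off the thread touches on: because the browser does not know a proxy is involved, interception of this kind cannot ask for proxy authentication, and HTTPS still leaves the site directly.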