Re: [squid-users] proxy placement.

From: Matus UHLAR - fantomas <uhlar@dont-contact.us>
Date: Fri, 21 Oct 2005 10:06:17 +0200

On 20.10 14:01, Derrick MacPherson wrote:
> Our network looks like:
>
> Internet
> |
> Firewall---DMZ
> |
> LAN
>
> We are wanting to either have a forward or interception proxy, though
> I'm unsure of the reasons for choosing one over the other, can someone
> explain that to me?

Don't use interception unless you really must. Interception is bad and
breaks some things (e.g. disallows proxy authentication).

If you use NAT on firewall, put proxy into DMZ only if you don't NAT from
LAN to DMZ (unless you use 1:1 NAT, which is usually not the case), otherwise
you won't be able to log source IPs of proxy connections.

Proxy usually doesn't need to be accessible from outside, so it doesn't need
to be in DMZ, unless you use NAT _and_ your NAT device/firewall isn't able to
track/NAT FTP connections - in such case you'd only be able to use passive
connections, which may not work for FTP Servers behind similar firewalls.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
How does cat play with mouse? cat /dev/mouse
Received on Fri Oct 21 2005 - 02:06:27 MDT
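
Added example, not part of the original message: a check over Squid's native access.log that shows what the logging caveat above looks like in practice, by measuring how many requests arrive from the firewall's NAT address instead of real LAN clients. The addresses, log lines, function names and the 0.9 threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
# Case 1: LAN -> DMZ traffic is NATed, so Squid only ever sees the firewall.
NATTED_LOG = """\
1129881977.123    120 192.0.2.1 TCP_MISS/200 4512 GET http://example.com/ - DIRECT/198.51.100.10 text/html
1129881978.456     35 192.0.2.1 TCP_HIT/200 1820 GET http://example.com/logo.png - NONE/- image/png
1129881979.789    210 192.0.2.1 TCP_MISS/200 9901 GET http://example.org/ - DIRECT/198.51.100.20 text/html
1129881980.012     18 192.0.2.1 TCP_DENIED/403 1400 GET http://example.net/ - NONE/- text/html
"""
# Case 2: LAN -> DMZ traffic is routed (no NAT), so client addresses survive.
ROUTED_LOG = """\
1129881977.123    120 10.0.0.11 TCP_MISS/200 4512 GET http://example.com/ - DIRECT/198.51.100.10 text/html
1129881978.456     35 10.0.0.12 TCP_HIT/200 1820 GET http://example.com/logo.png - NONE/- image/png
1129881979.789    210 10.0.0.13 TCP_MISS/200 9901 GET http://example.org/ - DIRECT/198.51.100.20 text/html
1129881980.012     18 10.0.0.11 TCP_DENIED/403 1400 GET http://example.net/ - NONE/- text/html
"""

def client_addresses(log_text):
    """Count requests per client address (third field of the native format)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip blank or truncated lines
        counts[fields[2]] += 1
    return counts

def attribution_lost(log_text, nat_addresses, threshold=0.9):
    """True when at least `threshold` of the logged requests come from the
    given NAT addresses, i.e. the log no longer identifies LAN clients."""
    counts = client_addresses(log_text)
    total = sum(counts.values())
    if total == 0:
        return False  # nothing logged, nothing to conclude
    natted = sum(n for addr, n in counts.items() if addr in nat_addresses)
    return natted / total >= threshold

if __name__ == "__main__":
    firewall = {"192.0.2.1"}  # assumed DMZ-side address of the NAT device
    for name, log in (("natted", NATTED_LOG), ("routed", ROUTED_LOG)):
        print(name, dict(client_addresses(log)), attribution_lost(log, firewall))
```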
