
BLU Discuss list archive



Proxy help w/Linux and one or two NIC cards?



Scott Ehrlich wrote:
> My network setup at home consists of a Linksys broadband gateway/router
> connected to Comcast and several machines branching off of it.
> 
> I thought I might be able to get away with one NIC.
> Also please educate if I still need two NICs...
>
> My internal addressing is static 192.168 for all machines, which include
> the two NICs in the proxy box.

I can't help you with Squid, but it sounds like you're off track with 
the two NICs.

In a traditional firewall setup, 2 NICs are used in order to physically 
isolate the two network segments - one being your LAN, and the other 
being the WAN. It is then up to the firewall's rules to decide what can 
pass from one interface to the other.

In your situation, the Linksys router is located in the traditional 
firewall position, straddling the two network segments. (Internally, it 
has the logical equivalent of 2 NICs.) So if your proxy machine is 
inside the LAN, I don't see any value in having two NICs.

The lack of isolation is further emphasized by your comment that both 
NICs have IP addresses on the same network segment.


> ...also found the firewall-howto which has indicated (reminded me) of
> the possible need for two NICs, so I scrounged and installed a second NIC.

You've probably seen a blending of concepts, because proxies are often 
installed directly on the firewall machine, which has 2 NICs.


> I have Debian Woody installed on one box, and port forwarding enabled on
> the Linksys to point to the Debian box to reflect the open incoming
> proxy port.

It isn't clear to me why you needed to open ports on the Linksys to 
provide access to the Squid proxy server, unless that machine is also 
serving up web pages to the public Internet. Typically, a proxy works by 
accepting a request from a client computer on your LAN, and then it 
relays that request to a server on the Internet. As the proxy initiates 
the request directed to the Internet, it should pass through a typical 
NAT router without requiring any special rules.

If you want to boost security, place the machine running the proxy in a 
DMZ, which is like a second LAN that the firewall keeps physically 
isolated from your real LAN. That way if your proxy machine is breached 
(say due to a vulnerability in Squid), the attackers can't get at 
machines on your LAN.

The effectiveness of a DMZ is largely dependent on the kinds of rules 
you create for what is permitted to/from the DMZ. In this case, you'd 
permit LAN traffic to send HTTP requests to your proxy server, and you'd 
permit the proxy server to send HTTP requests out to the Internet, but 
you'd deny any connections from the Internet to the proxy server.

That last bit is the reason why a DMZ is probably overkill for a proxy 
server. Servers that don't accept inbound connections are generally no 
more vulnerable to attack than client computers already on your LAN.

(On a side note, your Linksys router might have a feature labeled DMZ, 
but in my experience DMZ is an exaggeration when applied to consumer 
routers. They typically use the DMZ label to mean that they'll port 
forward all inbound traffic to a designated machine which is on your LAN 
and not isolated.)

  -Tom
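As an added illustration of the DMZ rule set Tom describes (not part of the original thread), here is a small iptables script for a three-NIC Linux firewall: the LAN may reach the proxy port in the DMZ, the proxy may open HTTP/HTTPS connections to the Internet, and everything else (Internet to DMZ, DMZ to LAN) falls to a default DROP. Interface names, subnets, the proxy address and the use of Squid's default port 3128 are assumptions; the script prints the rules and only applies them when APPLY=1.

```shell
#!/bin/sh
# Added example: DMZ forwarding rules for a Linux firewall with three NICs.
# All interface names and addresses below are assumed values, not from the thread.
WAN_IF=eth0             # segment towards the Internet
LAN_IF=eth1             # the "real" LAN with the client machines
DMZ_IF=eth2             # the isolated segment holding the proxy
LAN_NET=192.168.1.0/24  # assumed LAN subnet
PROXY=192.168.2.10      # assumed proxy host address in the DMZ
PROXY_PORT=3128         # Squid's default listening port

# Print each rule; execute it as well only when APPLY=1 (run as root on the firewall).
rule() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    fi
}

dmz_rules() {
    # Deny by default: anything not explicitly permitted below is dropped,
    # which covers Internet -> DMZ and DMZ -> LAN without extra rules.
    rule -P FORWARD DROP
    # Replies to connections that were permitted may flow back.
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients may open connections to the proxy port in the DMZ.
    rule -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$PROXY" \
         -p tcp --dport "$PROXY_PORT" -m state --state NEW -j ACCEPT
    # The proxy may open HTTP and HTTPS connections out to the Internet.
    rule -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$PROXY" \
         -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    # Hide the DMZ address behind the firewall's public address on the way out.
    rule -t nat -A POSTROUTING -o "$WAN_IF" -s "$PROXY" -j MASQUERADE
}

# Dry run by default: shows the five rules that would be installed.
dmz_rules
```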



