[ale] SOHO Proxy - Questions
Geoffrey
esoteric at 3times25.net
Thu Jun 23 18:25:37 EDT 2005
brucelists at bellsouth.net wrote:
> Hey all, been a while since I posted on these lists (subscribed under
> a new e-mail addr). A while back I had put together a one-armed http
> proxy using SuSE 9.1, Squid and squidGuard - plus filters from the
> squidGuard project. I simply pointed browsers to the proxy and away
> we went. After a while, I took the server down and rebuilt it into a
> desktop. I'm planning on putting up another proxy, and had some
> questions.
>
> First: roll your own versus a distro. For SOHO use, would you simply
> use SuSE, Fedora, Debian, ... - and configure it - or would you
> download the kernel, compile and build from scratch? I'm thinking
> using any major distro and keeping up with security patches should be
> fine for a home-use proxy, not so sure about a small business /
> non-profit proxy though.
Agreed. I have 6 SuSE 9.3 boxes here, all current and up to date.
> Second: would you combine firewall and proxy duties on one box, or
> build two? Right now I have a Linksys router (I know, it's not really
> a firewall). So - would you go brandx router crossover cable to
> firewall/proxy for tighter control?
I would build two separate boxes. Personally I would build my own
firewall using Bob Toxen's book as a guide.
> Third: three PCs are for home use, one is for business use and
> connects via VPN to the work network. My initial thought is to go
> Linksys to internal LAN, have my work PC and the proxy on the
> internal LAN (not the DMZ segment on my Linksys - that's a scary
> thought). Home PC's would be behind the proxy.
Sounds right. Is the proxy on the dmz or part of the firewall?
> Fourth: can filters and reports be based on userid authentication, or
> are they IP based? I do not use DHCP at home, and manually assign
> everything - so it is a non-issue, but if I were to replicate the
> proxy for a church or for a friend - I think DHCP would be used.
Are you talking iptables/ipchains filters?
> Finally - while I do not use DHCP at home, if I were to build a proxy
> for a network that does use DHCP, could I pass the DHCP requests
> through the proxy server, or would I need to run firewall, proxy and
> dhcp all on the one box?
You could have separate boxes for each. I'm a firm believer in a
firewall being a firewall and nothing else. Personal opinion there. (I
also lock my car in my garage..)
> Also - do any of you use Viralator and CLAMAV on squid proxies? Is it
> an effective solution? All my Win PC's (I know, that's a bad word) -
> have Antivirus running, current, and scanning daily. Still we got
> infected when my wife snagged my work PC, opened a Hotmail attachment
> and infected it. I don't want to try to 'splain that at the office!
> (I did change the password and repeated the "don't use my work PC for
> anything ever" mantra - but we've had that issue before).
You're pretty well screwed if you're running windows. There's always
the possibility something's going to get through. My wife's box is the
only windows box that has internet access in the house. My daughter has
a dual boot, no network at all when running windows.
>
> (if I go the Debian route - anyone downloaded Sarge stable and burned
> to CD? I'm not sure if I'll go Debian or SuSE - not anything against
> any other distros, it's just that I am slightly more familiar with
> those.)
Everyone know's my opinion, I'd go with SuSE. A lot easier to configure
and install. Further, you're going to have more current software.
Please folks, don't let this start another flame war on distros.
--
Until later, Geoffrey
More information about the Ale
mailing list