[ale] SOHO Proxy - Questions

Bob Toxen transam at verysecurelinux.com
Fri Jun 24 13:30:38 EDT 2005


Do YOU know exactly what traffic is being blocked by your Firewall
(such as your Linksys)?  If not, then you cannot trust it.  This is why
I'm against blackbox firewalls, including Smoothwall and SuSE's Firewall2.
Also, a simple NATting box is not a firewall; it just keeps out the
script kiddies.

My recommendation is to set up a real Linux Firewall and use the
Linksys as a DSL modem.

Whether you use a separate box for your proxy depends on hassle vs.
security and topology.

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002

On Thu, Jun 23, 2005 at 12:09:31PM -0400, brucelists at bellsouth.net wrote:
> Hey all, been a while since I posted on these lists (subscribed under a new e-mail addr). A while back I had put together a one-armed http proxy using SuSE 9.1, Squid and squidGuard - plus filters from the squidGuard project. I simply pointed browsers to the proxy and away we went. After a while, I took the server down and rebuilt it into a desktop. I'm planning on putting up another proxy, and had some questions.
> 
> First: roll your own versus a distro. For SOHO use, would you simply use SuSE, Fedora, Debian, ... - and configure it - or would you download the kernel, compile and build from scratch? I'm thinking using any major distro and keeping up with security patches should be fine for a home-use proxy, not so sure about a small business / non-profit proxy though.
> 
> Second: would you combine firewall and proxy duties on one box, or build two? Right now I have a Linksys router (I know, it's not really a firewall). So - would you go brandx router crossover cable to firewall/proxy for tighter control? 
> 
> Third: three PCs are for home use, one is for business use and connects via VPN to the work network. My initial thought is to go Linksys to internal LAN, have my work PC and the proxy on the internal LAN (not the DMZ segment on my Linksys - that's a scary thought). Home PCs would be behind the proxy.
> 
> Fourth: can filters and reports be based on userid authentication, or are they IP based? I do not use DHCP at home, and manually assign everything - so it is a non-issue, but if I were to replicate the proxy for a church or for a friend - I think DHCP would be used.
> 
> Finally - while I do not use DHCP at home, if I were to build a proxy for a network that does use DHCP, could I pass the DHCP requests through the proxy server, or would I need to run firewall, proxy and dhcp all on the one box?
> 
> Also - do any of you use Viralator and CLAMAV on squid proxies? Is it an effective solution? All my Win PCs (I know, that's a bad word) - have Antivirus running, current, and scanning daily. Still we got infected when my wife snagged my work PC, opened a Hotmail attachment and infected it. I don't want to try to 'splain that at the office! (I did change the password and repeated the "don't use my work PC for anything ever" mantra - but we've had that issue before).
> 
> (if I go the Debian route - anyone downloaded Sarge stable and burned to CD? I'm not sure if I'll go Debian or SuSE - not anything against any other distros, it's just that I am slightly more familiar with those.)
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
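The "real Linux firewall" Bob recommends, written out as an added example (this is not code from his post or from the list): a default-deny iptables rule set for a box sitting between the Linksys (used only as the modem/NAT device) and the home LAN, with Squid running on the firewall host. Interface names, the LAN range and the Squid port are assumptions, and the business PC's VPN is left out; a host that must bypass the proxy would need its own explicit FORWARD rule. Every dropped packet is logged, which is the point of the post: with a rule set you wrote, what is blocked is a matter of reading your own counters and kernel log rather than trusting a vendor's black box.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed interface names,
# LAN range and Squid port; adjust before use. Run as root with the
# argument "apply"; without it the rules are only printed (IPT=echo).
WAN=${WAN:-eth0}                     # toward the Linksys
LAN=${LAN:-eth1}                     # toward the home PCs
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed LAN range
SQUID_PORT=${SQUID_PORT:-3128}       # assumed Squid listen port
IPT=${IPT:-iptables}                 # IPT=echo previews the rules without root

fw_rules() {
    # Start from a clean table and deny by default, so every open path is
    # one you added on purpose and can point to.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT            # the box's own traffic (Squid, updates) goes out

    # Loopback, plus replies to connections this host or the LAN opened
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services offered to the LAN only: SSH for admin and the Squid proxy
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT

    # Only DNS is forwarded from the LAN; web traffic has to go through Squid
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Everything else is dropped by policy; log it (rate-limited) so the answer
    # to "what is being blocked?" is in the kernel log rather than a black box
    $IPT -A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW-DROP-IN: "
    $IPT -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FW-DROP-FWD: "
}

# Per-rule packet/byte counters: together with the LOG lines this shows
# exactly what the firewall has passed and dropped.
fw_show() {
    $IPT -L -v -n --line-numbers
}

if [ "${1:-preview}" = apply ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    fw_rules
else
    IPT=echo
    fw_rules
fi
```

Watching the result is `fw_show` for the counters and `grep FW-DROP /var/log/kern.log` (or `dmesg`) for the individual dropped packets; anything that shows up there and should not is a rule you forgot, not a mystery.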
