
Re: Proxy on firewall or behind it?



> Hi!
> 
> I'm in the process of setting up a leased line/static IP internet connection 
> with the option of a DMZ and a second firewall.
> 
> To simplify the firewalls, I'm thinking about moving the http proxy (squid) 
> from the firewall machine to a machine behind the firewall.
> 
> Are there any additional security risks with the proxy on the intranet?
> 
> Thanks!
> 
> - Christian
> 

I think the opposite is true. I do this for a reverse proxy,
squid in accelerator mode to serve 3 different http boxes.

# Send incoming port 80 to Rproxy. However, we have to allow an
# incoming onto port 80. $IFINET = internet interface, $RPROXY =
# squid box.

iptables -t nat -A PREROUTING -p tcp --dport $HTTP_PORT -i $IFINET \
	-j DNAT --to-destination $RPROXY

iptables -A FORWARD -p tcp --dport $HTTP_PORT -d $RPROXY -j ACCEPT

The less that's available on the firewall, the better; then you
can't get burnt by code vulnerabilities, like the squid bug
for accelerator mode last month. :)

Cheers,
-- 
Support Intellectual Property.	|	Lance Levsen
Surrender yours to Microsoft.	|	Systems
- Ed Craig			|	PWGroup - S'toon.
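A fuller ruleset for the setup described in the reply above (squid in accelerator mode on a separate host, the firewall DNATing inbound port 80 to it), added here as an example and not taken from the post. It goes a step beyond the two rules quoted: it default-denies FORWARD, allows only reply traffic back, and limits the proxy's own outbound connections to the three origin web servers on port 80, so a compromised proxy cannot reach anything else on the intranet. Interface names, the proxy address, and the backend addresses are assumptions; by default it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post. Firewall rules for a squid
# accelerator on a DMZ host fronting three internal HTTP servers.
# All interface names and addresses below are assumed placeholders.
# IPT defaults to "echo iptables" (dry run); set IPT=iptables to apply.

IPT="${IPT:-echo iptables}"

IFINET="${IFINET:-eth0}"          # internet-facing interface (assumed)
IFDMZ="${IFDMZ:-eth1}"            # DMZ interface holding the proxy (assumed)
IFLAN="${IFLAN:-eth2}"            # intranet interface (assumed)
RPROXY="${RPROXY:-192.0.2.10}"    # squid accelerator in the DMZ (assumed)
HTTP_PORT="${HTTP_PORT:-80}"
# The three origin web servers squid serves (assumed, RFC 1918 addresses).
BACKENDS="${BACKENDS:-10.0.0.11 10.0.0.12 10.0.0.13}"

rproxy_rules() {
    # Default-deny forwarding: nothing crosses the firewall unless listed.
    $IPT -P FORWARD DROP
    # Replies to connections already allowed (backend -> proxy, proxy -> client).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 1. Rewrite inbound port 80 on the internet side to the proxy.
    $IPT -t nat -A PREROUTING -i "$IFINET" -p tcp --dport "$HTTP_PORT" \
        -j DNAT --to-destination "$RPROXY"

    # 2. DNAT runs before FORWARD, so the filter rule matches the
    #    rewritten destination, and only from the internet into the DMZ.
    $IPT -A FORWARD -i "$IFINET" -o "$IFDMZ" -p tcp -d "$RPROXY" \
        --dport "$HTTP_PORT" -m state --state NEW -j ACCEPT

    # 3. The proxy may open port 80 to the listed backends and nothing else,
    #    so a compromised squid cannot scan or reach the rest of the intranet.
    for b in $BACKENDS; do
        $IPT -A FORWARD -i "$IFDMZ" -o "$IFLAN" -p tcp -s "$RPROXY" -d "$b" \
            --dport "$HTTP_PORT" -m state --state NEW -j ACCEPT
    done

    # 4. Anything else from the DMZ into the LAN is logged, then hits the
    #    DROP policy (explicit DROP kept so the ordering is visible).
    $IPT -A FORWARD -i "$IFDMZ" -o "$IFLAN" -j LOG --log-prefix "DMZ->LAN: "
    $IPT -A FORWARD -i "$IFDMZ" -o "$IFLAN" -j DROP
}

rproxy_rules
```

Run it as-is to review the generated commands; run `IPT=iptables sh rproxy.sh` as root to apply them. The ESTABLISHED,RELATED rule is what lets the backends answer the proxy and the proxy answer its clients; without it the DNAT works but no reply ever returns.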


