[ale] SOHO Proxy - Questions

brucelists at bellsouth.net brucelists at bellsouth.net
Fri Jun 24 12:25:01 EDT 2005


Thanks for the info. I was thinking of Debian or SuSE (no flame wars please, I know there are other alternatives). I like both, but I have really come to depend on the great manuals that come with SuSE. I have 9.0 and 9.1. I'll go for the 9.3 upgrade (I know you can install from FTP, but I kinda like to have ISO CDs on hand for when - not if - I hose the system up).

I was thinking about combining the firewall and proxy (but having it behind a Linksys NAT router with no holes open inbound). I know the Linksys isn't really a firewall, so I will have to revisit building my own firewall. I looked for Bob's book at Barnes and Noble and Borders and didn't find it. Time to go online shopping (I prefer buying in a bookstore and paying a little extra, as you can hold the book in your hand and leaf through it before making a purchase decision). If I can scavenge enough PCs, I'll think about building a firewall and a separate proxy server. I've read enough about open proxies to think the two-box solution is a very good idea.

As far as reports are concerned, my thought was to use userid/password authentication on the proxy, and then see if I can base ipfilters rules and reports on userid. Right now, since I disabled DHCP and force static IPs, I can set rules for each PC based on IP. It might be better to base them on userid. I'll read the manuals to see if that can be done.

Okay, it's off to build a wish-list. I think from the above I will be wanting the SuSE 9.3 upgrade, 2 PII or better PCs (with plenty of memory and disk space for the web caching server), and at least 3 NICs (2 for the firewall, and at least 1, maybe 2, for the proxy, depending on whether I want a transparent proxy).

I'll use a crossover cable from my Westell DSL modem to the firewall, a switch for the segment my proxy and office PC will be on (and any other servers), and a switch for the PCs behind the proxy (if I go with a transparent proxy with 2 NICs).

For the quick, cheap and easy alternative, I could just keep the Linksys router and make sure it blocks all inbound traffic not originally sourced from inside, build a one-armed proxy server, and block port 80 outbound on the router for all devices EXCEPT the proxy. And I would put nothing on the DMZ. My Linksys has a DMZ port; I put nothing on there. If I build a new firewall, I would put nothing on the DMZ.

> 
> From: Geoffrey <esoteric at 3times25.net>
> 
> brucelists at bellsouth.net wrote:
> > Hey all, been a while since I posted on these lists (subscribed under
> > a new e-mail addr). A while back I had put together a one-armed http
> > proxy using SuSE 9.1, Squid and squidGuard - plus filters from the
> > squidGuard project. I simply pointed browsers to the proxy and away
> > we went. After a while, I took the server down and rebuilt it into a
> > desktop. I'm planning on putting up another proxy, and had some
> > questions.
> > 

> 
> Sounds right.  Is the proxy on the dmz or part of the firewall?
> 
> > Fourth: can filters and reports be based on userid authentication, or
> > are they IP based? I do not use DHCP at home, and manually assign
> > everything - so it is a non-issue, but if I were to replicate the
> > proxy for a church or for a friend - I think DHCP would be used.
> 
> Are you talking iptables/ipchains filters?


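For the userid question (rules and reports keyed on the login rather than the IP address), an added example that is not from the original post or from the Squid and squidGuard projects: a squid.conf fragment that requires a login and applies a time-of-day rule to named users, plus two small report functions over Squid's native access.log, whose eighth field holds the authenticated user name (or "-" when there was none). The ncsa_auth path, the password file, the user names and the log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): per-user rules and reports for
# a Squid proxy that requires a login. Assumed paths: ncsa_auth under /usr/sbin
# and the password file in /etc/squid/passwd. User names are made up.

# squid.conf fragment: basic auth, then ACLs keyed on the authenticated user
# (Squid 2.5 syntax, which is what SuSE 9.x shipped)
squid_auth_conf() {
  cat <<'EOF'
auth_param basic program /usr/sbin/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Home proxy
auth_param basic credentialsttl 2 hours
acl authusers proxy_auth REQUIRED
acl kids proxy_auth bobby sally
acl afterhours time MTWHF 21:00-23:59
http_access deny kids afterhours
http_access allow authusers
http_access deny all
EOF
}

# Constructed sample lines in Squid's native access.log format (not a real capture):
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG='1119630301.120   245 192.168.1.10 TCP_MISS/200 4521 GET http://www.example.com/index.html bruce DIRECT/192.0.2.10 text/html
1119630302.440    12 192.168.1.10 TCP_HIT/200 1200 GET http://www.example.com/logo.gif bruce NONE/- image/gif
1119630310.001     3 192.168.1.11 TCP_DENIED/407 1700 GET http://www.example.org/ - NONE/- text/html
1119630311.500   310 192.168.1.11 TCP_MISS/200 9800 GET http://www.example.org/news.html alice DIRECT/192.0.2.20 text/html
1119630320.222   150 192.168.1.12 TCP_MISS/200 3300 GET http://www.example.net/ alice DIRECT/192.0.2.30 text/html'

# Requests and bytes per authenticated user (field 8), skipping denied requests.
# Reads the log from file arguments or stdin; output: "user requests bytes".
user_report() {
  awk '$4 !~ /^TCP_DENIED/ { reqs[$8]++; bytes[$8] += $5 }
       END { for (u in reqs) printf "%s %d %d\n", u, reqs[u], bytes[u] }' "$@" | sort
}

# Clients that got the 407 challenge: a PC with no proxy credentials configured,
# or someone guessing. Output: "client-ip count".
auth_failures() {
  awk '$4 == "TCP_DENIED/407" { n[$3]++ }
       END { for (c in n) printf "%s %d\n", c, n[c] }' "$@" | sort
}

# Run the reports over the constructed sample when executed directly
printf '%s\n' "$SAMPLE_LOG" | user_report
printf '%s\n' "$SAMPLE_LOG" | auth_failures
```

Two things follow from this layout. iptables only ever sees addresses, so per-user policy has to live in Squid (the http_access lines) or in squidGuard, which receives the same user name on each redirector request line and accepts user lists in its src groups; the firewall's job is just to make sure nothing reaches the web except through the proxy. And because Squid logs the login in the same place on every line, the reports stay correct when DHCP hands out different addresses, which is the case that matters for the church or friend setup mentioned in the thread.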