RE: [squid-users] Squid Server Accelerator + iptables

From: Jim Matthews <[email protected]>
Date: Fri, 25 Jun 2004 11:05:32 -0400

Hi

I use iptables on my Squid box and by default I DENY everything and only
allow those services which I need (ssh/ntp/dns/etc.). When configuring a
rule for Squid as an accelerator, what port/range of ports do I need to
ACCEPT? Do I need to setup a rule to FORWARD all connections on port 80
to my backend server?

Thanks.
---------------------
Jim Matthews
ISS Systems Administrator
Duke University - Perkins Library
Box 90196
Durham, NC 27708
Email: jim.matthews@duke.edu
Voice: 919-660-5963
Fax: 919-684-6990

Chris Perreault <Chris.Perreault@Wiremold.com>
06/25/2004 07:45 AM
To: squid-users@squid-cache.org
cc:
Subject: RE: [squid-users] Squid Server Accelerator + iptables

Firewalls use rules, just like squid does through its ACLs. There are
numerous firewalls out there to choose from. Basically you'd set up a rule,
for squid, that only allowed traffic from the squid box to your back end
webserver via the ports and traffic type that you needed. Ie: only open port
80, and only allow http traffic, which in effect won't allow telnet, ftp,
and a bunch of other traffic occurring on ports you don't want/need traffic
on.

Likewise, a firewall above squid, between it and the internet end-users,
gets configured to only allow whatever traffic is needed to make it to the
squid box.

Best way? There are many different ways. With security it's an "amount risk
can you afford" or "how much insurance can you afford". What are you
protecting, how sensitive is the data, and when it does get hacked (not
if..when) what's the worst it can be. Ie: disaster recovery...how long until
you are back online with valid data. The "best" way would be to have two
different brands of firewalls, on different operating systems, thus reducing
the pool of people/scripts with the knowledge to hack their way in. That
means more maintenance on the admin's side too though, for the admin also
needs to know 2 different firewalls. Money no object..go for 3 firewalls to
make things even more secure.

internet user <--> |firewall| <--> user only talks to squid via <--> |squid|
<--> squid only talks to squid <--> firewall <--> |squid2| <--> squid2 only
talks to back end web server <--> |firewall| <--> webserver only talks to
squid2 <--> internal webfarm

Here you have a public/outer DMZ and a private/inner DMZ. Complicated setup.

Or...the "best" for you might just be hardening the squid box, no outer
firewall and then having a firewall between your web server and squid. Not
knowing specifics makes determining the best hard to do.

Chris Perreault
Webmaster/MCSE
The Wiremold Company
West Hartford, CT 06010
860-233-6251 ext 3426

-----Original Message-----
From: Jim Matthews [mailto:jim.matthews@notes.duke.edu]
Sent: Thursday, June 24, 2004 5:04 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid Server Accelerator + iptables

I have squid running in server accelerator mode pointing to one backend
server. What's the best way to:

a. firewall the squid box
b. firewall the backend server to only accept connections from the squid
box

Any pointers or suggestions would be great.

Thanks.
---------------------
Jim Matthews
ISS Systems Administrator
Duke University - Perkins Library
Box 90196
Durham, NC 27708
Email: jim.matthews@duke.edu
Voice: 919-660-5963
Fax: 919-684-6990
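A concrete rule set for the two boxes this thread is about (Jim's questions a. and b., and Chris's point about only opening port 80 from squid to the back end), added here as an illustration and not taken from either poster's setup. It assumes Squid listens on port 80 (http_port in squid.conf) and opens its own TCP connection to the backend, so the backend only needs to accept port 80 from the Squid address and no FORWARD rule is involved; the addresses and the admin network are placeholders, and DRY_RUN defaults to printing the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread). Two host firewalls for the layout
# discussed: a Squid accelerator listening on port 80 and one backend web
# server that should only hear from the Squid box. Addresses are placeholders.
SQUID_IP="${SQUID_IP:-192.0.2.10}"        # assumed address of the squid box
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"    # assumed network ssh is allowed from
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the rules, 0 = apply them (root)

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Default-deny base shared by both boxes. Replies to the box's own outbound
# DNS/NTP/HTTP traffic come back as ESTABLISHED, so no inbound holes for them.
common_base() {
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP            # nothing is routed; Squid proxies, it does not forward
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT   # ssh from admin net only
}

# Squid box: the only listener the outside needs is the accelerator port
# (http_port 80 in squid.conf). Squid opens its own TCP connection to the
# backend, so no FORWARD rule is required.
squid_host_rules() {
    common_base
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
}

# Backend: HTTP only from the Squid box; everything else hits the DROP policy.
backend_host_rules() {
    common_base
    ipt -A INPUT -p tcp -s "$SQUID_IP" --dport 80 -j ACCEPT
}

case "${1:-}" in
    squid)   squid_host_rules ;;
    backend) backend_host_rules ;;
esac
```

Run it as `sh rules.sh squid` or `sh rules.sh backend` to review the rules, then `DRY_RUN=0` on the matching host to apply them.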
Received on Fri Jun 25 2004 - 09:05:38 MDT
