Simon Murcott wrote:

> On Thu, 2002-03-07 at 11:06, Josh Frick wrote:
>
> > Thank you. That's what I had suspected. NAT is NAT, right? I'm trying to build a multi-layered approach. Currently it's two Coyote (IPchains) firewalls in front of Squid/Socks. This does prevent direct connections to my clients, which I had assumed was more secure than otherwise, but I wasn't sure if that was meaningful. My clients and the Squid/Socks box are not reachable by the gateway. Only the choke, which will be reconfigured (by way of a crossover cable) to be connected only to the Squid/Socks box. I just wanted to know if this was any better than simply adding a third IPchains box.
>
> Something to be aware of is that having two firewalls of the same flavour will not buy you any more security. If a crack/exploit works on one then it will work on the other. Try replacing one of them with another OS and firewall solution.

Eventually, I plan on replacing both Coyote boxes with IPtables-capable firewalls (for stateful inspection). The choke will be Woody, I think, with SNORT, and the gateway will either be floppyfw or Devil Linux or a homebrew busybox. But they're still going to be i386 Linux. Hopefully, I can disable module support in both.

> Adding a third ipchains box will give you as much protection as adding a piece of wire.

This is unclear. In the context of your first statement, I guess you're saying it's just as easy to break into?

> Where a proxy is extremely useful is being able to inspect (and correct or reject) the data it receives before it gives it to the client machine. That is, you can plug a virus scanner into Squid, remove ActiveX, etc.

How does it do so? By default? Or do I need to fine-tune squid.conf and danted.conf, or recompile both?

Thanks.

Sincerely,
Josh Frick
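The proxy-side inspection Simon describes (scan, rewrite or reject a fetched response before the client sees it) is what distinguishes a proxy layer from a third packet filter. The block below is an added illustration of that decision logic in Python; it is not code from this thread, from Squid or from Dante. The media-type deny list, the placeholder comment, the zero CLSID in the sample page and the "scanner" signature are all constructed for the example, and the `inspect_response` function stands in for whatever hook a real proxy uses to call an external scanner.

```python
"""Added example: proxy-side content inspection of an HTTP response.

Classifies a response as "pass", "rewrite" or "reject" before it is
handed to the client. Policy values are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed policy: media types the proxy refuses to hand to clients.
BLOCKED_MIME_TYPES = {"application/x-oleobject", "application/x-msdownload"}

# Matches <object ... classid=...>...</object>, the HTML element used to
# embed ActiveX controls. Bytes pattern so it runs on the raw body.
ACTIVEX_RE = re.compile(
    rb"<object\b[^>]*\bclassid\s*=[^>]*>.*?</object\s*>",
    re.IGNORECASE | re.DOTALL,
)
ACTIVEX_PLACEHOLDER = b"<!-- ActiveX control removed by proxy policy -->"

# Constructed signature for the toy scanner hook; a real deployment would
# call an actual virus scanner at this point.
TOY_SIGNATURES = [b"CONSTRUCTED-MALWARE-SIGNATURE"]


def toy_scanner(body: bytes) -> bool:
    """Return True when the body contains a known-bad signature."""
    return any(sig in body for sig in TOY_SIGNATURES)


@dataclass
class Verdict:
    action: str            # "pass", "rewrite" or "reject"
    headers: dict
    body: bytes
    reasons: list = field(default_factory=list)


def content_type(headers: dict) -> str:
    """Media type without parameters, lower-cased; '' if the header is absent."""
    return headers.get("Content-Type", "").split(";", 1)[0].strip().lower()


def inspect_response(headers: dict, body: bytes, scanner=toy_scanner) -> Verdict:
    """Apply the inspection policy in order: media type, scanner, HTML rewrite."""
    reasons = []
    ctype = content_type(headers)

    # 1. Reject outright anything whose declared type is on the deny list.
    if ctype in BLOCKED_MIME_TYPES:
        reasons.append(f"blocked media type {ctype}")
        return Verdict("reject", headers, b"", reasons)

    # 2. Hand the body to the scanner hook; reject on a match.
    if scanner(body):
        reasons.append("scanner matched a known-bad signature")
        return Verdict("reject", headers, b"", reasons)

    # 3. For HTML, strip embedded ActiveX objects and fix up Content-Length,
    #    since the rewritten body is shorter than what the origin sent.
    if ctype == "text/html":
        new_body, count = ACTIVEX_RE.subn(ACTIVEX_PLACEHOLDER, body)
        if count:
            new_headers = dict(headers)
            new_headers["Content-Length"] = str(len(new_body))
            reasons.append(f"removed {count} ActiveX object element(s)")
            return Verdict("rewrite", new_headers, new_body, reasons)

    return Verdict("pass", headers, body, reasons)


# Constructed sample response: a page embedding one ActiveX control.
SAMPLE_HTML = (
    b"<html><body><p>hello</p>"
    b'<object classid="clsid:00000000-0000-0000-0000-000000000000" width=1>'
    b"</object><p>bye</p></body></html>"
)
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=iso-8859-1",
    "Content-Length": str(len(SAMPLE_HTML)),
}

if __name__ == "__main__":
    for hdrs, body in [
        (SAMPLE_HEADERS, SAMPLE_HTML),
        ({"Content-Type": "application/x-msdownload"}, b"MZ..."),
        ({"Content-Type": "text/plain"}, b"x CONSTRUCTED-MALWARE-SIGNATURE y"),
        ({"Content-Type": "text/html"}, b"<p>clean</p>"),
    ]:
        v = inspect_response(hdrs, body)
        print(v.action, v.reasons)
```

The ordering matters: a type-based reject is cheap and happens first, the scanner runs on every body that survives it, and only HTML is rewritten. The Content-Length fix-up is the detail that is easy to forget when a proxy edits a body in place.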