[COLUG] ipkungfu/squid problems
Dave Maxwell
dmaxwell at columbus.rr.com
Tue Mar 4 22:01:54 EST 2008
On Tue March 4 2008, Duane wrote:
> The reason for 2 interfaces is so users can't bypass the redirections
> that the proxy does, the 2nd interface is to connect to the internet,
> the first to your network, etc.
If transparent proxying isn't an absolute must, then a single-NIC proxy can be
used to do this. You also have to have a "default deny" firewall that is a
separate machine from the proxy. A "default deny" firewall basically only
allows a small list of machines and connection types out. Basically, the
firewall is set to allow proxies but not other clients to connect out.
Basically what you're doing is putting that "second interface" at the
ingress/egress point of your network. Still, you're going to have it either in
the proxy itself or somewhere else. Otherwise, it won't be mandatory for
client machines to use it to connect (which isn't always a bad thing if the
proxy serves purposes other than network policy enforcement).
Dave
--
I respect the institution of marriage. I have always thought that every
woman should marry -- and no man.
-- Benjamin Disraeli, "Lothair"
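
The "default deny" firewall described in the message above, as an added example that is not part of the original post: one function prints FORWARD-chain rules for the separate firewall machine, and a second audits an `iptables-save` style ruleset to confirm that only the proxy can open connections out. The address `192.168.1.10`, the interface names `eth0`/`eth1`, the allowed ports and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Addresses and interface names are constructed placeholders.

# Print FORWARD-chain rules in iptables-restore format for the separate
# firewall machine: drop by default, let only the proxy open connections out.
# Assumption: the proxy needs web ports plus DNS; adjust to what it really uses.
emit_egress_rules() {
    proxy_ip=$1; lan_if=$2; wan_if=$3
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $proxy_ip/32 -i $lan_if -o $wan_if -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s $proxy_ip/32 -i $lan_if -o $wan_if -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -j LOG --log-prefix "egress-denied: "
COMMIT
EOF
}

# Read an iptables-save style ruleset on stdin. Print each problem and return
# non-zero unless the FORWARD policy is DROP and every ACCEPT rule (other than
# the reply-traffic rule) is pinned to the proxy's source address.
audit_egress_rules() {
    awk -v proxy="$1/32" '
        $1 == ":FORWARD" { policy = $2 }
        $1 == "-A" && $2 == "FORWARD" && / -j ACCEPT/ &&
        !/--ctstate (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j/ {
            src = ""
            for (i = 3; i < NF; i++)
                if ($i == "-s") src = ($(i - 1) == "!" ? "!" : "") $(i + 1)
            if (src != proxy) { print "non-proxy ACCEPT: " $0; bad = 1 }
        }
        END {
            if (policy != "DROP") { print "FORWARD policy is not DROP"; bad = 1 }
            exit bad + 0
        }'
}

# Generate the rules for a constructed proxy address and audit them.
emit_egress_rules 192.168.1.10 eth0 eth1 |
    audit_egress_rules 192.168.1.10 && echo "ruleset ok"
```

On a live firewall the same audit can be fed from `iptables-save -t filter`; the LOG rule records clients that try to connect out without going through the proxy.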