Cascading firewalls

This would work, yes. And not having firewall and proxy on the same machine is a good thing, as the firewall will still protect you somewhat.

However, it would be better to have the proxy server segmented from the LAN, as a compromised proxy server - and, let's face it, Squid is not unbreakable - would grant total access to the LAN, no matter if the firewall is 'in front of' the proxy server or the same machine. In fact, in the first scenario, only egress filtering would continue to work somewhat, and even then, a skilled attacker can always open some form of tunnel into your network.

You are proposing this:

The net | FW | Proxy | LAN

Which is better than

The net | FW+Proxy | LAN

but not quite as good as

The net | FW---- Proxy | LAN

(mainly because in the latter case, connections between proxy and LAN can be checked much better, which makes both attacking the proxy and attacking the LAN harder).

However, presuming you go with the configuration as planned, and with the disclaimer that I do not know the Smoothwall, I am fairly certain it can do the NAT itself. That would mean there's no compelling reason to do anything on the proxy server but forward traffic. (Of course, the proxy server *can* do the NAT as well. This makes it more likely to take lots of stuff with it if failing, but will also reduce the load on your firewall. On the third hand, it's not unlikely the proxy server will come under more load...)

For the proxy server, you'd assign the firewall as gateway. In your configuration, you'd assign the proxy server as gateway to pretty much everything else.

In the third proposed configuration, the firewall is the gateway for everything on the network, with a separate proxy configuration for the web-enabled clients.

Hope this was helpful. As a last point, here's the iptables line for NAT:

iptables -t nat -A POSTROUTING -j MASQUERADE - or - iptables -t nat -A POSTROUTING -j SNAT --to-source $MY_IP

The first is used for dynamic addresses. Since this is not the case, go with second - but I'll have to admit to never having actually tested that one.

Joachim

Thank you Joachim. I was a little nervous posting this because a couple of Linux newsgroups basically told me to find out for myself, which I have tried to do. The first thing I appreciate is your helpfulness, then your knowledge!

I am going to stick with the configuration as planned, although in a bigger network I would probably go with your advice to segment the proxy. (Does this mean a third NIC in the firewall?) I am glad to know that it will work, but still a bit shaky on the details. Since I am new-ish to Linux, would it be possible just to enable IP forwarding on eth1 on the Suse\\Squid box, using the GUI for Network Card configuration? Please excuse my ignorance! I did this but it didn't seem to work. I could get onto the net from the Linux box but not from a Windows XP client on the LAN.

PS Please remove underscore to reply by mail. Thanks.

Am Mon, 05 Dec 2005 15:05:44 +0000 schrieb jKILLSPAM.schipper:

which is not as good as:

Internet | external packet-filter |

which is not is as good as:

Internet | external packet-filter | Application Lecel Gateway with 2 NIC | internal packet-filter | LAN

Wolfgang

Yes, very true. But I figured this would be a little out of budget, really, as the added security gets very costly quickly.

Joachim

Segmenting the proxy would likely require another NIC, yes (more exotic solutions exist, but tend to be more trouble and more expense than it's worth - at least at small scales, things like VLANs are supposedly very useful in large installations).

I have never used SUSE, and personally always preferred non-graphical methods of doing my configuration. So I'm not sure. That being said, I do know that in Linux you have to enable both packet forwarding (can be done by 'echo 1 > /proc/sys/net/ipv4/ip_forward' as root) and NAT (via my iptables command).

Someone with more knowledge of SUSE than myself may be able to tell you how to do this in SUSE's graphical tools.

All that being said, reading up on networking is never a bad idea, as it can get you out of a lot of tight spots and will be assumed known by many groups.

Joachim

Yes, and this is part of the process of learning for me! Lots learned, lots more to learn! I have been watching Ethereal for a while now and it is fascinating watching how network traffic works!

The gist is that both NAT and packet forwarding have to be enabled on the Suse\\Squid box. I can at least follow the leads here and carry on learning! Thank you so much.