On Wednesday 11 February 2004 17:17, Rainer Traut wrote:
> Hi,
>
> > Give me an example of some security measure which you
> > can accomplish with squid but not with masquerading
> > using iptables.
> >
> > If you can't, maybe you need to think first what exactly you are
> > trying to accomplish. I hope you aren't thinking "I do not exactly
> > know why, but folks said it is more secure"? ;)
>
> Ok, here are some reasons:
> - you can have simpler firewall rules.
> Don't underestimate this, they get complex in bigger networks.

Doable with iptables.

> - you can block other programs like icq.
> The only way of really blocking things like icq I can think of is
> by changing dns resolution for these hosts. Simply done on the proxy
> server and not for the whole network.

Doable with iptables (block by port#).

> - simple squid acls, I already mentioned

Ok, this is valid 8)

> - I trust squid/linux more than windows in any kind of network operation

iptables aren't Windows stuff either :)

> > If you do need some filtering via squid, at least make it
> > transparent and unavoidable for your users. Now you have to
> > set up each user's IE to use squid, right? Nothing prevents
> > them from reenabling direct access to Inet.
>
> - you can prevent users from reenabling proxy settings easily

Yes. I thought more about scalability. What is easier -
setting up xparent squid on one box (the router),
or configuring Windows on thousands of user boxes?

> - proxy settings are delivered to the client by our novell server, no
> need to do this by hand
> - users are not allowed to go directly, this was just a test, but I
> already mentioned that, sorry if that was not clear.

What can you do against someone plugging into your intranet
a preconfigured laptop which will NOT ask novell about anything
before going direct?

> - authentication does not work with transparent proxy, we are currently
> not using it, but will in the future

Wow. I'm not familiar with this stuff...
--
vda
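The two iptables claims made in the reply above ("setting up xparent squid on one box (router)" and "block by port#") as an added, runnable example. This is not code from the thread or from either poster; it is written here to show what the router-side rules look like. Assumptions not in the original: LAN interface eth0, LAN subnet 192.168.0.0/24, squid listening on the router's port 3128 and already configured for interception (that squid.conf part differs between squid versions and is not shown), and ICQ/AIM on TCP and UDP port 5190. IPT defaults to `echo iptables`, so running the script prints the rules instead of applying them; set `IPT=iptables` as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread. Router-side iptables rules for
# (1) transparently redirecting LAN web traffic into a local squid, so a user
#     who re-enables "direct access" in IE still ends up in the proxy, and
# (2) blocking a protocol by port number (ICQ assumed on 5190) with no squid.
# All interface/subnet/port values below are assumptions for illustration.

LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
ICQ_PORT=${ICQ_PORT:-5190}
# Dry-run by default: print the commands. IPT=iptables applies them (root).
IPT=${IPT:-"echo iptables"}

# Transparent proxy: rewrite the destination of LAN HTTP traffic to squid on
# this box. Only packets arriving on the LAN interface are matched, so
# squid's own outbound connections (leaving via OUTPUT) are never looped back.
squid_redirect_rules() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # After REDIRECT the packet is locally delivered, so it traverses INPUT.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# "Block by port#": refuse ICQ from the LAN regardless of any proxy setting.
# REJECT rather than DROP so the client fails fast instead of timing out.
icq_block_rules() {
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$ICQ_PORT" -j REJECT
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p udp --dport "$ICQ_PORT" -j REJECT
}

# The "preconfigured laptop" objection: these rules key on source network and
# interface, not on anything the client chooses, so the laptop is covered too.
# What the port-80 redirect does NOT cover is everything else (HTTPS, HTTP on
# 8080, ...). A default-drop FORWARD policy makes that explicit: only what is
# listed here leaves the LAN directly.
default_forward_policy() {
    $IPT -P FORWARD DROP
    # Return traffic for connections the router already allowed.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # HTTPS goes out directly: squid cannot intercept it without acting as MITM.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 443 -j ACCEPT
}

# Usage:  sh proxyrules.sh                (print the rules)
#         IPT=iptables sh proxyrules.sh   (apply them, as root)
# Order matters: policy and state rule first, then the explicit rejects.
default_forward_policy
icq_block_rules
squid_redirect_rules
```

Note what this setup gives and does not give: once port 80 is redirected at the router, the per-client IE configuration (or the Novell-delivered proxy setting) is no longer a security control, only a convenience; and, as Rainer says, authentication does not work in this interception mode, because the browser does not know it is talking to a proxy and never sends Proxy-Authorization.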
