Give me an example of some security measure which you can accomplish with squid but not with masquerading using iptables.
If you can't, maybe you need to think first about what exactly you are trying to accomplish. I hope you aren't thinking "I do not exactly know why, but folks said it is more secure"? ;)
Ok, here are some reasons:
- you can have simpler firewall rules. Don't underestimate this; they get complex in bigger networks.
- you can block other programs like ICQ. The only way of really blocking things like ICQ I can think of is by changing DNS resolution for these hosts; simply done on the proxy server and not for the whole network.
- simple squid ACLs, which I already mentioned
- I trust squid/Linux more than Windows in any kind of network operation
If you do need some filtering via squid, at least make it transparent and unavoidable for your users. Now you have to set up each user's IE to use squid, right? Nothing prevents them from re-enabling direct access to the Internet.
- you can prevent users from re-enabling proxy settings easily
- proxy settings are delivered to the client by our Novell server, no need to do this by hand
- users are not allowed to go directly; this was just a test, but I already mentioned that, sorry if that was not clear.
- authentication does not work with a transparent proxy; we are currently not using it, but will in the future
Raiiner
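As an added illustration of the points made in this thread (not taken from the posts above): a minimal squid.conf ACL set that requires proxy authentication, the feature a transparent proxy cannot offer, and denies a class of destinations by name, which is the per-application blocking the first reply describes. The LAN 192.168.1.0/24, the helper path and the blocked domains are constructed placeholders.

```conf
# squid.conf excerpt (constructed example, not from the thread)
# Assumed: clients sit in 192.168.1.0/24 and are configured to use this proxy.

# Proxy authentication. This is why the reply says auth and transparent
# proxying do not mix: an intercepted connection never receives the
# 407 challenge the browser would answer, so the user can never be identified.
# Helper path is an assumption; it differs between distributions.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Proxy
acl authed proxy_auth REQUIRED

acl localnet src 192.168.1.0/24

# Per-application blocking by destination name (placeholder domains):
# list the hosts the client program contacts through the proxy.
acl blocked_apps dstdomain .messenger.example .chat.example

# First matching http_access line wins, so deny rules go first.
http_access deny blocked_apps
http_access deny !authed
http_access allow localnet authed
http_access deny all
```

These ACLs only bite if the gateway forwards nothing for the LAN except traffic from the proxy host itself, which is also what makes the firewall rule set short: one accept for the proxy's address and one drop for the rest of 192.168.1.0/24.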
