Date: Thu, 26 Mar 1998 09:46:48 -0800
From: Bill Trost <trost@cloud.rain.com>
To: Open Systems Networking <opsys@mail.webspan.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: I need some proxies! :)
Message-ID: <19980326180102.9784.qmail@jli.com>
In-Reply-To: Your message of Thu, 19 Mar 1998 23:02:11 EST. <Pine.BSF.3.95.980319225655.27067A-100000@orion.webspan.net>
References: <Pine.BSF.3.95.980319225655.27067A-100000@orion.webspan.net>
On Thu, 19 Mar 1998, Graphic Rezidew wrote:
> Open Systems Networking wrote:
> > I'm about to build a security/internet connection for a local corp.
> > That goes a little something like this:
> >
> > Internet--->IPFW/NAT server--->proxy server/SKIP--->Internal lan.
>
> Just out of curiosity, why would you need a proxy on the "inside" of the
> ''firewall''? I could see using it in select situations, but you may be
> walking up a hill that you don't need to.

To keep outsiders from telnetting to the proxy server?

Actually, I was more wondering why you wanted to run NAT. The only box that needs to speak to the outside world is the proxy server, so you could just give it a real IP address. Put the internal network on net 10.0.0.0, don't put any routes to net 10 on the firewall, and there is "no way" that an attacker could send any packets to the inside hosts.

Gee, and that's a reason to keep the packet filter and the proxy separate, too. You can't do routing restrictions in a single-box implementation.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19980326180102.9784.qmail>