[oclug] Linux as a Caching Proxy and Firewall
burns at burnsmacdonald.com
Sat Mar 23 22:56:34 EST 2002
On March 23, 2002 10:34 am, Bill Omer wrote:
> > Ray wrote:
> > > I have no personal experience with it, but 'Squid' is a proxy
> > > that I have seen mentioned favourably again and again. YMMV...
> > Squid is best used as a caching proxy, but you need lots and lots of RAM.
> > Don't use it as a firewall/ip filter, iptables is much better.
> > YMMV
> > --
> > burns
> Don't use Squid as a firewall/ip filter? I didn't know it had the kind of
> functionality ....
Squid has access and authentication controls, plus a lightweight set of
filters... mostly to protect Squid itself and not a network. This has led
some people to use Squid as an ersatz firewall or router - it is neither and
really shouldn't be used as such. However, Squid's filtering capabilities
have been bolstered by an add-on, SquidGuard. According to the Squid site,
"SquidGuard is a free (GPL), flexible and ultra fast filter, redirector and
access controller plugin for squid. It lets you define multiple access rules
with different restrictions for different user groups on a squid cache.
squidGuard uses squid's standard redirector interface." Nevertheless, I
still recommend using Squid as a caching proxy and using a firewall where you
want a real firewall.
> I've been using squid for about a couple of years now on my home lan.
> Since I'm on a 28.8 dial up connection, it really helps a lot. I've never
> had a problem with it eating up ram on my firewall machine though. It
> works great for us, I've never had a problem with it.
For the usage rates at your home, you probably wouldn't even notice it, Bill.
But it's pretty well known that on an operational network of any size and
where there is a lot of demand, Squid eats up lots of RAM; how much depends
on how you have it configured and the nature of the traffic.
FWIW, it's generally considered a prudent practise to establish your firewall
on a separate box **out in front** of those that are hosting your other
services. Firewalls should be thought of as sacrificial. In effect, you have
no DMZ the way you have it set up. It's like putting the things you want to
protect out on the front line with your advance troops -- just a suggestion,
YMMV, of course.
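
The "standard redirector interface" quoted above is a line-oriented helper protocol, sketched here as an added example (not code from this post, Squid or SquidGuard) to show why such a filter only ever sees HTTP requests that pass through the proxy and cannot stand in for iptables. It assumes the classic Squid 2.x format of one request per line, "URL client-ip/fqdn ident method", answered by a replacement URL or a blank line for "no change"; the host names, subnet prefix and block page are constructed.

```python
import sys

# Constructed policy values (hypothetical, not from the post).
BLOCKED_HOSTS = {"ads.example.com", "tracker.example.net"}
RESTRICTED_PREFIX = "192.168.1."      # assumed subnet the rule applies to
BLOCK_PAGE = "http://proxy.example.lan/blocked.html"


def host_of(url):
    """Return the lower-cased host part of a URL or host:port string."""
    rest = url.split("://", 1)[-1]            # drop the scheme if present
    hostport = rest.split("/", 1)[0]          # drop the path
    hostport = hostport.rsplit("@", 1)[-1]    # drop any userinfo
    return hostport.split(":", 1)[0].lower()  # drop the port


def decide(line):
    """Answer one request line: a replacement URL, or "" to leave it alone."""
    fields = line.split()
    if len(fields) < 2:
        return ""                             # malformed input: pass through
    url, client = fields[0], fields[1]
    client_ip = client.split("/", 1)[0]       # "ip/fqdn" -> ip
    host = host_of(url)
    blocked = host in BLOCKED_HOSTS or any(
        host.endswith("." + b) for b in BLOCKED_HOSTS)
    if blocked and client_ip.startswith(RESTRICTED_PREFIX):
        return BLOCK_PAGE
    return ""


def main():
    # The proxy keeps the helper running and waits for each answer,
    # so every reply is flushed immediately.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Everything this helper decides on is a URL plus the requesting client; traffic that never reaches the proxy port is invisible to it, which is the job of the packet filter on the box in front.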