[oclug] Linux as a Caching Proxy and Firewall

burns burns at burnsmacdonald.com
Sat Mar 23 22:56:34 EST 2002


On March 23, 2002 10:34 am, Bill Omer wrote:
> > Ray wrote:
> > > I have no personal experience with it, but 'Squid' is a proxy
> > > that I have seen mentioned favourably again and again.  YMMV...
> >
> > Squid is best used as a caching proxy, but you need lots and lots of RAM.
> > Don't use it as a firewall/ip filter, iptables is much better.
> >
> > YMMV
> >
> > --
> > burns
>
> Don't use Squid as a firewall/ip filter?   I didn't know it had the kind of
> functionality ....
>

Squid has access and authentication controls, plus a lightweight set of 
filters... mostly to protect Squid itself and not a network. This has led 
some people to use Squid as an ersatz firewall or router - it is neither and 
really shouldn't be used as such. However, Squid's filtering capabilities 
have been bolstered by an add-on, SquidGuard. According to the Squid site, 
"SquidGuard is a free (GPL), flexible and ultra fast filter, redirector and 
access controller plugin for squid. It lets you define multiple access rules 
with different restrictions for different user groups on a squid cache. 
squidGuard uses squid's standard redirector interface."  Nevertheless, I 
still recommend using Squid as a caching proxy and using a firewall where you 
want a real firewall.

> I've been using squid for about a couple of years now on my home lan. 
> Since I'm on a 28.8 dial up connection, it really helps a lot.   I've never
> had a problem with it eating up ram on my firewall machine though.   It
> works great for us, I've never had a problem with it.

For the usage rates at your home, you probably wouldn't even notice it, Bill. 
But it's pretty well known that on an operational network of any size and 
where there is a lot of demand, Squid eats up lots of RAM; how much depends 
on how you have it configured and the nature of the traffic.

FWIW, it's generally considered a prudent practice to establish your firewall 
on a separate box **out in front** of those that are hosting your other 
services.  Firewalls should be thought of as sacrificial. In effect, you have 
no DMZ the way you have it set up. It's like putting the things you want to 
protect out on the front line with your advance troops -- just a suggestion, 
YMMV, of course.

-- 
burns
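An added example, not part of burns's post or of the Squid project: a sketch of the layout the message argues for, a dedicated netfilter box out in front, with Squid on a separate host in a DMZ and the LAN reaching the web only through the proxy. The interface names, network numbers and proxy port are assumptions chosen for illustration; the script prints the iptables rules for review and only applies them when APPLY=1 is set. The short squid.conf fragment at the end makes the other point in the thread: Squid's own http_access rules decide who may use the cache, and protect Squid, not the network behind it.

```shell
#!/bin/sh
# Added example (not from the OCLUG thread). Assumed layout:
#
#   Internet --- eth0 [firewall] eth1 --- DMZ 192.168.100.0/24 (squid on .10)
#                               eth2 --- LAN 192.168.1.0/24
#
# The firewall box runs no services of its own; it only filters and forwards.
# All addresses, interface names and ports below are made up for illustration.

WAN_IF=eth0
DMZ_IF=eth1
LAN_IF=eth2
LAN_NET=192.168.1.0/24
PROXY_IP=192.168.100.10
PROXY_PORT=3128

# Execute the rule when APPLY=1, otherwise print it so the set can be reviewed.
fw_rule() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

firewall_ruleset() {
    # Default deny: anything not explicitly allowed is dropped.
    fw_rule -P INPUT DROP
    fw_rule -P FORWARD DROP
    fw_rule -P OUTPUT ACCEPT

    # Keep established flows working in both directions.
    fw_rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Nothing from outside may open a connection into the LAN, and nothing
    # from the WAN side may talk to the firewall box itself.
    fw_rule -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state NEW -j DROP
    fw_rule -A INPUT -i "$WAN_IF" -j DROP

    # LAN clients may reach the proxy in the DMZ, and only on the proxy port.
    fw_rule -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$PROXY_IP" \
        -p tcp --dport "$PROXY_PORT" -m state --state NEW -j ACCEPT

    # The proxy may fetch HTTP/HTTPS from the Internet on the LAN's behalf;
    # the LAN has no other route out, so web traffic must go through Squid.
    fw_rule -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$PROXY_IP" \
        -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
}

# The proxy host's own controls live in squid.conf: they say who may use
# the cache and protect Squid, not the network behind the firewall.
squid_access_rules() {
    cat <<EOF
acl localnet src $LAN_NET
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
http_port $PROXY_PORT
EOF
}

# Review check on the generated set: every FORWARD rule that accepts a NEW
# connection must be pinned to an input/output interface pair. Returns 0
# when the check passes.
check_ruleset() {
    firewall_ruleset | awk '
        /-A FORWARD/ && /--state NEW/ && /-j ACCEPT/ {
            if ($0 !~ /-i eth[0-9]+ -o eth[0-9]+/) bad++
        }
        END { exit bad ? 1 : 0 }'
}
```

Run it without APPLY to read the ruleset, then `APPLY=1 sh firewall.sh` on the firewall box once the interfaces and networks match yours; the squid.conf lines go on the proxy host, not the firewall.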
