Hi, On 27 Mar 2001, at 7:44, Reckhard, Tobias wrote:
> Huh? Get real, man, with that attitude you shouldn't connect anything to an untrusted network
The point is that even if someone exploits a firewall and gets root permissions, this person must be the smallest possible threat to the protected network. If you are logged in as root on a computer that acts as a firewall, you must not find any way to exploit the internal network:

1) there must not be an ftp client or other tools to download files to that computer,
2) there must not be access to a DNS server mapping the protected network; thus one must browse the log files to get an idea of the members of the internal network, and make it as hard as possible to browse files (no editor),
3) all files should be read-only or append-only in multiuser mode so the boot structure cannot be manipulated,
4) the firewall computer should not do anything but filter and forward traffic.

I do not know about squid, but I would put it on a computer behind the firewall. Even for a 100Mbit network connection any old Pentium 100 (or Mac, or Sparc, or whatever) with some RAM should be able to handle the maximum possible load without problems. Given the fact that such a computer will cost less than USD 100,--, cost should not be the reason not to have it!

mike
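The four points above can be turned into an audit a defender runs on a packet-filter host. The script below is an added example, not part of the message and not any existing tool: it checks text snapshots of the host (an installed-binary list, /proc/mounts-style output, and resolv.conf) against the rules "no download tools or editors", "read-only root and /usr", and "no resolver pointing at the internal DNS". The forbidden-tool list and the choice of /, /usr as the read-only mounts are assumptions, and the sample inputs are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: audit a firewall host's snapshot data against the
# hardening rules in the post. All inputs are plain text so the checks
# can be run against constructed samples without touching a live system.

# Assumed list of tools that a pure filter/forward host has no business having:
# file-transfer clients, editors and build/scripting tools.
FORBIDDEN_TOOLS="ftp tftp wget curl scp sftp vi vim nano ed emacs gcc perl python"

# check_tools <newline-separated list of installed binaries>
# Prints each forbidden tool found; returns 1 if any is present, 0 otherwise.
check_tools() {
    found=0
    for tool in $FORBIDDEN_TOOLS; do
        if printf '%s\n' "$1" | grep -qx "$tool"; then
            echo "FORBIDDEN TOOL PRESENT: $tool"
            found=1
        fi
    done
    return $found
}

# check_mounts <text in /proc/mounts format: dev mountpoint fstype opts ...>
# Requires / and /usr (assumed set) to be mounted read-only; /var/log may stay
# writable since logs are append-only by nature. Returns 1 on any violation.
check_mounts() {
    bad=0
    for mp in / /usr; do
        opts=$(printf '%s\n' "$1" | awk -v m="$mp" '$2 == m { print $4 }')
        if [ -z "$opts" ]; then
            echo "MOUNT MISSING: $mp"
            bad=1
        elif ! printf '%s\n' "$opts" | grep -Eq '(^|,)ro(,|$)'; then
            echo "MOUNT NOT READ-ONLY: $mp ($opts)"
            bad=1
        fi
    done
    return $bad
}

# check_resolver <contents of /etc/resolv.conf>
# A filter host needs no resolver at all; any nameserver line gives an intruder
# a map of the protected network. Returns 1 if one is configured.
check_resolver() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*nameserver'; then
        echo "RESOLVER CONFIGURED: $(printf '%s\n' "$1" | grep '^[[:space:]]*nameserver')"
        return 1
    fi
    return 0
}

# audit <bins> <mounts> <resolv>
# Runs all checks; returns the number of failed checks (0 = host passes).
audit() {
    failures=0
    check_tools "$1"    || failures=$((failures + 1))
    check_mounts "$2"   || failures=$((failures + 1))
    check_resolver "$3" || failures=$((failures + 1))
    echo "failed checks: $failures"
    return $failures
}

# Constructed sample snapshot of a badly configured host (not real data).
SAMPLE_BINS="sh
ls
iptables
ftp
vi"
SAMPLE_MOUNTS="/dev/hda1 / ext2 rw,errors=remount-ro 0 0
/dev/hda2 /usr ext2 ro 0 0
/dev/hda3 /var/log ext2 rw 0 0"
SAMPLE_RESOLV="nameserver 10.0.0.53
search internal.example"

if audit "$SAMPLE_BINS" "$SAMPLE_MOUNTS" "$SAMPLE_RESOLV"; then
    echo "host passes"
else
    echo "host fails"
fi
```

On a real host the three inputs would come from `ls /bin /sbin /usr/bin /usr/sbin`, `cat /proc/mounts` and `cat /etc/resolv.conf`; keeping the checks as pure text functions means the same script can also be run from a central box over collected snapshots, which fits the post's point that the firewall itself should carry no tooling.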