Re: Integrating Squid in a firewall setup

From: Tilman Schmidt <Tilman.Schmidt@dont-contact.us>
Date: Wed, 24 Mar 1999 15:12:50 +0100

At 10:06 23.03.99 +0100, Henrik Nordstrom wrote:
>Marc van Selm wrote:
>
>> You could integrate squid in a firewall setup (Is that wise?
>> I guess not.)
>
>Not unless the firewall can firewall itself (Squid). I would not
>recommend having the Squid ports open for external access in a firewall
>setup, even if protected by Squid acls.

In fact, I think it is quite reasonable to use Squid as the HTTP proxy
in an "application level proxy" type of firewall. If you block incoming
connections to the Squid on the external router there shouldn't be any
serious security concerns.

>The Squid developers do try to avoid known constructs which can easily
>lead to compromise, and any security related bugs are fixed with highest
>possible priority once found, but there has to my knowledge not been any
>serious security auditing of the Squid code.

I suppose this description would fit most of the code people *do* run on
firewalls.

-- 
Tilman Schmidt          E-Mail: Tilman.Schmidt@sema.de (office)
Sema Group Koeln, Germany       tilman@schmidt.bn.uunet.de (private)
"newfs leaves the filesystem in a well known state (empty)."
                                                - Henrik Nordstrom
Received on Wed Mar 24 1999 - 07:31:49 MST
