Dave J Woolley wrote:
> Squid is probably too complex to safely install on a
> firewall machine.
It depends. Using the right tools almost anything can be installed on
the a firewall machine, provided the machine has the muscles needed to
run them all.
When installing Squid on a firewall machine a few extra things should be
done, compared to the average install:
a) tcp_incoming_address should be used to make sure Squid only binds to
the internal interface.
b) chroot_dir should be used to cause Squid to chroot itself to a safe
directory, and then fully drop all traces of root privilegies
c) the chroot environment should be as minimal as possible. Absolutely
no UNIX shell or other useful tools
d) The firewall must be able to protect itself, so connections cannot be
initiated from the firewall to places it shouldn't connect to.
A side note: Given how easy it is to get the average user to
unsuspectingly run a binary exe file sent by email, I would almost say
that most of the firewall issues are moot. If you have users who can
surf the Internet and execute unknown files, then it is quite easy for
an attacker to bounce off this user and establish a full duplex network
connection thru any firewall. The hardest part is the social engineering
required to make it work. The eventual program coding involved is
trivial. Excersise left to the reader.
The bottom line is: Don't overly trust your firewall.
-- Henrik Nordstrom Squid hackerReceived on Thu Feb 10 2000 - 15:57:19 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:51:10 MST