Chris Boyd said the following on 20/09/2005 11:18:
> Rather than setting the PIX to redirect traffic through the proxy I'm looking to set the proxy as default gateway and forward LAN traffic to PIX.
> Do I need two NICs for this as well?
>>>>Niall O Broin <niall at linux.ie> 09/19/05 5:26 >>>
>> On 19 Sep 2005, at 16:27, Chris Boyd wrote:
>>>I've set up squid on SuSE 9 to filter internet traffic.
>>The server is behind a Cisco PIX firewall (515)
>>Can I then also enable packet forwarding and filter all traffic
>>through the same server and set it as default gateway for all hosts on
>>the network?
>> You could, provided you had iptables configured correctly on that box.
> What exactly do you want to do? What do you mean by "filter all traffic
> through"?
> Niall
I think that what you are trying to say is that you want to use the
proxy server as the default gateway for all your networked hosts, and
the PIX as the default gateway then for the proxy server, correct??
Then I'd ask.. Why? The PIX is there to allow you to protect your
network, right? In doing the above you'll create a lot of extra
headaches for yourself as your network grows, needs change and so on.
Let the firewall be your gateway to the world, as it is supposed to be.
Put whatever systems you need to have accessible from the outside world
inside a DMZ and let the rest sit where they are, on the internal network.
In this way you can accommodate specific rules for specific hosts,
subnets, whatever. Doing it your way, any rule you'd apply on the
firewall for the proxy server would automagically apply for all your
hosts on the internal network. Might not be what you'd want to do in all
cases.
//Anders