Hi,

I have a customer with a Linux router/firewall connecting his public internet IP with an internal 192.168.x.x network. Server is just forwarding packets, no masquerading is being used (clients can browse internet through proxy squid).

I know masquerading is the right way to go here, but I need to justify the decision to the client. I think that a routed network is a big security flaw because it doesn't hide information of the LAN, but I haven't been able to prove it accessing the internet servers from the outside.

Can you please shed some light?

Well you choose routing when you have an ip class on the inside of the network wich gets "routed" from and outside.
That means that they can connect to the outside world and the outside world can connect to them with no hassle ( and it`s easy ).
Obviosly this is not the case when you have a single ip address. ( you must masquerade/snat )
For example if you have a public ip class (NOT in the range of private space )
then you use routing.

By the way you can configure squid in transparent mode and everyone will go out thru squid with theyre own routeable ip address ( if you have ).

Well from what i can see in the picture ( guessing that the firewall has 4 NIC`s ) that is quite ok, but remember that anyone from a switch can see each other without going thru the firewall if they are in the same ip class.

Thanks naghi. Abouth the inconvenients of a routed network without a public IP range, apart of the fact that clients can't go out with non-proxyable protocols, is there any security concern (i.e. can anybody see my boxed from internet) ?

it is not a routed network without public ip range.
it is a NAT-ed network.
And no there are not that many security concerns if you do your firewall ok.
they *should* not see any of the internal computers. remember to nat then not to route them.
if your route them your isp will see al kind of data coming from them ( and reject them ).