Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am redoing my network and I am adding another machine and it is going to be my firewall/router.
Cable Modem
    |
VOIP Modem
    |
Linux Firewall/Router Server
    |
Linux SQUID Proxy Server
    |
Dlink wireless router ---------- W2K Server
    |
Windows 2k wireless clients
On the Squid Server, do I need to enable IP forwarding on that machine and then forward the packets to my Firewall server to be able to get my clients to the internet, or do I only enable IP forwarding on just my Firewall? How do I route my IP packets to allow my clients to get to the internet? Before I had one machine doing it all. I have taken some of that payload off of the one server.
Last edited by metallica1973; 11-28-2005 at 07:32 PM.
I would not use the proxy as a hop, instead you would filter outbound port 80 traffic on the firewall and redirect it to the server. At the same time though, a single SmoothWall or IPcop box can do all those functions in one unit, and it'd be no biggy if you made your own standard distro firewall do the proxying too. But ultimately, I would not add an extra hop, that's not fun.
That is how I had it before. Isn't that too much for one machine to do, proxying and firewalling? I wanted to lighten up the load on my main firewalling server. Will that extra hop slow things down or is it just more of a pain in the tookas?
Any machine made in the last 5 years, maybe even before that, should have no trouble with doing both the firewalling and proxying, so unless you've actually monitored the performance on that machine and seen that it's overloaded I wouldn't bother.
If you do want to split it out then it's pretty simple. The firewall/router does NAT (so yes, you enable IP forwarding) and the Squid proxy machine has the firewall/router machine as its default gateway. The Win2k clients can only then access the net through the Squid proxy - they can't connect directly to the net. If this was your intention in doing this, you can easily achieve the same by turning off IP forwarding and NAT on the existing combined firewall/proxy setup.
I wouldn't know if that machine is capable, as you didn't say how many clients there are... we're not psychic! Like tkedwards said, it's probably safe to say yes it's fine, but IF you have 100+ heavy net users behind it, then more likely not...
I upgraded my servers to kernel 2.6+ and I wanted to put my VOIP modem in its own DMZ off of my firewall. Can anyone give me some iptables rules to add to my firewall to allow udp ports 5060 UDP, 1020-1030 UDP, 13456-13463 to my DMZ where my VOIP modem is located. My DMZ will be on a 192.168.2.0 network. thanks
Last edited by metallica1973; 12-01-2005 at 02:56 PM.
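As an added example (not code posted in this thread), the following rule generator covers both the split design tkedwards described (forwarding and NAT only on the firewall/router, the Squid box using it as default gateway, Win2k clients unable to forward directly) and the DMZ asked about in the last post. The DMZ subnet 192.168.2.0/24 and the UDP ports 5060, 1020-1030 and 13456-13463 are taken from the thread; the interface names eth0/eth1/eth2, the LAN subnet 192.168.1.0/24, the proxy address 192.168.1.2 and the VOIP modem address 192.168.2.10 are assumptions and must be changed to match the real machines.

```shell
#!/bin/sh
# Firewall/router rule generator for the topology in this thread:
#   WAN (cable modem) -- this box -- LAN (Squid proxy + Win2k clients)
#                                 \- DMZ 192.168.2.0/24 (VOIP modem)
# Interface names, LAN subnet, proxy and VOIP modem addresses below are
# assumptions for this example; override them via the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
DMZ_IF="${DMZ_IF:-eth2}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"
PROXY_IP="${PROXY_IP:-192.168.1.2}"   # Squid box; its default gateway is this host
VOIP_IP="${VOIP_IP:-192.168.2.10}"    # VOIP modem inside the DMZ
# UDP ports from the question: 5060 (SIP signalling) plus the two media ranges
VOIP_UDP_PORTS="5060 1020:1030 13456:13463"

# Every rule is printed as a complete iptables command so the whole set can
# be reviewed first (default "show") and only then executed ("apply").
rule() { echo "iptables $*"; }

emit_rules() {
    # 1. Forwarding is enabled on the router only. The Squid box simply
    #    routes through this host as its gateway and forwards nothing itself.
    echo "sysctl -w net.ipv4.ip_forward=1"

    rule -F; rule -t nat -F
    rule -P INPUT DROP; rule -P FORWARD DROP; rule -P OUTPUT ACCEPT
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT    # admin access from LAN

    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. Only the proxy may forward out to the internet. With FORWARD at DROP
    #    the Win2k clients cannot bypass Squid even if they set this host as
    #    their gateway.
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PROXY_IP" -j ACCEPT
    rule -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    rule -t nat -A POSTROUTING -o "$WAN_IF" -s "$DMZ_NET" -j MASQUERADE

    # 3. DMZ: the VOIP modem may reach the internet and the listed UDP ports
    #    are DNATed from the WAN side to it. Nothing from the DMZ may reach
    #    the LAN, so a compromised modem cannot be used to get at the clients.
    rule -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" -j ACCEPT
    for p in $VOIP_UDP_PORTS; do
        rule -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport "$p" -j DNAT --to-destination "$VOIP_IP"
        rule -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p udp -d "$VOIP_IP" --dport "$p" -j ACCEPT
    done
    rule -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP   # explicit, although policy already drops it
}

# Sanity check: number of DNAT rules generated (one per port entry).
count_dnat_rules() { emit_rules | grep -c -- '-j DNAT'; }

case "${1:-show}" in
    show)  emit_rules ;;
    apply) emit_rules | sh ;;
esac
```

Run it without arguments to print the rule set, then with `apply` once the output looks right. Two things worth checking after applying: the 5060 DNAT exposes the modem's SIP port to the whole internet, so if the VOIP provider uses a fixed address range, adding `-s <provider range>` to the PREROUTING and FORWARD rules for that port narrows what can reach it; and SIP carried through NAT frequently needs either the modem's own NAT handling or the kernel's SIP connection-tracking helper to keep media flowing, which the rules above do not load.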