LinuxQuestions.org
Old 02-23-2010, 09:40 PM   #1
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Rep: Reputation: 32
Transparent Firewall with squid/dansguardian


I am posting this in Security because it is firewall related. I am looking to redesign my network, which I'll get into below, but basically I am looking to set up a transparent/bridged firewall with squid and dansguardian. However, I want to require LDAP authentication to access the internet. You'll understand why from the diagram below.

My question is, since bridged firewalls operate at layer 2 and have no/require no IP address, can you access higher-layer apps with them? An example would be to have the proxy authenticate to the LDAP system to check for a valid user and valid net permissions; the server has to somehow send a reply back, so without an IP this can't happen, right?

Below are two designs I am looking into implementing. Everything internal will be authenticated against LDAP, with a small possibility of some public servers using LDAP too, but in my way of thinking anything using LDAP should be behind the router on the private link. FYI, the PROXY and the Linux Router would be two physically separate systems.

So I guess my second question would be: can systems outside the private network access limited internal services securely and be restricted at the same time?

I think I have everything I needed to ask, but if I think of something else related to this I'll post it in a reply if it concerns the app/firewall question.

Code:
Option 1:
                        (TRANSPARENT)
------------            -------------
| CBL MODM | ---------> | PROXY/FW  |
------------            -------------
                              |
                              |(PUBLIC)
                              |
   ----------            --------------           ---------
   |  DMZ    |<----------| LNX ROUTER |---------> | WI-FI |
   ----------            | W/FIREWALL |           ---------
                         --------------
                                |
                                |(PRIVATE)
   ---------------              |                ---------------
   | LDAP SERVER |<----------------------------> | VPN / WikId |
   ---------------                               ---------------


Option 2:

                        (TRANSPARENT)
------------            -------------
| CBL MODM | ---------> | PROXY/FW  |
------------            -------------
                              |
                              |(PUBLIC)
                              |
   ----------            --------------           ----------
   | SERVER |<---------- |  SWITCH    |---------> | SERVER |
   ----------            --------------           ----------
                               |
                               |
                         --------------           ---------
                         | LNX ROUTER |---------> | WI-FI |
                         | W/FIREWALL |           ---------
                         --------------
                                |
                                |(PRIVATE)
   ---------------              |                ---------------
   | LDAP SERVER |<----------------------------> | VPN / WikId |
   ---------------                               ---------------

Last edited by richinsc; 02-23-2010 at 09:42 PM.
 
Old 03-01-2010, 03:13 AM   #2
OdinnBurkni
Member
 
Registered: Feb 2007
Location: Iceland
Distribution: Fedora 14, CentOS, FreeNAS
Posts: 127

Rep: Reputation: 20
Transparent firewall/proxy

Hi.
I'm not sure if this will answer your question, and I don't know how experienced a user you are. I've tried ClearOS and I like it in many ways. It supports many NICs, and I would rather go for one box if possible. In ClearOS you have a web-based interface to configure things, but you can also do it from the CLI. It's based on CentOS if I remember right. If you're a more experienced user you could also just use a clean Linux installation, CentOS or Ubuntu or whatever you prefer, and use e.g. iptables to handle the security and determine who's allowed to go where...

I hope it helps...
 
Old 03-01-2010, 03:47 AM   #3
Winanjaya
Member
 
Registered: Sep 2003
Posts: 239

Rep: Reputation: 32
Mine looks simple: ;< )

PIX Firewall -> Internet Router -> Squid (Transparent Proxy) + IPTables, Internal DNS, Mail, LDAP ---> Users

Squid Gateway: to PIX Firewall

Users Gateway: to Squid
User DNS: to Internal DNS

I also do NAT for some virtual servers (i.e. www, POP3, SMTP Auth)


Thanks & Regards
Winanjaya
 
Old 03-01-2010, 03:48 AM   #4
Winanjaya
Member
 
Registered: Sep 2003
Posts: 239

Rep: Reputation: 32
I also had WIFI with its gateway set to Squid, and also had a DHCPD server (gateway also to Squid)
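The layout Winanjaya describes in the two posts above (users' and wi-fi gateway pointing at the squid box, transparent interception of web traffic, NAT for published "virtual servers"), written out as an added example of the iptables rules involved; this is not code from the thread, and every interface name, address and port in it is an assumed value. The comment near the top notes what changes for richinsc's bridged variant.

```shell
#!/bin/sh
# Added example (not from the thread): emit the netfilter rules for a
# transparent squid/dansguardian gateway, plus one DNAT "virtual server".
# Interfaces, addresses and ports below are assumptions. Run as
# `./rules.sh` to review the rules, or `./rules.sh | sh` as root to apply.
LAN_IF=${LAN_IF:-eth1}                   # towards users / wi-fi
WAN_IF=${WAN_IF:-eth0}                   # towards the PIX / cable modem
LAN_NET=${LAN_NET:-192.168.1.0/24}
FILTER_PORT=${FILTER_PORT:-8080}         # dansguardian listens here and hands off to squid on 3128
WWW_SERVER=${WWW_SERVER:-192.168.1.10}   # internal web host published by NAT
PUBLIC_IP=${PUBLIC_IP:-203.0.113.5}      # placeholder public address (documentation range)

# Bridged variant (richinsc's option 1/2): enslave eth0/eth1 to br0, give br0
# an address so the box can still reach the LDAP server, set
# net.bridge.bridge-nf-call-iptables=1 so bridged frames traverse these
# chains, and run this script with LAN_IF=br0.
gen_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN web traffic is silently handed to the content filter (clients see no proxy)
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $FILTER_PORT
# Only the LAN may reach the filter/proxy ports; the WAN side gets nothing
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports $FILTER_PORT,3128 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp -m multiport --dports $FILTER_PORT,3128 -j DROP
# Remaining LAN traffic is routed and masqueraded out the WAN side
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
# "Virtual server": publish the internal web host on the public address
iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WWW_SERVER:80
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $WWW_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
EOF
}

# Number of iptables commands the generator produces (useful for a dry-run check)
rule_count() { gen_rules | grep -c '^iptables'; }

gen_rules
```

Only port 80 is intercepted here; the REDIRECT does nothing for HTTPS, and squid cannot challenge an intercepted client for proxy credentials, which is why the posters put user identification elsewhere.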
 
Old 03-01-2010, 03:59 AM   #5
OdinnBurkni
Member
 
Registered: Feb 2007
Location: Iceland
Distribution: Fedora 14, CentOS, FreeNAS
Posts: 127

Rep: Reputation: 20
Firewall

I like the way Winanjaya does it. It's fairly easy to implement. Regarding iptables, I use a script for that so it's easier (well, at least it is for me) to configure. I can dig up a template of that script if you're interested, or you might be able to find it in some of my posts here on LQ; I've shared it once or twice.
 