DocNsane Squid Question

[Catalyst22]

I'm thinking about building a squid box, and you sound like the linux guru I wish I was

I had some basic questions that I thought you might be able to answer faster than I could find them in the documentation.

I understand that you sit your squid box between your router and the internet or between two routers. How do you secure your squid box? Does it setup as some kind of passive port 80/21/22/443 passthru? Is there any security concerns I should have running one? If it is on the far side of my router then my network is not at jeopardy, but I would rather not have to rebuild a config'd squid box that some hacker got into.

I enjoy doing linux but I sure could use someone to call on that has used it in a corporate environment. I got some Unix guys that I call on from time to time, but they aren't very versed in utilizeing Unix for web serveing or complex security for Linux.

any help will be appreciated.

[Burzum]

At the risk of sounding like a noob...

What is a squid box?

[Catalyst22]

Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process.

Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests.

Squid supports SSL, extensive access controls, and full request logging. By using the lightweight Internet Cache Protocol, Squid caches can be arranged in a hierarchy or mesh for additional bandwidth savings.

Squid consists of a main server program squid, a Domain Name System lookup program dnsserver, some optional programs for rewriting requests and performing authentication, and some management and client tools. When squid starts up, it spawns a configurable number of dnsserver processes, each of which can perform a single, blocking Domain Name System (DNS) lookup. This reduces the amount of time the cache waits for DNS lookups.

My intent is to run a Squid box with Squid Guard in order to restrict access to specific resources on the interweb and track access from the computers in my pre-k classrooms.

My secondary goal is to force internet access across my DSL connections to be directed thru a proxy server in order to manage access from a central location. Currently I have each Zywall router setup for content filtering. This is a pain, so I'm trying to get more granular on my control. I am teh interweb nazi

[Deleted User]

How do you secure your squid box?

I've never set up a proxy server, but I'd assume it'd be like running any other server under linux. Do you know if you're going to need to multi-home the box (2 ethernet cards)?

You'll probably just need to setup a firewall and tweak it a bit. In which case, you'll just need to find an easy to use linux firewall script (most likely for IP Tables if you're using a modern kernel). SuSE linux comes with a decent script as part of the distribution (just edit a straightforward config file and it sets almost everything you need up for you), but there are pleanty that come up on google (I've mostly been using SuSE for my firewalls for the last 4 years or so, though, so I'm not too familiar with the multitude of other scripts).

You'll pretty much just want to set things up so that your internal subnet has the ability to connect to the machine but the outside world should only be able to respond to estabilished connections.

[Campsalot]

I wouldn't run your firewall on your squid box. The firewall should be its own animal, for security reasons.

[Deleted User]

I wouldn't run your firewall on your squid box. The firewall should be its own animal, for security reasons.

technically true. if you've got a real firewall, just put the squid box behind it and its default-deny stuff should protext the squid box just fine. or get something cheap and use it to do your firewall/masquerade.

but some people just can't afford the extra boxes/ups/etc and most router/firewall combos that come with DSl/etc. just plain suck, so it doesn't hurt to add a firewall to the squid box, since all it really will be is like 3 iptable statements.

[Catalyst22]

Currently my network allows 0 inbound traffic. I have an external IP on the DMZ port and its own subdomain. This ip hosts my warftp server. I'm thinking what I will prob do is just drop one of my spare zywall 10II's in front of my squid box... However... I may not need any real firewall outside of my Zywall 70 since the Squid box will filter from inside my firewall? For some reason I keep thinking it has to sit between my firewall and the interweb... Actually all I have to do is setup the proxy in server 2k3 to point to my squid box right? So my existing firewall will suffice and I need not have outside access to the squid.

[Deleted User]

once again... I''ve never set up a proxy box, but I can't imagine why the proxy server would require unrequested inbound traffic. So, I imagine that it could sit behind your existing firewall. It should just take internal requests (set your browser/whatever to point to squid box); then check its cache to see if it already has it, and if not run out and get it on its own copy that it will forward back to the requesting client.

[Deleted User]

hehe... Set up a few of these, and squidguard sucks.

Use dansguardian,http://www.dansguardian.org it's MUCH MUCH better, and if the box has any power whatsoever, you can also have it filter out virii and spyware. Set this up at the school system that I used to work at and it works great. Feel free to shoot me Q's in email if you would like, you know how I am a bit lax about checking in the forum all the time.

There are multiple ways that you can accomplish what you are wanting, and unfortunetely, it's not a lot like most other services in linux - especially if you want the proxy job to be done transparentally. I'm happy to help, but to be of much help I would need some more detailed information about your setup and what you want to accompllish. Just let me know

diamond

[DocNsane]

Due to the lack of my replying, I think it's obviously I have no idea how to setup a squid box. I've never had a need to personaly.

[Catalyst22]

Diamond,

I have a Dual p3 733 box running Redhat 9 that is a clean minimal install. It also has 512Mb RAM and 3 9Gb SCSI drives RAID 1 +Hot Spare.

I intend to use this box, but the Squid project is on hold until I get my supermicro server up and running. Still stuck on the Hostname/Kernel patch bug. Hope to have a solution for this soon as I have pulled out all my hair and now keep it in a shoebox next to another shoebox so I can pull it out again and put it in the other shoebox.

[pyrox420]

Use dansguardian,http://www.dansguardian.org it's MUCH MUCH better, and if the box has any power whatsoever, you can also have it filter out virii and spyware. Set this up at the school system that I used to work at and it works great. Feel free to shoot me Q's in email if you would like, you know how I am a bit lax about checking in the forum all the time.

Quoted for truth. I've setup 3 dansguardian boxes and it's much better than what you plan on doing. The interface is much nicer too...

[Catalyst22]

I'll use it then I just haven't researched it much yet.

Do any of you guys use Suse? If so, do you know anything about this patch?
http://support.novell.com/cgi-bin/searc ... b9ffa.html

After I apply this security/kernel patch the system no longer sees my SATA drives /dev/sda2

SATA drives BIOS Software RAID.