mg on Mon, 31 Jul 2000 16:30:55 -0400 (EDT)
On Mon, 31 Jul 2000, Michael W. Ryan wrote:

> On Mon, 31 Jul 2000 DrexelDG@aol.com wrote:
>
> > What is the difference there?
> >
> > I know squid is a proxy... and provides a connection to the net.. but doesn't
> > IP Chains do the same thing?
>
> Squid provides application-level proxying, while IPChains performs
> packet-level filtering. Think of it this way: Squid handles "I want to
> do this activity at this site", while IPChains handles "I want to send a
> tcp/udp/icmp packet from this address & port to this address & port."

To take this definition further, let's look at an example. As was said, ipchains is a packet-filtering (and redirecting too) application and squid is a proxy.

Now let's say you've got a network set up with a gateway machine which has a direct connection to the internet, and behind that you've got several workstations. You want to secure this network, so you set up ipchains on the gateway machine to block anyone from the outside world from getting into your network (with some exceptions as needed). Then, for whatever reason, you don't want to allow the local machines to get to the internet, so you add some rules to ipchains to accomplish this.

Now everything is good, but your users are complaining because they can't browse websites. You'd like to give them the ability to do this, but to do so you would have to let traffic flow back and forth between internet sites and workstations on your LAN (albeit only on certain ports). This is where squid comes in. Rather than open up your firewall (which is basically what ipchains provides), you can set up squid on the gateway machine and allow HTTP traffic to and fro between the internet and the gateway machine. Then you set up the web browsers on the workstations to use the gateway machine as a proxy server. Workstation wants to see www.yahoo.com; gateway machine (running squid) says "Ok, I'll go get that for you and bring it back here".

So now the workstations on your isolated LAN can browse the web without actually having to have access to the outside world. Users are happy, sysadmins are happy. Management might be happy too, as now they can easily see what their employees are looking up, but that's a different issue. ;)

Oh yeah, one more thing to mention. You can avoid having to configure each browser on each workstation by using ipchains to accomplish what's called "transparent proxying". Basically, you tell ipchains on the gateway machine to redirect any outgoing traffic on port 80 to whatever machine you have squid running on. It's not hard to do and I'll leave it to the squid docs to explain how to configure it.

*whew*, this got somewhat long. Hope I've helped to answer your question.

mg

______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug