On Thu, 2002-03-07 at 11:06, Josh Frick wrote:

Thank you. That's what I had suspected. NAT is NAT, right? I'm trying to build a multi-layered approach. Currently it's two Coyote (IPchains) Firewalls in front of Squid/Socks. This does prevent direct connections to my clients, which I had assumed was more secure than otherwise, but I wasn't sure if that was meaningful. My clients and the Squid/Socks box are not reachable by the gateway. Only the choke, which will be reconfigured (by way of a crossover-cable) to be connected only to the Squid/Socks box. I just wanted to know if this was any better than simply adding a third IPchains box.

Something to be aware of is that having two firewalls of the same flavour will not buy you any more security. If a crack/exploit works on one, then it will work on the other. Try replacing one of them with another OS and firewall solution. Adding a third ipchains box will give you as much protection as adding a piece of wire.

Where a proxy is extremely useful is being able to inspect (and correct or reject) the data it receives before it gives it to the client machine. That is, you can plug a virus scanner into squid, remove ActiveX, etc.

--
Regards
Simon