On Sun, 22 Aug 1999, Steve Philp wrote:

> Thanks for the tips.  I've printed them out to ponder over a cup of
> coffee.  I'll be putting a few more lockdowns on the machine on Monday.
> 
> Primarily, I'm not concerned with the internal network.  The router is
> set up to deny all Internet packets from inside that don't come from the
> proxy machine.  I've got junkbuster set up to only allow access to about
> 5 "approved" sites (default deny is a wonderful thing!).  Squid is set up
> to allow a select few to connect to it directly (mostly IS and executive
> level -- those are assigned static IPs while the rest of the place is
> DHCP), any other attempts at direct connections to Squid are sent
> packing.
> 
> I'm mostly worried about closing up avenues to go from the .4.x machine
> to the .3.x network.  If (god forbid) that web/email machine gets
> cracked, I want there to be very little possibility of getting into the
> internal network.  I suppose I could set up rules that only allow packets
> originating from the 4.x machine and coming from ports 3128 and 8000
> (squid, junkbuster) and to allow packets originating from inside on a
> couple IPs.

something like
ipchains -A input -s 192.168.3.0/24 -d 0/0 -j DENY -l -b
ipchains -A output -s 192.168.3.0/24 -d 0/0 -j DENY -l -b

that should pretty much throw a wrench into things, and you'll need to
make a hole for the proxies.
 
> Thanks again for the explanation of the IP chains stuff.
> 
> 

--
MandrakeSoft          http://www.mandrakesoft.com/
                                        --Axalon
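The following script is an added example, not part of the original message or of any Mandrake package: it turns the two DENY lines above plus the "hole for the proxies" into a complete, ordered ipchains ruleset. Assumptions, all made here and not stated in the thread: the rules run on the host that sees both 192.168.3.0/24 and 192.168.4.0/24; the proxy host is 192.168.4.10 (placeholder); squid listens on 3128 and junkbuster on 8000; two constructed internal addresses (192.168.3.5 and .6) may reach the proxy host directly; and only the input and output chains are used, as in the reply. Because ipchains is stateless, return traffic from the proxy is let back only as non-SYN TCP (`! -y`), so a compromised .4.x host cannot use the hole to open new connections into .3.x.

```shell
#!/bin/sh
# Added example: ipchains isolation of 192.168.3.0/24 from the .4.x server
# net, with holes for the proxies. All addresses and ports below are
# assumptions or constructed samples, not values from the original thread.

INTERNAL=192.168.3.0/24
PROXY=192.168.4.10                          # assumed proxy host address
PROXY_PORTS="3128 8000"                     # squid, junkbuster
ALLOWED_INTERNAL="192.168.3.5 192.168.3.6"  # constructed static IPs
CHAINS="input output"                       # add "forward" if this host routes

# Run ipchains, or just print the command when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# ipchains walks a chain top to bottom and stops at the first match, so the
# DENY rules are appended (-A) first and every hole is inserted (-I) above
# them. Doing it the other way round would leave the holes unreachable.
build_rules() {
    for chain in $CHAINS; do
        # 1. Default deny, logged; -b adds the mirror rule (0/0 -> .3.x) too.
        run -A "$chain" -s "$INTERNAL" -d 0/0 -j DENY -l -b

        # 2. Hole for the proxies: .3.x may open TCP connections to squid and
        #    junkbuster on the proxy host; only non-SYN packets come back.
        for port in $PROXY_PORTS; do
            run -I "$chain" -p tcp -s "$INTERNAL" -d "$PROXY" "$port" -j ACCEPT
            run -I "$chain" -p tcp ! -y -s "$PROXY" "$port" -d "$INTERNAL" -j ACCEPT
        done

        # 3. A couple of internal static IPs may reach the .4.x host directly
        #    (any TCP port), again with replies limited to non-SYN packets.
        for ip in $ALLOWED_INTERNAL; do
            run -I "$chain" -p tcp -s "$ip" -d "$PROXY" -j ACCEPT
            run -I "$chain" -p tcp ! -y -s "$PROXY" -d "$ip" -j ACCEPT
        done
    done
}

# With no argument the script only prints the rules it would install;
# "apply" really installs them (needs root and the ipchains binary).
case "${1:-show}" in
    apply) build_rules ;;
    show)  DRY_RUN=1; build_rules ;;
esac
```

Run it once without arguments to read the generated commands, then with `apply` and check the resulting order with `ipchains -L -n`: every ACCEPT must be listed above the logged DENY in each chain. The holes are TCP-only on purpose; anything else (UDP, ICMP) from .4.x toward .3.x hits the DENY and shows up in the log, which is exactly the event you want to see if the web/email host is ever compromised.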
