On Sun, Nov 13, 2005 at 03:13:35PM -0600, Harry Putnam wrote:
<big big big snip of things I can't answer for you>
> I'm wondering now if there is a way to do something like setup a squid 
> proxy on the gentoo and somehow force any attempts to go online from the 
> 3 isolated machines, toward it?

Two ways exist (AFAIK) of using squid:
  1) Run it as a proxy server. In the Internet Options for your
  web browser, you point the proxy toward the proxy server. You submit
  a request, it gets relayed to the internet, the response comes back,
  squid passes it back to your computer. 

  2) Run it transparently on the _router_. This is the important part:
  on the router, you can force all traffic intended for HTTP traffic
  to go through squid. There are many howtos on the web detailing how
  this works, so I will not go into details and only say that it
  involves intercepting the traffic halfway with iptables and passing
  it to squid. 

Clearly, 1 cannot be forced: if you just unset the proxy setting from
the web browser, your computer will connect to the internet directly. 
2 cannot be implemented in your case, since it requires that
internet-bound traffic must pass through your gentoo box. If you try
to forward all traffic from the router toward your gentoo box, you get
an infinite loop since the gentoo box is behind the router. 
> 
> Someone already mentioned squid and said it could not be forced but not 
> sure I understood what that meant.
> 
> But also if I were to set the gateway which is now the NETGEAR router, 
> to the gentoo box, wouldn't all outgoing traffic automatically head for 
> the gateway?  Would they really need to be wired to a second nic?

Yes... theoretically. But as far as I can see it, 
  1) The complexity of that setup will be at least as large as setting
  up a custom, dedicated gentoo/openbsd box as a firewall.
  2) It can be circumvented trivially by setting the gateway manually
  to your netgear router. 
Having a second NIC makes the circumvention method of 2 impossible. 

> My feeble understanding of setting a default gateway is that it then 
> becomes the only route used without setting static routes in the routing 
> table of the winboxes.

Yes, but the default gateway can be changed on the fly. Since you
expressed doubts about the reliability of third party firewall
software, I don't think you would be terribly comfortable with the
idea of a protection method that can be trivially bypassed on the
software level. 

W
-- 
3.1415926535897932384626433832795028841971693993751058209749445923078164062862
089986280348253421170679821480865132823066470938446095505822317253594081284811
174502841027019385211055596446229489549303819644288109756659334461284756482337
Sortir en Pantoufles: up 1 day, 13:38
-- 
gentoo-user@gentoo.org mailing list
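The transparent setup from point 2 of the reply, as an added example that is not from this thread or from the squid project. It assumes the box generating the rules is the clients' actual next hop (the second-NIC layout discussed above); the interface name, LAN subnet and proxy port are placeholders, and squid is assumed to be configured for interception (`http_port 3128 transparent` on squid 2.6/3.0, `http_port 3128 intercept` on 3.1 and later).

```shell
#!/bin/sh
# Added example, not code from the thread.  Emits the iptables rules
# for intercepting LAN HTTP traffic and handing it to a local squid.
# All names below (lan_if, lan_net, squid_port) are placeholders.

# Print the rule set as text so it can be reviewed before it is applied.
# Usage: build_rules <lan_interface> <lan_subnet> <squid_port>
build_rules() {
    lan_if=$1; lan_net=$2; squid_port=$3
    cat <<EOF
# Redirect port-80 traffic arriving from the LAN to the local squid.
# This only has an effect on the box that really routes for the clients.
iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-port $squid_port
# Let the LAN hosts reach the proxy port on this box.
iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport $squid_port -j ACCEPT
# Belt and braces: never forward raw port-80 traffic that somehow missed
# the redirect, so a client with a hand-set route gains nothing.
iptables -A FORWARD -i $lan_if -s $lan_net -p tcp --dport 80 -j REJECT
EOF
}

# Number of actual rules (comment lines excluded) in a generated set,
# useful as a sanity check before piping the output to sh.
count_rules() {
    build_rules "$@" | grep -c '^iptables'
}

# To apply for real on the gateway (placeholders shown):
#   build_rules eth1 192.168.1.0/24 3128 | sh
```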
