[KLUG Members] choice of i-filter/firewall/squid box

Bert members@kalamazoolinux.org
Fri, 02 Apr 2004 09:05:54 +0200


J.A. Sarma wrote:

>I am asking for some guidance on a choice of /firewall/squid/& internet web
>filtering/ for a small school lab environment.  There is already a Windows
>2000 server and a separate Printserver locked in place, along with WinNT
>boxes for teacher access.
>
>There have been many positive responses with a tryout of an LTSP & thin
>client setup.  Now there is a requirement to install a box between the
>broadband cable modem and the rest of the school's internal LAN to filter
>Internet access.
>
>My first choices have been a second box with an LTSP install with
>squid/squidguard/shorewall and two ethernet NIC's.  Other possibilities are
>a box with Devil-Linux, if I can run squid and squidguard on it.  There
>might be other suggestions.
>
>Recommendations, Anyone?

I would probably never run a proxy on a LTSP box, although the idea 
might be good if your box has enough memory and you mount the cache on 
memory. It should be a very fast proxy...  Drawback is if you bring it 
down you would lose all your cache.

I would definitely use two boxes, both installed for their purpose. I run 
a squid proxy on a box that is holding just enough to run the proxy. I 
build the firewall (iptables) the same way: only installed packages that 
need to be there to run. What ain't there can't be misused by hackers or 
anybody else for that matter.  I do not use any tools to edit the 
firewall rules other than vi, which all needs to be done on the console 
because no network logon to the box is possible (not installed).
Starting point was a standard SuSE distro, leading to an install of 
about 300MB.

My 2 cents here are that I think that any box that is a gateway between 
you and the internet should be as lean and mean as possible and only 
serving one purpose and one purpose only.
BTW place your proxy in a DMZ controlled by the firewall, never parallel 
to your firewall.

Bert.
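The layout Bert describes (a separate iptables firewall with the squid box in a DMZ it controls, LAN clients unable to reach the internet except through the proxy) as an added example ruleset; this is not Bert's configuration and not from the thread. The interface names, addresses and proxy port are constructed assumptions: eth0 faces the cable modem, eth1 the school LAN (192.168.1.0/24), eth2 the DMZ (192.168.2.0/24) with squid at 192.168.2.10 on port 3128. With DRY_RUN=1 the script prints the rules instead of loading them, so the policy can be reviewed on a box without root or iptables.

```shell
#!/bin/sh
# Added example of a three-interface firewall policy (WAN / LAN / DMZ).
# All names and addresses below are assumptions chosen for the example.
WAN=eth0; LAN=eth1; DMZ=eth2
LAN_NET=192.168.1.0/24; DMZ_NET=192.168.2.0/24
PROXY=192.168.2.10; PROXY_PORT=3128

# Run iptables, or print the command when DRY_RUN=1 (review/test mode).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

load_rules() {
    ipt -F INPUT
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING
    # Default deny for traffic to and through the box; the box's own
    # outbound traffic (package updates from the console) is allowed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # The firewall itself: loopback and replies only. No network logon
    # at all, matching a box administered purely from the console.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Replies to connections allowed below.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients may only talk to the proxy in the DMZ, on the squid port.
    ipt -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $PROXY -p tcp --dport $PROXY_PORT -m state --state NEW -j ACCEPT
    # The proxy may fetch web content and resolve names on the internet.
    ipt -A FORWARD -i $DMZ -o $WAN -s $PROXY -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i $DMZ -o $WAN -s $PROXY -p udp --dport 53 -m state --state NEW -j ACCEPT
    # Anything else (LAN straight to WAN, DMZ into LAN, unsolicited inbound)
    # is logged and then hits the DROP policy.
    ipt -A FORWARD -j LOG --log-prefix "FWD-DROP: "

    # Only the proxy's traffic is NATed out; LAN hosts get no NAT at all.
    ipt -t nat -A POSTROUTING -o $WAN -s $PROXY -j MASQUERADE
}

# Review helpers: does the generated policy contain a rule matching TEXT?
has_rule() { ( DRY_RUN=1; load_rules ) | grep -q -- "$1"; }

# True when no ACCEPT rule forwards LAN traffic directly to the WAN,
# i.e. clients cannot bypass the proxy.
lan_cannot_bypass_proxy() {
    ! ( DRY_RUN=1; load_rules ) | grep -- "-i $LAN -o $WAN" | grep -q ACCEPT
}

# Load for real only when asked explicitly: LOAD=1 sh firewall.sh
[ "${LOAD:-0}" = 1 ] && load_rules
```

Run with DRY_RUN=1 first and read the printed rules; the checks has_rule and lan_cannot_bypass_proxy are what a reviewer would run to confirm the LAN has no path to the WAN other than through squid, which is the property that makes the filtering box effective rather than optional.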