Re: [squid-users] Massive problems with https connections to Domino Server (long)

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 11 Feb 2004 09:03:52 +0100 (CET)

On Wed, 11 Feb 2004, vda wrote:

> Give me an example of some security measure which you
> can accomplish with squid but not with masquerading
> using iptables.

There are quite many.

a) The proxy will be able to apply rules on what is being forwarded, for
example rejecting worms etc. from spreading outside your network should you
get infected.

b) You can also deny access to known insecure content.

c) If you integrate the proxy with a content filter or virus scanner then
things get really interesting.

> Exactly. Right now, you triggered a DoS with IE bug (or maybe it's
> a squid bug? we are not 100% sure). But any user can do the same with
> very simple tools like netcat and/or stunnel. You have to make it
> impossible if you want a rock stable system.

Actually Squid can help here... see the max_conn ACL.

and yes, iptables has a similar control.

Regards
Henrik
Received on Wed Feb 11 2004 - 01:04:38 MST
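As an added illustration, not part of the original thread, of the per-client connection limit Henrik points at: in squid.conf the ACL type is spelled `maxconn`, and the deny rule has to come before the allow rule for the same clients or it never fires. The threshold of 20, the 192.168.1.0/24 network and port 3128 are assumed values.

```conf
# Constructed squid.conf fragment: cap concurrent connections per client IP.
# maxconn matches when a client IP already has MORE than the given number of
# connections open to Squid; it relies on client_db, which is on by default.
client_db on

acl lan src 192.168.1.0/24          # assumed local network
acl too_many_conns maxconn 20       # assumed threshold; tune to your user base

# Order matters: the deny must precede the allow for the same clients,
# otherwise the allow rule matches first and the limit is never evaluated.
http_access deny too_many_conns
http_access allow lan
http_access deny all

# Kernel-side counterpart on the Squid host (assumed proxy port 3128), the
# "similar control" in iptables: the connlimit match counts TCP connections
# per source address and rejects new ones above the threshold.
#   iptables -A INPUT -p tcp --dport 3128 --syn -m connlimit --connlimit-above 20 -j REJECT
```

A client over the Squid limit receives an access-denied error page, whereas the iptables rule rejects the TCP handshake before Squid ever sees it.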

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:02 MST