Proxy help w/Linux and one or two NIC cards?
Tom Metro
blu at vl.com
Sun Jan 2 21:22:26 EST 2005
Scott Ehrlich wrote:
> My network setup at home consists of a Linksys broadband gateway/router
> connected to Comcast and several machines branching off of it.
>
> I thought I might be able to get away with one NIC.
> Also please educate if I still need two NICs...
>
> My internal addressing is static 192.168 for all machines, which include
> the two NICs in the proxy box.
I can't help you with Squid, but it sounds like you're off track with
the two NICs.
In a traditional firewall setup, 2 NICs are used in order to physically
isolate the two network segments - one being your LAN, and the other
being the WAN. It is then up to the firewall's rules to decide what can
pass from one interface to the other.
In your situation, the Linksys router is located in the traditional
firewall position, straddling the two network segments. (Internally, it
has the logical equivalent of 2 NICs.) So if your proxy machine is
inside the LAN, I don't see any value in having two NICs.
The lack of isolation is further emphasized by your comment that both
NICs have IP addresses on the same network segment.
> ...also found the firewall-howto which has indicated (reminded me) of
> the possible need for two NICs, so I scrounged and installed a second NIC.
You've probably seen a blending of concepts, because proxies are often
installed directly on the firewall machine, which has 2 NICs.
> I have Debian Woody installed on one box, and port forwarding enabled on
> the Linksys to point to the Debian box to reflect the open incoming
> proxy port.
It isn't clear to me why you needed to open ports on the Linksys to
provide access to the Squid proxy server, unless that machine is also
serving up web pages to the public Internet. Typically, a proxy works by
accepting a request from a client computer on your LAN, and then it
relays that request to a server on the Internet. As the proxy initiates
the request directed to the Internet, it should pass through a typical
NAT router without requiring any special rules.
If you want to boost security, place the machine running the proxy in a
DMZ, which is like a second LAN that the firewall keeps physically
isolated from your real LAN. That way if your proxy machine is breached
(say due to a vulnerability in Squid), the attackers can't get at
machines on your LAN.
The effectiveness of a DMZ is largely dependent on the kinds of rules
you create for what is permitted to/from the DMZ. In this case, you'd
permit LAN traffic to send HTTP requests to your proxy server, and you'd
permit the proxy server to send HTTP requests out to the Internet, but
you'd deny any connections from the Internet to the proxy server.
That last bit is the reason why a DMZ is probably overkill for a proxy
server. Servers that don't accept inbound connections are generally no
more vulnerable to attack than client computers already on your LAN.
(On a side note, your Linksys router might have a feature labeled DMZ,
but in my experience DMZ is an exaggeration when applied to consumer
routers. They typically use the DMZ label to mean that they'll port
forward all inbound traffic to a designated machine which is on your LAN
and not isolated.)
-Tom
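As an added illustration (editor's example, not part of Tom's post), here is a small model of the three-zone forwarding policy he describes: LAN clients may reach the proxy's listener, the proxy may initiate HTTP/HTTPS requests to the Internet, and everything else, including Internet to proxy and proxy to LAN, is dropped. The subnets, proxy address and port 3128 are constructed assumptions.

```python
"""Model of the DMZ forwarding policy from the post: LAN -> proxy listener and
proxy -> Internet web ports are the only new connections forwarded, so a
breached proxy in the DMZ cannot open connections back into the LAN.
Addressing and the proxy port are constructed assumptions, not from the post."""
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption).
ZONES = {
    "lan": ip_network("192.168.1.0/24"),
    "dmz": ip_network("192.168.2.0/24"),
}
PROXY = ip_address("192.168.2.10")  # assumed address of the Squid box
PROXY_PORT = 3128                   # assumed Squid listener port
WEB_PORTS = {80, 443}


def zone_of(addr):
    """Classify an address as 'lan', 'dmz' or 'internet' (anything else)."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def forward_allowed(src, dst, dport, syn=True):
    """Return True if a new TCP connection src -> dst:dport may be forwarded.

    Default deny. Only the two flows the post permits are listed; replies to
    permitted flows are assumed to be handled by connection-tracking state
    rules, so only connection-initiating (SYN) packets are evaluated here.
    """
    if not syn:
        return False  # not a new connection: left to conntrack, not policy
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    s, d = zone_of(src_ip), zone_of(dst_ip)
    # Rule 1: LAN clients may talk to the proxy's HTTP listener only.
    if s == "lan" and dst_ip == PROXY and dport == PROXY_PORT:
        return True
    # Rule 2: the proxy may initiate HTTP/HTTPS requests to the Internet.
    if src_ip == PROXY and d == "internet" and dport in WEB_PORTS:
        return True
    # Everything else (Internet -> DMZ, DMZ -> LAN, odd ports) is dropped.
    return False
```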