>> You may want to 'wrap' sendmail with smap from the firewall toolkit at
>> ftp.tis.com. And even though you are not going to offer any other services you
>> should still do logging (tcp_wrappers or netacl (from TIS)) and filesystem
>> checking (tripwire - coast.cs.purdue.edu).
>> As far as proxies you could use ip_masquerading, fwtk gateways, socks, CERN
>> http, or Harvest cached. CERN and Harvest both do caching on top of proxying.
>I am kinda curious about this.
>Has anyone tried this configuration? (i.e. IP_MASQUERADE + TIS FWTK)
>First of all, if you wanna set up a firewall, it seems to be prudent to turn
>off ip_forwarding. All the FAQs I read suggest turning on ip_forwarding.
>Secondly, in a situation where httpd<->ProxyAwareWWWClient session is taking
>place through a proxy config, TIS FWTK assumes a set of ip addresses at
>the LAN end, and the traffic goes through the ports in the FW. So where
>should the ip_masquerade take place? My understanding on ipfw is that
>the ip address conversion takes place between interfaces.
>Do I have this right?
Proxy agents, such as the ones with the fwtk, are considered application
gateways, while ipfw is packet filtering. ip_masq needs ip_forwarding on so it
can forward the packets, albeit with a different source address. Proxies do
not require that ip_forwarding be on because they listen for requests and
gather the information themselves, then pass it on to the client. Packets
are not forwarded through the box. If you use proxies you don't need ip_masq
and vice versa.
You need to decide which you want to use. IP_masq has some advantages, but it's
my opinion that proxies are more secure since you can turn off ip_forwarding
and not have to worry about too much. With ip_masq you have to turn on
ip_forwarding and then be very careful to get the rules correct and pray there
are no bugs in the code.
As for me - right now I'm using proxies, but I would consider changing once I
feel comfortable with the code.
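
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not fwtk code: a minimal application gateway in Python that checks the client against an allowed network, then opens its own connection to the server and relays the bytes. The names `pump`, `gateway` and `demo`, the loopback addresses and the echo server are constructed for illustration; because the server's peer is the gateway's own socket, nothing here depends on ip_forwarding.

```python
import ipaddress, socket, threading

def pump(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def gateway(listener, upstream_addr, allowed_net, log):
    """Accept one client, ACL-check it, relay over a NEW connection; log both legs."""
    client, peer = listener.accept()
    with client:
        if ipaddress.ip_address(peer[0]) not in ipaddress.ip_network(allowed_net):
            log.append(("deny", peer))
            return
        with socket.create_connection(upstream_addr) as up:
            log.append(("permit", peer, up.getsockname()))
            back = threading.Thread(target=pump, args=(up, client))
            back.start()
            pump(client, up)
            back.join()

def demo(allowed_net="127.0.0.0/8"):
    """Constructed loopback run: client -> gateway -> upstream echo server."""
    seen, log = [], []
    srv = socket.create_server(("127.0.0.1", 0))
    gw = socket.create_server(("127.0.0.1", 0))
    def upstream():
        conn, peer = srv.accept()
        with conn:
            seen.append(peer)              # who the server thinks it is talking to
            conn.sendall(conn.recv(4096))  # echo once
    threads = [threading.Thread(target=upstream, daemon=True),
               threading.Thread(target=gateway, daemon=True,
                                args=(gw, srv.getsockname(), allowed_net, log))]
    for t in threads:
        t.start()
    with socket.create_connection(gw.getsockname()) as c:
        client_addr = c.getsockname()
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")
        c.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    for t in threads:
        t.join(timeout=5)
    srv.close(); gw.close()
    return client_addr, seen, log, reply
```

The log entry pairs the client's address with the gateway's outbound socket, which is the per-connection record an application gateway can keep and a packet filter rewriting source addresses does not produce by itself.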