Local: Firewalling

Linux: Firewalling - Application Level Proxies

Version: 0.04 from 2001-06-05
Copyright 2001 by Peter Bieringer <pb@bieringer.de>, original site of publishing: http://www.bieringer.de/linux/firewalling/
Unlimited non-commercial distribution of this document in its entirety is encouraged - please contact the author prior to commercial publication.

Suggestions, comments and improvements are welcome!

Some hints about how to increase security using application level proxies.
This list will be never completed! Here are shown the ones I brought up to successfully productive working.

Squid
Junkbuster
jftpgw
named/BIND

Changes to

0.04 [2001-06-05]: Last update before going public

HTTP, HTTPS, FTPoverHTTP

Squid

URL: http://www.squid-cache.org/

Hints:

Make shure that the proxy is only reachable from internal! Otherwise with a misconfigured firewall it's possible to use the proxy from outside as relay to get information from inside. Best way to do that is to specify the listen address and block all requests from not internal IPv4 addresses like

# Specify listen address and port
http_port 192.168.1.1:3128
# Define IPv4 addresses of internal network and allow access
acl localnet src 192.168.0.0/255.255.0.0
http_access allow localnet
# Deny all other access
http_access deny all

Proxy chaining with junkbuster (configured for listen on IPv4 address 127.0.0.1 and port 8081)

# Define a forwarder for requests
cache_peer 127.0.0.1 parent 8081 0 no-query
# Define some domains which should not junkbustered
acl notjunkbustered dstdomain .atomfilms.com
always_direct allow notjunkbustered
# FTP isn't supported by junkbuster
acl FTP proto FTP
always_direct allow FTP
# For SSL it makes no sense to forward the requests to junkbuster
acl CONNECT method CONNECT
always_direct allow CONNECT
# But all other requests must be forwareded to cache_peer junkbuster
always_direct deny all

HTTP, HTTPS

Junkbuster

URL: http://www.junkbuster.com/

Hints:

Make shure that the proxy is only reachable from internal! Otherwise with a misconfigured firewall it's possible to use the proxy from outside as relay to get information from inside. Best way to do that is to specify the listen address like

listen-address 192.168.1.1:8081

Native FTP

For use with e.g. Ipswitch WS_FTP client

jftpgw

URL: http://www.mcknight.de/jftpgw/

DNS

named/BIND

URL: http://www.isc.org/products/BIND/

Hints:

Make shure that the named is only reachable from internal! Otherwise with a misconfigured firewall it's possible to use this named to resolve from outside queries about internal used information. Best way to do that is to specify the listen address like

# Listen for queries only on internal interfaces
listen-on { 127.0.0.1; 192.168.1.1; };

Your connection is via: IPv4
Your address: 3.17.162.247

www.bieringer.de
is maintained by
webmaster at bieringer dot de
(Impressum)

Linux: Firewalling - Application Level Proxies

Contents

HTTP, HTTPS, FTPoverHTTP

Squid

HTTP, HTTPS

Junkbuster

Native FTP

jftpgw

DNS

named/BIND