From owner-freebsd-security Thu Nov 15 4:27:18 2001
Message-Id: <200111151226.fAFCQof21790@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: Mike Tancsa
Cc: anderson@centtech.com, freebsd-security@FreeBSD.ORG
Subject: Re: NAT vs Application layer proxy
In-reply-to: Your message of "Mon, 12 Nov 2001 09:22:20 EST." <5.1.0.14.0.20011112091952.06b2cb30@marble.sentex.ca>
Date: Thu, 15 Nov 2001 04:26:34 -0800

In message <5.1.0.14.0.20011112091952.06b2cb30@marble.sentex.ca>, Mike Tancsa writes:
> At 08:24 AM 11/12/01 -0600, Eric Anderson wrote:
> >What are some of the advantages/disadvantages of an
> >application layer proxy server, versus a box running NAT
> >with packet filtering on it (like ipfilter or IPFW)?
>
> Auditing is a big one. Also, you can do neat things like block NIMDA
> infected sites with Squid.

I've been playing with SquidGuard lately to filter web traffic based
upon content, regexp matches within domainname, and network blocks.
Many people at work with children have expressed interest, given that
an old PC (who doesn't have an old PC lying around these days) running
FreeBSD + IP Filter is all that is needed, not to mention one gets a
firewall as a bonus. squidguard.org provides updates to the database.

Regards,
Cy Schubert
Team Leader, Sun/Alpha Team
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
Phone: (250)387-8437
Fax: (250)387-5766
Email: Cy.Schubert@osg.gov.bc.ca