Re: IPCop for Small-Business Network: Web Proxy Usage
From: Charles Newman (charlesnewman1_at_nospam.comcast.net.do.net.spam.me)
Date: Sun, 19 Jun 2005 21:01:31 -0700
"Moe Trin" <email@example.com> wrote in message
> In the Usenet newsgroup comp.security.firewalls, in article
> <G-WdnfDdM4jdeinfRVnfirstname.lastname@example.org>, Charles Newman wrote:
> > Well, I recommend the T6212 because of the extremely low noise. I use
> >that as the gateway, and when it is the only machine on, you can hardly
> >hear it.
> Like most experienced admins, I _DON'T_ recommend such a system, as it's
> a waste of a useful system. Your home firewall only needs a clapped out
> piece of trash that has been thrown away by others because you don't run
> ANY applications on a firewall other than the firewall.
> >I have two different programs running HTTP and Socks Servers.
> Does Comcast permit that on a residential service?
For personal use, yes. I have to make sure that my
proxy cannot be accessed from the outside, and
my firewall is configured to make sure that does not
happen. As long as my servers are not accessible
to anyone from the outside, it is OK. You are
allowed to run a home network, and have proxies
to handle the network, as long as you only allow the
machines on your network to be able to access them.
I am surprised I did not hear from Comcast, however,
when I tried CyBlock. It opened a security hole I did
not know was there, until I looked at the logs. If you
use the CyBlock web filtering program, be sure that
only the machines on your network can access it,
and also only allow CyBlock to go out to ports 80
and 443. Wavecrest needs to fix some serious security
problems with CyBlock. If you use CyBlock as your
filtering program, better have Tiny Personal Firewall
on the same machine as well, to restrict both incoming
and outgoing access.
> >I have AllegroSurf, to handle routing, I have Tiny Personal Firewall, to
> >put the machines behind a firewall,
> Get a real operating system - both of those are built in to any *nix
> >and because I have had problems, in the past, with housekeepers who
> >bring their children with in, filtering, which is done by the old
> >freeware version of WebWasher, which also does HTTP filtering.
> Sounds like you have substantial security problems you haven't addressed.
My computer setup is quite secure. Since I replaced
ICS with AllegroSurf, my system is a LOT more
> >As far as controlling where users can go, I am just as secure as any
> >corporate filtering network.
> No, but that's because you don't understand how people configure
> >You can call my setup a toy firewall, if you like, but it can stop a lot
> >of things the hardware firewalls cannot.
> But you've already shown you don't understand even the fundamental
> of firewalls. How would you know what can or can not be done? You have
> experience with one, and don't even understand basic IP networking.
> you allow any packets of protocol 17 through your firewall? Do you even
> know where to look up the protocol number, much less know what it is, and
> where the protocol number is located in the packet header with respect to
> the destination IP address? What about protocol 6? Is it a good idea to
> block packets with the DNF or ECN bits set? Why?
Tiny Personal Firewall only controls by IP, port
number, and/or program running on the machine.
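
The header fields raised in the quoted questions above (protocol number, destination address, the Don't Fragment flag and the ECN bits), shown as an added example that is not part of either poster's message: a Python parser for the fixed 20-byte IPv4 header. The sample packet is constructed, uses documentation addresses, and leaves the checksum at 0.

```python
import socket
import struct

# IANA-assigned protocol numbers mentioned in the thread (6 = TCP, 17 = UDP).
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
IPV4_FIXED = "!BBHHHBBH4s4s"  # 20 bytes, network byte order (RFC 791 layout)


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed part of an IPv4 header and report the filterable fields."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, _total_len, _ident, flags_frag,
     ttl, proto, _checksum, src, dst) = struct.unpack(IPV4_FIXED, packet[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or len(packet) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "header_len": header_len,
        "ecn": tos & 0x03,                           # low 2 bits of byte 1 (RFC 3168)
        "dont_fragment": bool(flags_frag & 0x4000),  # DF flag, in bytes 6-7
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": proto,                           # byte 9
        "protocol_name": PROTOCOLS.get(proto, "other"),
        "src": socket.inet_ntoa(src),                # bytes 12-15
        "dst": socket.inet_ntoa(dst),                # bytes 16-19
    }


def build_sample_header(proto: int, df: bool = False, ecn: int = 0) -> bytes:
    """Constructed sample header: documentation addresses, checksum left at 0."""
    flags_frag = 0x4000 if df else 0
    return struct.pack(IPV4_FIXED, 0x45, ecn & 0x03, 20, 0x1234, flags_frag,
                       64, proto, 0,
                       socket.inet_aton("192.0.2.10"),
                       socket.inet_aton("198.51.100.7"))


if __name__ == "__main__":
    for proto in (6, 17):
        print(parse_ipv4_header(build_sample_header(proto, df=True, ecn=1)))
```

The protocol number sits at byte offset 9, seven bytes before the destination address at offsets 16-19. DF is set on ordinary TCP traffic that uses Path MTU Discovery, and the ECN bits are set by hosts that negotiated ECN (RFC 3168), so a filter that drops on either flag discards legitimate packets.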