Firewall Wizards mailing list archives

RE: Proxy firewall design.


From: Joseph Judge <joej () ultranet com>
Date: Thu, 12 Mar 1998 09:09:12 -0500


I get the urge to chroot things either into 1 big section, like that /fw
or, if it makes sense, group proxies into a couple sections.

"Makes sense" to me means that I may see risk from a range of one set of
users different than another:
    inside to outside proxies == employees versus
    outside-to-inside authenticated proxies == customers versus
    outside-to-inside public access proxies == off fellows

I honestly can't see the gain from granularly chroot'ing each proxy
server ... but I do see its value in general (so the fwtk non-support
struck me as odd, also)

        -- joe

On Tuesday, March 10, 1998 7:14 AM, Darren Reed [SMTP:darrenr () cyber com au] wrote:

A common theme amongst proxy firewalls running on Unix is to limit the
exposure through use of chroot. How many of these segregate it further
such that (say) the smtp proxy uses /fw/smtp, ftp uses /fw/ftp, etc.?
I'm aware of chrooting used for WWW & mail, but I can't see why you
wouldn't use it for all of them.  For example, FWTK 2.0 doesn't support
chroot for plug-gw or x-gw but it does for all the others.  Of course,
you might even chroot to /fw first, before running any of your
proxies...

Darren


