Firewall Wizards mailing list archives
RE: Proxy firewall design.
From: Joseph Judge <joej () ultranet com>
Date: Thu, 12 Mar 1998 09:09:12 -0500
I get the urge to chroot things either into 1 big section, like that /fw or, if it makes sense, group proxies into a couple sections.

"Makes sense" to me means that I may see risk from a range of one set of users different than another:

    inside to outside proxies == employees
  versus
    outside-to-inside authenticated proxies == customers
  versus
    outside-to-inside public access proxies == off fellows

I honestly can't see the gain from granularly chroot'ing each proxy server ...but I do see its value in general (so the fwtk non-support struck me as odd, also)

-- joe

On Tuesday, March 10, 1998 7:14 AM, Darren Reed [SMTP:darrenr () cyber com au] wrote:

A common theme amongst proxy firewalls running on Unix is to limit the exposure through use of chroot. How many of these segregate it further such that (say) the smtp proxy uses /fw/smtp, ftp uses /fw/ftp, etc.?

I'm aware of chrooting used for WWW & mail, but I can't see why you wouldn't use it for all of them. For example, FWTK 2.0 doesn't support chroot for plug-gw or x-gw but it does for all the others. Of course, you might even chroot to /fw first, before running any of your proxies...

Darren
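The per-proxy layout discussed in this thread (/fw/smtp, /fw/ftp) can be sketched as a startup routine each proxy would call before accepting connections. This is an added example, not code from either poster or from FWTK; the function names `jail_path_for` and `enter_jail` and the unprivileged uid/gid 65534 are assumptions.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Build "<base>/<proxy>" (e.g. /fw/smtp). Reject names that could
 * point outside base. Hypothetical helper, not an FWTK function. */
int jail_path_for(const char *base, const char *proxy, char *out, size_t len)
{
    if (proxy[0] == '\0' || strchr(proxy, '/') != NULL ||
        strcmp(proxy, ".") == 0 || strcmp(proxy, "..") == 0)
        return -1;
    int n = snprintf(out, len, "%s/%s", base, proxy);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Confine the calling process to dir, then give up root for good.
 * Returns 0 on success, -1 on the first failing step; the caller
 * must exit on -1 rather than continue half-confined. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -1;    /* root can leave a chroot */
    if (chdir(dir) != 0) return -1;         /* be inside before chroot */
    if (chroot(".") != 0) return -1;        /* requires root */
    if (chdir("/") != 0) return -1;         /* cwd must be under new root */
    if (setgroups(0, NULL) != 0) return -1; /* drop supplementary groups */
    if (setgid(gid) != 0) return -1;        /* group first, then user */
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;          /* regaining root must fail */
    return 0;
}

int main(int argc, char **argv)
{
    char path[256];
    const char *proxy = argc > 1 ? argv[1] : "smtp"; /* assumed default */
    if (jail_path_for("/fw", proxy, path, sizeof path) != 0) return 2;
    if (enter_jail(path, 65534, 65534) != 0) { perror(path); return 1; }
    /* the proxy's accept loop would start here */
    return 0;
}
```

Giving each group of proxies its own uid as well as its own directory keeps one compromised proxy from signalling or tracing another that shares the same jail.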