>When using the CERN httpd as a proxy on the firewall, all connections
>to the proxy from within are to a single port. The proxy makes the
>outbound connection to the proper port on the foreign system.
>If run in daemon mode, it has its own access control. Unfortunately, it
>only lets you discriminate by domain or IP wildcard. This means that I
>cannot explicitly disallow my external subnet except by explicitly
>allowing each individual internal subnet, which would be a real drag
>with our class B network and 8-bit subnet mask.
What I'm doing is to run two proxy servers, one on the firewall which only
allows access to a second, internal one. This internal one can then be
configured a little more easily, as one doesn't have to worry about explicitly
disabling external access (since the firewall already takes care of that).
So far it seems to work okay, although there are some problems yet with
the way clients work with the proxy server (although I'm not convinced that
I'm not creating some problems of my own with the way I've configured things).
For instance, Mosaic 2.4 doesn't support the "no_proxy" mechanism, so all
requests end up going through the proxy server, even if you could get to the
Joe Meadows meadowsj @
com or jem7049 @
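The two-proxy arrangement and the access-control limitation discussed in the thread, as an added example that is not part of the original message or of the CERN httpd code. It models the httpd's wildcard-only allow rules with shell-style patterns on dotted-quad addresses, shows why a wildcard-only policy forces enumeration of every internal 8-bit subnet of a class B, shows how chaining an outer (firewall) proxy that admits only the inner proxy removes that burden, and adds the client-side "no_proxy" check that Mosaic 2.4 is said to lack. The 128.1.0.0/16 network, the subnet numbers, the proxy addresses and the policy tables are all constructed for illustration.

```python
import fnmatch

# Constructed addresses for the model (not from the original message).
CLASS_B_PREFIX = "128.1"      # a class B network, 8-bit subnet mask
EXTERNAL_SUBNET = 200         # the subnet sitting outside the firewall
INNER_PROXY_IP = "128.1.1.10" # the internal proxy the firewall proxy trusts


def ip_matches(pattern, ip):
    """Wildcard match on dotted-quad text, e.g. '128.1.*.*' vs '128.1.7.9'.

    This is an approximation of an allow-by-IP-wildcard rule: there is
    no deny form, so anything not matched by some pattern is refused.
    """
    return fnmatch.fnmatchcase(ip, pattern)


class Proxy:
    """A proxy with an allow list of IP wildcard patterns and nothing else."""

    def __init__(self, name, allow_patterns):
        self.name = name
        self.allow = list(allow_patterns)

    def accepts(self, client_ip):
        return any(ip_matches(p, client_ip) for p in self.allow)


def allow_list_for_internal_subnets(class_b_prefix, external_subnet):
    """The painful single-proxy policy: because rules can only allow, the
    external subnet is kept out by listing every other 8-bit subnet
    (subnets 1..254 minus the external one, i.e. 253 entries)."""
    return [f"{class_b_prefix}.{s}.*"
            for s in range(1, 255) if s != external_subnet]


# The two-proxy chain: the outer proxy on the firewall admits only the
# inner proxy, so its policy is one line; the inner proxy admits the whole
# class B and relies on the firewall to keep external hosts away from it.
OUTER = Proxy("firewall-proxy", [INNER_PROXY_IP])
INNER = Proxy("internal-proxy", [f"{CLASS_B_PREFIX}.*.*"])


def chained_decision(outer, inner, client_ip, inner_proxy_ip=INNER_PROXY_IP):
    """Trace a request from an inside client through both proxies."""
    if not inner.accepts(client_ip):
        return "rejected by inner proxy"
    if not outer.accepts(inner_proxy_ip):
        return "rejected by outer proxy"
    return "forwarded"


def no_proxy_bypass(host, no_proxy):
    """Client-side 'no_proxy' check: hosts in (or under) a listed domain are
    fetched directly instead of via the proxy.  A client without this
    mechanism sends every request, internal ones included, to the proxy."""
    host = host.lower().rstrip(".")
    for entry in no_proxy.split(","):
        entry = entry.strip().lower().lstrip(".")
        if entry and (host == entry or host.endswith("." + entry)):
            return True
    return False


if __name__ == "__main__":
    print(len(allow_list_for_internal_subnets(CLASS_B_PREFIX, EXTERNAL_SUBNET)),
          "allow rules needed without a chain; chain needs", len(OUTER.allow))
    print("inside client:", chained_decision(OUTER, INNER, "128.1.7.9"))
    print("external host straight at the firewall proxy accepted?",
          OUTER.accepts("128.1.200.5"))
    print("no_proxy bypass for www.example.com:",
          no_proxy_bypass("www.example.com", "example.com"))
```

The rule matcher deliberately has no deny form, so the single-proxy policy can only be expressed as a long enumeration; the chain sidesteps that because the outer proxy's only client is the inner proxy, and the inner proxy's reachability is already bounded by the firewall rather than by its own access list.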