Slide 4 of 17
The web proxy should be outside BSDnet and all inside browsers configured to
use it. That way the ACLs can include a narrowly defined 'permit' rule
for TCP connections to port 80 of the web proxy. The problem with the web
proxy on the inside is that the rule would have to allow TCP out to
anywhere on any port with the only restriction being 'from the proxy'. John
did some testing and found that the Netscape 3.01 browser can be
configured to use the CERN server as a proxy. Can the
Netscape server be configured to act as a proxy?
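
The difference between the two placements can be checked by running sample flows through each rule set. The following is an added example, not part of the original slides: a small first-match ACL model in Python with an implicit deny, covering outbound TCP only. All addresses are constructed documentation ranges standing in for BSDnet, the proxy and an external host.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    dport: Optional[int]  # destination TCP port, None = any port

# Constructed addresses (assumptions, not from the slides).
INSIDE = "192.0.2.0/24"             # stands in for BSDnet
PROXY_OUTSIDE = "198.51.100.10/32"  # proxy placed outside the firewall
PROXY_INSIDE = "192.0.2.10/32"      # proxy placed inside the firewall
ANY = "0.0.0.0/0"

# Proxy outside: one narrow permit, inside hosts to port 80 of the proxy.
ACL_PROXY_OUTSIDE = [Rule("permit", INSIDE, PROXY_OUTSIDE, 80)]
# Proxy inside: the proxy fetches on behalf of browsers, so the rule is
# "from the proxy" to anywhere on any port.
ACL_PROXY_INSIDE = [Rule("permit", PROXY_INSIDE, ANY, None)]

def decide(acl, src, dst, dport):
    """Return the action of the first matching rule; implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.dport in (None, dport)):
            return r.action
    return "deny"

# Constructed outbound flows: (label, source, destination, destination port).
FLOWS = [
    ("browser to outside proxy, port 80", "192.0.2.25", "198.51.100.10", 80),
    ("browser to external host, port 80", "192.0.2.25", "203.0.113.7", 80),
    ("proxy address to external host, port 8080", "192.0.2.10", "203.0.113.7", 8080),
    ("proxy address to external host, port 25", "192.0.2.10", "203.0.113.7", 25),
]

def compare():
    """Map each flow label to (decision with proxy outside, decision with proxy inside)."""
    return {label: (decide(ACL_PROXY_OUTSIDE, s, d, p),
                    decide(ACL_PROXY_INSIDE, s, d, p))
            for label, s, d, p in FLOWS}

if __name__ == "__main__":
    for label, (outside, inside) in compare().items():
        print(f"{label:45} outside={outside:7} inside={inside}")
```

With the proxy outside, the only flow that crosses the filter is inside-to-proxy on port 80; with the proxy inside, anything originating from the proxy's address passes, whatever the destination port.
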
There should probably be one or two slave-mode DNS servers in BSDnet,
with the filters restricting DNS traffic to only those servers. Sage
could be so configured; don't know about NT.
Similarly, there may be some value to having one or two NTP servers
inside the bsd firewall and restricting cross-firewall NTP traffic