Okay... Here is the situation. My home network incorporates a bunch of rather exotic computers:

- A Windows 2000 desktop, which badly needs an upgrade and hopefully won't choke on Windows 7's grotesque commit charge
- Several legacy Macintoshes running OS 9 or thereabouts, mostly useless for browsing
- A few Linux machines

And because I'm a compulsive experimenter, I've ditched Noscript on my netbook and am currently using Opera and Privoxy. I'm fairly impressed with the results; Hotmail for instance loads much faster, and I'm getting far fewer cookies. It's not as flexible or powerful as Noscript for JS blocking, but it seems to be quite good enough for my purposes.

But Privoxy can be used as a server proxy (is that the correct terminology?). So I was thinking, instead of having a bunch of separate Privoxy sessions running on the machines that support Privoxy, maybe I could set up a dedicated computer as a proxy server, and consolidate all the filtering there. With the right configuration, that would offer a bit more security for the Windows and Linux machines, and probably make the Macs much more useful online.

What's generally considered the best sort of setup for this? Starting with the basics:

- I want a server setup that won't be compromised easily, and requires minimal maintenance. The server would definitely stay behind my NAT router, but even so... What OS do you think would be most suitable? I'm leaning towards a BSD...
- Privoxy has a nice web interface, and all the users on my home network are trusted. Would it be reasonable to open up the web interface?
- Would it be better to use Privoxy alone, or with a caching proxy? Also I was thinking of throwing in ClamAV (or possibly F-Prot, I think the UNIX version of that is freeware); it seems like a good idea to cover as many bases as possible re malware. What would be the most sensible way to deploy an antivirus this way?

Also, I have to ask...
If I'm going to go to all this trouble, would it perhaps be better to also integrate a firewall, and just replace my NAT router? That might increase the attack surface; OTOH, I think using a PC as a router/gateway might allow me to scan *all* unencrypted traffic with ClamAV, not just HTTP. Speaking of which - what about encrypted traffic? I assume there's nothing to be done this way about malicious content transmitted over HTTPS, since it's only decrypted on the destination machines? Could this be a problem, seeing as fake antivirus websites sometimes use "genuine" SSL certificates?
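As an added illustration (not the poster's configuration, and not Privoxy's shipped default), here is the handful of `config` directives that matter when one Privoxy instance serves a whole LAN: bind to the LAN address only, admit only trusted LAN clients, keep the web interface viewable but read-only, and optionally chain to a caching proxy. The proxy host address 192.168.1.10, the LAN 192.168.1.0/24 and a Squid-style cache on port 3128 are assumptions to be replaced with your own values.

```conf
# Fragment of /etc/privoxy/config for a shared LAN proxy (example, not the poster's setup).
# Assumed values: proxy host 192.168.1.10, trusted LAN 192.168.1.0/24.

# Weak: listening on every interface with no access rule means any host that can
# reach the box, including anything on the WAN side of a misconfigured router,
# may use the proxy and its web interface.
#listen-address  0.0.0.0:8118

# Hardened: bind to the LAN interface only, and refuse everything outside the LAN.
listen-address  192.168.1.10:8118
permit-access   192.168.1.0/24

# Filtering stays on; the web interface at http://config.privoxy.org/ remains
# readable for the trusted users, but nobody can switch filtering off or edit
# the action files from a browser.
toggle                1
enable-remote-toggle  0
enable-edit-actions   0

# Optional: hand requests on to a caching proxy (assumed Squid on this host, port 3128)
# so Privoxy filters and the cache serves repeated content.
#forward  /  127.0.0.1:3128
```

Point every client's HTTP proxy setting at 192.168.1.10 port 8118; hosts outside the permitted range get a Privoxy "access denied" page rather than service.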