SLUG Mailing List Archives
Re: [SLUG] Enforcing proxy use
- To: Matthew Palmer <mjp16@xxxxxxxxxxxxxxx>
- Subject: Re: [SLUG] Enforcing proxy use
- From: Glen Turner <glen.turner@xxxxxxxxxxxxx>
- Date: Thu Feb 21 16:18:02 2002
- Cc: Richard Hayes <nada@xxxxxxxxxxx>, <slug@xxxxxxxxxxx>
On Wed, 20 Feb 2002, Matthew Palmer wrote:
> On Wed, 20 Feb 2002, Richard Hayes wrote:
> > An organisation has public access terminals connected to a Telstra cable
> > connection. They use a Netgear router that allocates a 192.168.0.x DHCP
> > address on every client login.
> > There is no filtering on the services.
> > Using Squidguard (or similar) how can you enforce using the proxy?
> You can't. Unless you can stop connections to port 80 to addresses outside
> the local network, people can just connect to wherever they please.
> Get rid of the Netgear router, and put a Linux firewall/router/DHCP server
> in there instead. If you're really squeezed for machines (can't afford a
> 486?) then put the Squidguard machine in as the router.
But surely blocking outgoing port 80 is pretty much the requirement?
access-group FORCE-PROXY out
access-list FORCE-PROXY tcp permit eq 80 host web-proxy.example.com
access-list FORCE-PROXY tcp deny eq http any
access-list FORCE-PROXY ip permit any
Then people have to configure a proxy to get web access.
People can still run web traffic over other ports in this
scenario. So if you want to be super-sure then deny
all outgoing traffic and proxy all application protocols
through the web proxy machine (eg: have a DNS and e-mail
This isn't particularly nice, as visitors need to configure
their machines. See if Netgear support WCCP and set
up a transparent proxy. With a kernel patch you can
configure Squid on Linux to be a WCCP transparent web proxy.
Glen Turner
Network Engineer, Australian Academic and Research Network
(08) 8303 3936
The revolution will not be televised, it will be digitised
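Glen's access list and the "other ports" caveat, as an added example that is not from the thread: a Python first-match evaluator of the FORCE-PROXY entries and of the deny-everything variant, run over constructed sample flows. The proxy address 192.168.0.2, the 203.0.113.x destinations and the rule and flow names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
PROXY_HOST = "192.168.0.2"  # assumed address of web-proxy.example.com (not from the thread)

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", or "ip" (ip = any protocol)
    dst_host: Optional[str] = None  # None = any destination host
    dst_port: Optional[int] = None  # None = any destination port
@dataclass(frozen=True)
class Flow:
    proto: str
    dst_host: str
    dst_port: Optional[int] = None

# The three FORCE-PROXY entries from the message, in the order given.
FORCE_PROXY = [
    Rule("permit", "tcp", dst_host=PROXY_HOST, dst_port=80),
    Rule("deny", "tcp", dst_port=80),
    Rule("permit", "ip"),
]
# The "deny all outgoing traffic" variant: only the proxy is reachable.
STRICT_PROXY_ONLY = [Rule("permit", "tcp", dst_host=PROXY_HOST, dst_port=80), Rule("deny", "ip")]
def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field the rule constrains agrees with the flow."""
    return ((rule.proto == "ip" or rule.proto == flow.proto)
            and (rule.dst_host is None or rule.dst_host == flow.dst_host)
            and (rule.dst_port is None or rule.dst_port == flow.dst_port))

def evaluate(acl: list, flow: Flow) -> str:
    """First matching entry wins; a flow matching nothing hits the implicit deny."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"
# Constructed outbound flows from a public terminal (sample data, not captured traffic).
SAMPLE_FLOWS = {
    "via_proxy":   Flow("tcp", PROXY_HOST, 80),
    "direct_web":  Flow("tcp", "203.0.113.10", 80),
    "web_on_8080": Flow("tcp", "203.0.113.10", 8080),
    "https":       Flow("tcp", "203.0.113.10", 443),
    "dns":         Flow("udp", "203.0.113.53", 53),
}

def proxy_bypasses(acl: list) -> list:
    """Names of sample flows that reach the Internet without going through the proxy."""
    return [name for name, flow in SAMPLE_FLOWS.items()
            if flow.dst_host != PROXY_HOST and evaluate(acl, flow) == "permit"]
```

With the three-entry list only direct port 80 is stopped; the strict variant leaves nothing but the proxy reachable, which is why the message pairs it with proxying DNS and mail through the same machine.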