SLUG Mailing List Archives

Re: [SLUG] Enforcing proxy use


On Thu, 21 Feb 2002, Glen Turner wrote:

> On Wed, 20 Feb 2002, Matthew Palmer wrote:
> 
> > On Wed, 20 Feb 2002, Richard Hayes wrote:
> > 
> > > An organisation has public access terminals connected to a Telstra cable 
> > > connection.  They use a Netgear router that allocates a 192.168.0.x DHCP 
> > > address on every client login.
> > > 
> > > There is no filtering on the services.
> > > 
> > > Using Squidguard (or similar) how can you enforce using the proxy?
> > 
> > You can't.  Unless you can stop connections to port 80 to addresses outside
> > the local network, people can just connect to wherever they please.
> > 
> > Get rid of the Netgear router, and put a Linux firewall/router/DHCP server
> > in there instead.  If you're really squeezed for machines (can't afford a
> > 486?) then put the Squidguard machine in as the router.
> 
> But surely blocking outgoing port 80 is pretty much the requirement?
> 
>   eg:
>      interface Telstra0
>       access-group FORCE-PROXY out
> 
>      access-list FORCE-PROXY tcp permit eq 80 host web-proxy.example.com
>      access-list FORCE-PROXY tcp deny eq http any
>      access-list FORCE-PROXY ip permit any
> 
> Then people have to configure a proxy to get web access.
> 
> People can still run web traffic over other ports in this
> scenario.  So if you want to be super-sure then deny
> all outgoing traffic and proxy all application protocols
> through the web proxy machine (eg: have a DNS and e-mail
> forwarder).
> 
> This isn't particularly nice, as visitors need to configure
> their machines.  See if Netgear support WCCP and set
> up a transparent proxy.  With a kernel patch you can
> configure Squid on Linux to be a WCCP transparent web proxy
> server.

Think you're missing the point to some extent.

internet---[netgear-router]
                  |
              ____|____
             [___hub___]-------[linux / squid]
              |   |   |
             /    |   \
           ws1   ws2  ws3

In this setup above there's nothing *FORCING* the workstations to go
through the squid proxy.

internet---[netgear-router]
                  |
           [linux / squid]
                  |
              ____|____
             [___hub___]
              |   |   |
             /    |   \
           ws1   ws2  ws3

The above setup makes it possible with the same equipment, but the
setup below is just a lot simpler and more flexible, which is why there
are so many Netgears on eBay, one presumes.

internet---[linux / squid]
                  |
              ____|____
             [___hub___]
              |   |   |
             /    |   \
           ws1   ws2  ws3
            
-- 
---<GRiP>--- 
Web: www.arcadia.au.com/gripz 
Answering Machine/fax: 02 4950 1194 (wait 5 mins if no answer)
Mobile: 0408 686 201
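As an added illustration (this is not code from any of the posters), the following script shows what "forcing" the proxy looks like once the Linux/Squid box is the in-line router of the last diagram. It is an iptables translation of Glen's access-list: a transparent redirect of LAN port-80 traffic into Squid plus a forward rule that refuses direct port-80 access, and a second, stricter policy that forwards nothing at all, so every protocol must go through a proxy or forwarder on the box. Interface names, the Squid port and the LAN range are assumptions (192.168.0.0/24 is the DHCP range from Richard's question); the script prints the rules by default and only applies them when run with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for the last diagram,
# where the Linux/Squid box sits between the hub and the internet.

LAN_IF="${LAN_IF:-eth1}"              # assumption: NIC facing the hub
WAN_IF="${WAN_IF:-eth0}"              # assumption: NIC facing the cable modem
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # DHCP range named in the original question
SQUID_PORT="${SQUID_PORT:-3128}"      # assumption: Squid's default http_port
IPT="${IPT:-echo iptables}"           # dry run by default; IPT=iptables applies

# Glen's access-list in netfilter terms: workstations cannot reach port 80
# directly, but everything else is still forwarded. Squid runs on the router
# itself, so its own outbound connections go through OUTPUT, not FORWARD, and
# are untouched by these rules.
force_proxy_rules() {
    # Transparent mode: hand LAN port-80 connections to the local Squid before
    # routing, so visitors need no proxy settings at all.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # Belt and braces: should the redirect ever be missing, nothing from the
    # LAN is forwarded to port 80 directly.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 80 -j REJECT
}

# Glen's "super-sure" variant: forward nothing, so web, DNS and mail all have
# to pass through services running on this box. The REJECT rule gives clients
# an immediate error instead of a timeout; the DROP policy is the backstop.
strict_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -j REJECT
}

# Emit (or apply, with IPT=iptables) the rules for the chosen policy.
show_policy() {
    case "$1" in
        force-proxy) force_proxy_rules ;;
        strict)      strict_rules ;;
        *) echo "usage: show_policy force-proxy|strict" >&2; return 1 ;;
    esac
}

show_policy "${1:-force-proxy}"
```

Two caveats a practitioner would want: the redirect only catches TCP port 80, so HTTPS and web servers on odd ports still pass in the force-proxy policy, which is exactly the gap Glen describes and the strict policy closes; and Squid must be told to accept intercepted connections (the `transparent` or `intercept` option on `http_port`, depending on the Squid version). The kernel patch mentioned for WCCP is not needed for this REDIRECT-based setup on any netfilter-era kernel.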