Zak McKracken wrote:
>
> Hey Steve,
>
> What if you made squid run on a different port? i.e. you could
> have it so that it's set for 58347 (etc) and junkbuster talks to that -
> alternatively - add a line to /etc/hosts.deny, denying all access to
> port 3128, except for local host?

The problem with the first solution is that there's still port
<whatever> available for a wily user to attach to and get unfiltered
access to the 'net. Making it a different port doesn't do much except
stop a person from reading Squid docs to find out where it listens
normally.

The problem with the second idea is that Squid doesn't run through
tcp_wrappers, so it ignores /etc/hosts.*. Running it through
tcp_wrappers is NOT an option -- the performance hit would be horrible,
I'd imagine...

Thanks for the ideas, though. I _think_ I remember seeing a
configuration option in squid.conf to limit who it listens to. Since
all accesses should be from localhost, I think I can deny cache use to
anything else. I'll give it a try and send my results to the list.
--
Steve Philp
> ----- Original Message -----
> From: Steve Philp <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, August 05, 1999 8:13 AM
> Subject: [expert] Configuring Squid
>
> > Hello all!
> >
> > I'm having a problem that maybe someone here can help me with...
> >
> > I've set up a proxy server running Junkbuster and Squid for Internet
> > access from our corporate network.
> >
> > Direct Internet access is forbidden by the router, allowing only traffic
> > which comes from the proxy server. Clients are expected to talk to the
> > Junkbuster proxy in order to reach the Internet (this allows us to
> > filter and block extremely easily). The Junkbuster proxy talks to the
> > Squid proxy to cache all requests.
> >
> > All of this is working fine, and I'm extremely happy with the "useless
> > box in the closet" as it was known prior to its new Linux life.
> >
> > Our problem comes here:
> >
> > _IF_ our clients leave the proxy configured as we set it, they talk to
> > Junkbuster and get filtered access to the net. However, they _could_
> > change the port from 8000 to 3128 and talk to Squid instead, yielding
> > unfiltered access.
> >
> > Does anyone know of a way to limit Squid so that it will only talk to
> > Junkbuster? I'd like to simply throw an error page if someone tries to
> > talk to Squid directly.
> >
> > Any hints would be extremely appreciated!
> >
> > --
> > Steve Philp
> > Network Administrator
> > Advance Packaging Corporation
> > [EMAIL PROTECTED]
> >
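A squid.conf fragment that does what Steve is after, added here as an example and not taken from the thread or from the Squid project's own documentation. It assumes Junkbuster and Squid run on the same box and that Junkbuster reaches Squid over the loopback interface.

```conf
# Added example: restrict Squid so that only the local Junkbuster
# process can use it. Assumes Junkbuster and Squid share one host and
# Junkbuster forwards to Squid on 127.0.0.1.

# Bind the listener to loopback so workstations cannot even open a
# connection to port 3128. (Assumption: the installed Squid accepts an
# address in http_port; if it does not, keep "http_port 3128" and rely
# on the ACLs below, which are enough on their own.)
http_port 127.0.0.1:3128

# Name the sources we care about. "all" is the catch-all used by the
# final deny rule; "localhost" is the only source allowed to use the cache.
acl all       src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255

# Order matters: the first matching http_access line wins. Requests
# arriving via Junkbuster (from 127.0.0.1) are allowed; a browser pointed
# straight at port 3128 from any other address gets Squid's
# access-denied error page instead of an unfiltered connection.
http_access allow localhost
http_access deny  all
```

After editing, `squid -k reconfigure` reloads the rules; confirm the change by pointing a browser on another workstation at port 3128 and checking that it gets the access-denied page rather than the 'net.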