Hey again Steve,
If you get REALLY stuck, grab a 486 / low-end Pentium, and simply run
Junkbuster on that - that way you can get away with stuff all in expenses,
and all you have to do is redirect requests to the Junkbuster/486, and only
allow access to Squid from the jb/486 machine? Considering all it will be
doing is acting as a data pump, you could quite easily get away with it -
worst case is that you'll have to get a P100 or something =]
Zak
> > What if you made Squid run on a different port? i.e. you could
> > have it so that it's set for 58347 (etc) and Junkbuster talks to that -
> > alternatively - add a line to /etc/hosts.deny, denying all access to
> > port 3128, except for localhost?
>
> The problem with the first solution is that there's still port
> <whatever> available for a wily user to attach to and get unfiltered
> access to the 'net. Making it a different port doesn't do much except
> stop a person from reading Squid docs to find out where it listens
> normally.
>
> The problem with the second idea is that Squid doesn't run through
> tcp_wrappers, so it ignores /etc/hosts.*. Running it through
> tcp_wrappers is NOT an option -- the performance hit would be horrible,
> I'd imagine...
>
> Thanks for the ideas, though. I _think_ I remember seeing a
> configuration option in squid.conf to limit who it listens to. Since
> all accesses should be from localhost, I think I can deny cache use to
> anything else. I'll give it a try and send my results to the list.
>
> --
> Steve Philp
>
>
> > ----- Original Message -----
> > From: Steve Philp <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, August 05, 1999 8:13 AM
> > Subject: [expert] Configuring Squid
> >
> > > Hello all!
> > >
> > > I'm having a problem that maybe someone here can help me with...
> > >
> > > I've set up a proxy server running Junkbuster and Squid for Internet
> > > access from our corporate network.
> > >
> > > Direct Internet access is forbidden by the router, allowing only
> > > traffic which comes from the proxy server. Clients are expected to
> > > talk to the Junkbuster proxy in order to reach the Internet (this
> > > allows us to filter and block extremely easily). The Junkbuster
> > > proxy talks to the Squid proxy to cache all requests.
> > >
> > > All of this is working fine, and I'm extremely happy with the "useless
> > > box in the closet" as it was known prior to its new Linux life.
> > >
> > > Our problem comes here:
> > >
> > > _IF_ our clients leave the proxy configured as we set it, they talk to
> > > Junkbuster and get filtered access to the net. However, they _could_
> > > change the port from 8000 to 3128 and talk to Squid instead, yielding
> > > unfiltered access.
> > >
> > > Does anyone know of a way to limit Squid so that it will only talk to
> > > Junkbuster? I'd like to simply throw an error page if someone tries
> > > to talk to Squid directly.
> > >
> > > Any hints would be extremely appreciated!
> > >
> > > --
> > > Steve Philp
> > > Network Administrator
> > > Advance Packaging Corporation
> > > [EMAIL PROTECTED]
> > >
>
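
An added example, not part of the thread: a small Python check that evaluates Squid's `acl ... src` and `http_access` rules (first matching rule wins; if nothing matches, the opposite of the last rule applies) to confirm which clients can reach the cache directly. It handles only `src` ACLs, and the three configurations and all addresses are constructed for illustration.

```python
import ipaddress

def parse(conf):
    """Collect `acl NAME src ...` networks and the ordered http_access rules."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}  # assumed built in, as on current Squid
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(t, strict=False) for t in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access" and tok[1] in ("allow", "deny"):
            rules.append((tok[1], tok[2:]))
    return acls, rules

def matches(name, client, acls):
    """One ACL reference on an http_access line; a leading '!' negates it."""
    negate = name.startswith("!")
    hit = any(client in net for net in acls.get(name.lstrip("!"), []))
    return hit != negate

def allowed(conf, client_ip):
    """True if Squid would serve client_ip under this configuration."""
    acls, rules = parse(conf)
    client = ipaddress.ip_address(client_ip)
    for action, names in rules:
        if all(matches(n, client, acls) for n in names):  # ACLs on one line are ANDed
            return action == "allow"
    # No rule matched: Squid applies the opposite of the last rule's action.
    return bool(rules) and rules[-1][0] == "deny"

# Constructed sample: the whole LAN may use the cache, so port 3128 bypasses the filter.
OPEN = """
acl lan src 192.168.1.0/24
http_access allow lan
http_access deny all
"""
# Constructed sample: Junkbuster and Squid on one box, cache limited to localhost.
LOCAL_ONLY = """
acl junkbuster src 127.0.0.1/32
http_access allow junkbuster
http_access deny all
"""
# Constructed sample: Junkbuster on its own machine (192.168.1.5 is a made-up address).
SEPARATE_BOX = """
acl junkbuster src 192.168.1.5/32
http_access allow junkbuster
http_access deny all
"""
```
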