Zak McKracken wrote:
> 
> Hey again Steve,
> 
>     If you get REALLY stuck, grab a 486 / low end pentium, and simply run
> junk buster on that - that way you can get away with stuff all in expenses,
> and all you have to do is redirect requests to the junkbuster/486, and only
> allow access to squid from the jb/486 machine? considering all it will be
> doing is acting as a data pump, you could quite easily get away with it -
> worst case is that you'll have to get a p100 or something =]

I've taken the advice from Bug Hunter in a previous mail and modified
the configuration of Squid to only accept requests from localhost.  So,
that little problem is out of the way.

Thanks for the 486 idea though!  We've got a pile of them sitting in the
corner just WAITING for a use... Linux might be their salvation.  Maybe
a nice closet cluster?  :)



> > >     What if you made squid run on a different port? i.e. you could
> > > have it so that it's set for 58347 (etc) and junkbuster talks to that -
> > > alternatively - add a line to /etc/hosts.deny, denying all access to
> > > port 3128, except for local host?
> >
> > The problem with the first solution is that there's still port
> > <whatever> available for a wily user to attach to and get unfiltered
> > access to the 'net.  Making it a different port doesn't do much except
> > stop a person from reading Squid docs to find out where it listens
> > normally.
> >
> > The problem with the second idea is that Squid doesn't run through
> > tcp_wrappers, so it ignores /etc/hosts.*.  Running it through
> > tcp_wrappers is NOT an option -- the performance hit would be horrible,
> > I'd imagine...
> >
> > Thanks for the ideas, though.  I _think_ I remember seeing a
> > configuration option in squid.conf to limit who it listens to.  Since
> > all accesses should be from localhost, I think I can deny cache use to
> > anything else.  I'll give it a try and send my results to the list.
> >
> > --
> > Steve Philp
> >
> >
> > > ----- Original Message -----
> > > From: Steve Philp <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Thursday, August 05, 1999 8:13 AM
> > > Subject: [expert] Configuring Squid
> > >
> > > > Hello all!
> > > >
> > > > I'm having a problem that maybe someone here can help me with...
> > > >
> > > > I've set up a proxy server running Junkbuster and Squid for Internet
> > > > access from our corporate network.
> > > >
> > > > Direct Internet access is forbidden by the router, allowing only traffic
> > > > which comes from the proxy server.  Clients are expected to talk to the
> > > > Junkbuster proxy in order to reach the Internet (this allows us to
> > > > filter and block extremely easily).  The Junkbuster proxy talks to the
> > > > Squid proxy to cache all requests.
> > > >
> > > > All of this is working fine, and I'm extremely happy with the "useless
> > > > box in the closet" as it was known prior to its new Linux life.
> > > >
> > > > Our problem comes here:
> > > >
> > > > _IF_ our clients leave the proxy configured as we set it, they talk to
> > > > Junkbuster and get filtered access to the net.  However, they _could_
> > > > change the port from 8000 to 3128 and talk to Squid instead, yielding
> > > > unfiltered access.
> > > >
> > > > Does anyone know of a way to limit Squid so that it will only talk to
> > > > Junkbuster?  I'd like to simply throw an error page if someone tries to
> > > > talk to Squid directly.
> > > >
> > > > Any hints would be extremely appreciated!
> > > >
> > > > --
> > > > Steve Philp
> > > > Network Administrator
> > > > Advance Packaging Corporation
> > > > [EMAIL PROTECTED]
> > > >
> >
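
The restriction described in this thread (Squid serving only localhost, so clients have to go through Junkbuster on port 8000) can be checked offline by evaluating a squid.conf's `src` ACLs and `http_access` rules against a client address. This is an added example, not part of the thread or of Squid itself; both configurations and the client addresses are constructed, and only `src` ACLs are modelled.

```python
import ipaddress

# Constructed sample: Squid answers only the local Junkbuster (localhost).
LOCAL_ONLY = """\
http_port 3128
acl all src 0.0.0.0/0          # defined explicitly, as older squid.conf files did
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access deny all
"""

# Constructed sample of the problem case: any client may use port 3128 directly.
OPEN_TO_LAN = """\
acl all src 0.0.0.0/0
http_access allow all
"""

def parse(conf):
    """Return ({acl name: [networks]}, [(action, [acl names])]) for src ACLs."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(t, strict=False) for t in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access" and tok[1] in ("allow", "deny"):
            rules.append((tok[1], tok[2:]))
    return acls, rules

def allowed(conf, client_ip):
    """Would Squid serve a request from client_ip under this configuration?"""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)

    def matches(name):
        nets = acls[name.lstrip("!")]  # KeyError: ACL type not modelled here
        hit = any(ip in net for net in nets)
        return not hit if name.startswith("!") else hit

    for action, names in rules:
        # A rule applies only if every ACL on the line matches; first hit wins.
        if all(matches(n) for n in names):
            return action == "allow"
    # Nothing matched: Squid applies the opposite of the last rule (deny if none).
    return bool(rules) and rules[-1][0] == "deny"

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.1.50"):  # constructed client addresses
        print(ip, allowed(LOCAL_ONLY, ip), allowed(OPEN_TO_LAN, ip))
```

The fall-through case is the one to watch: a file whose only rule is `http_access deny !localhost` still lets localhost in, because an unmatched request gets the opposite of the last rule.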
