Assuming the requirement doesn't get withdrawn (it's a pretty evil one; I
haven't seen any company, large or small, attempt to do that), then the
least-pain way to implement it is probably with a proxy, just because you
probably don't want to be managing that large and changeable a packet filter
rule base.

I have trouble picturing a setting where I'd implement something like this
rather than just leaving, but that aside, I'd probably vote for running an
HTTP proxy on the firewall. Squid is well-loved and used by many; it might
make a good starting point. There are other HTTP proxies, of course.

If you can reconfigure all your clients to explicitly name your firewall as
their proxy host (this is supported by every web browser I know of today), then
you're done; it's that easy. If you can't, then you can still weasel around
and use a proxy with the Transparent Proxy stuff in ipchains. I haven't done
that myself, but the docs claim that it's possible. It's even supposed to be
easy :-). That hacks by having the kernel (in the ipchains bits) snaggle all
packets sent for e.g. port 80 anywhere out there in the big world, and shove
'em all into the local proxy. To work, it requires that the local proxy somehow
pick up on the various intended destination ports for all these packets.

-Bennett


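The post's last point, that a transparently-proxied HTTP request no longer tells the proxy where it was going, is the part people trip over, so here is an added example (written for this page, not code from Bennett's post, from Squid or from ipchains) of the proxy-side logic that resolves the real target in both modes. With an explicit proxy the browser sends an absolute URI in the request line, so the target is right there. With a kernel redirect such as `ipchains -A input -p tcp -s 192.168.1.0/24 -d 0/0 80 -j REDIRECT 3128` the browser believes it is talking to the origin server, sends only a path, and the proxy has to fall back to the Host header and, for Host-less HTTP/1.0 clients, to the original destination address. The assumption (stated as one) is that the kernel's transparent-proxy support preserves that original destination so the proxy can read it with `getsockname()` on the accepted socket; the hostnames, addresses and request bytes below are constructed sample input, not captured traffic.

```python
"""Resolve the intended destination of a proxied HTTP request.

Added example, not from the original post or any proxy project. It handles
the two situations the post describes: explicit proxying (absolute URI in the
request line) and transparent proxying (kernel redirect, path-only request
line), including the HTTP/1.0 no-Host-header case where the original
destination address is the only thing left to go on.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    path: str
    mode: str  # "explicit", "transparent-host" or "transparent-origdst"


def parse_request_head(raw: bytes):
    """Split an HTTP request head into (method, uri, version, headers).

    Header names are lower-cased; HTTP header names are case-insensitive.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, version, headers


def split_hostport(hostport: str, default_port: int = 80):
    host, _, port = hostport.partition(":")
    return host, (int(port) if port else default_port)


def original_destination(conn):
    """Original (ip, port) of a redirected connection.

    Assumption: with the kernel's transparent-proxy redirect in place,
    getsockname() on the accepted socket reports the address the client
    actually dialled rather than the proxy's own listening address.
    """
    ip, port = conn.getsockname()[:2]
    return ip, port


def resolve_target(raw: bytes, original_dst) -> Target:
    """original_dst is the (ip, port) tuple from original_destination()."""
    method, uri, version, headers = parse_request_head(raw)
    if method == "CONNECT":
        raise ValueError("CONNECT tunnelling is out of scope for this example")
    if uri.lower().startswith("http://"):
        # Explicit proxy: the browser was told the firewall is its proxy host,
        # so the request line carries the whole URL.
        parts = urlsplit(uri)
        host, port = split_hostport(parts.netloc)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        return Target(host, port, path, "explicit")
    if not uri.startswith("/"):
        raise ValueError(f"unparseable request-URI: {uri!r}")
    # Transparent: the kernel shoved the packets at us and the browser thinks
    # it reached the origin server, so only the path is present.
    if "host" in headers:
        host, port = split_hostport(headers["host"], original_dst[1])
        return Target(host, port, uri, "transparent-host")
    # HTTP/1.0 client with no Host header: the original destination is all
    # the proxy has left to identify the server the client wanted.
    return Target(original_dst[0], original_dst[1], uri, "transparent-origdst")


def rewrite_for_origin(raw: bytes, target: Target) -> bytes:
    """Produce the request the proxy forwards to target.host:target.port.

    Turns an absolute-URI request line back into origin form, guarantees a
    Host header, and strips proxy-only hop-by-hop headers.
    """
    method, _, version, headers = parse_request_head(raw)
    body = raw.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in raw else b""
    if "host" not in headers:
        headers["host"] = (target.host if target.port == 80
                           else f"{target.host}:{target.port}")
    for hop in ("proxy-connection", "proxy-authorization"):
        headers.pop(hop, None)
    lines = [f"{method} {target.path} {version}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + body


# Constructed sample requests (not captured traffic).
EXPLICIT_REQ = (b"GET http://www.example.com:8080/docs/index.html?x=1 HTTP/1.0\r\n"
                b"Proxy-Connection: Keep-Alive\r\nUser-Agent: test\r\n\r\n")
TRANSPARENT_REQ_11 = b"GET /docs/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRANSPARENT_REQ_10 = b"GET /index.html HTTP/1.0\r\n\r\n"
ORIG_DST = ("192.0.2.10", 80)  # what original_destination() would report (assumed)

if __name__ == "__main__":
    for req in (EXPLICIT_REQ, TRANSPARENT_REQ_11, TRANSPARENT_REQ_10):
        tgt = resolve_target(req, ORIG_DST)
        print(tgt)
        print(rewrite_for_origin(req, tgt).decode("iso-8859-1"))
```

Note where the hard case lives: HTTP/1.1 clients supply a Host header, so transparent mode mostly works from the request itself, but HTTP/1.0 clients without one leave the proxy with nothing but the original destination address, which is exactly why the kernel has to hand that address through to the proxy for the "easy" transparent setup to be usable at all.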