Hello, I have set up Squid (2.54stable)+IPChains on a Debian 3.0 box. We previously had a setup wherein the switch used to forward all port 80 traffic to my Squid box and pass the rest of the traffic to the router. This setup used to prevent usage of external proxies like ezboard.com, proxy.netsetter.com etc. (to prevent access to mail and entertainment sites) since we have defined a policy in our content filter.
Now we have moved the Squid outside of the "zone" of the switch, and the direct effect is that people are able to bypass my proxy and use the external proxies by using the browser proxy settings. Instead of the switch selectively forwarding port 80 requests, the Squid box now acts like a "router". So now a traceroute to an external IP address (like google.com) goes like:

  1 172.16.1.1 (LAN router)
  2 172.16.1.10 (squid box)
  3 172.16.1.5 (router to internet)
  4 209.x.x.x (external IP's)
  5 202.x.x.x (external IP's)
  .. .. etc.

And before it used to be [port 80 requests forwarded to 172.16.1.10]:

  1 172.16.1.1 (LAN router)
  2 172.16.1.5 (router to internet)
  3 209.x.x.x (external IP's)
  4 202.x.x.x (external IP's)
  .. .. etc.

Now my question is, how do I prevent users from accessing any external proxy servers? When they use my proxy+content filter, they can't access mail sites, whereas now they are using external proxies to access the same. Unfortunately I can't revert back to the "switch" configuration and am stuck with this "router" configuration.

Can I set up a rule in IPChains to deny access to any "webserver" (i.e. proxy server) that doesn't originate from 172.16.1.10? (Dunno if that helps..). Is there any kind of ACL in Squid or firewall rule I can set up to counter this problem? I have googled around a bit and found that there is *no* way you can block access to external proxies (since the client directly contacts the proxy).

Any pointers, docs, links, RTFM-ing tips welcome......

--
Praveen Kannan.

_______________________________________________
linux-india-help mailing list
https://lists.sourceforge.net/lists/listinfo/linux-india-help
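
Added example, not part of the original message: a sketch of the kind of IPChains rule the question asks about, relying on the fact that packets the Squid box routes for clients traverse the `forward` chain while Squid's own outbound connections do not. The chain name `noproxy` and the list of directly reachable ports are assumptions; the script prints the rules for review and only runs them when called with `apply`.

```shell
#!/bin/sh
# Added example, not from the original message.
# Routed client packets traverse the ipchains "forward" chain; connections
# that Squid opens itself are locally generated and never enter it. Rules
# here therefore stop direct client connections without affecting Squid.

# Assumption: TCP ports clients may still reach directly (not in the post).
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 25 110}"
CHAIN="noproxy"   # hypothetical user-defined chain name (max 8 characters)

gen_rules() {
    # Build the chain completely before hooking it into "forward".
    echo "ipchains -N $CHAIN"
    # New connections (-y matches SYN) to approved ports fall back to the
    # existing forward rules via RETURN, so any MASQ rule there still applies.
    for port in $ALLOWED_TCP_PORTS; do
        echo "ipchains -A $CHAIN -p tcp -y -d 0.0.0.0/0 $port -j RETURN"
    done
    # Any other new TCP connection routed through this box is dropped and
    # logged (-l), whichever port the external proxy listens on.
    echo "ipchains -A $CHAIN -p tcp -y -j DENY -l"
    # Non-SYN packets fall off the end of the chain and continue in "forward".
    echo "ipchains -I forward 1 -j $CHAIN"
}

main() {
    if [ "${1:-}" = "apply" ]; then
        gen_rules | sh -e    # needs root; stops at the first failing rule
    else
        gen_rules            # default: print the rules for review
    fi
}

main "$@"
```

An allowlist is used rather than a list of blocked ports because an external proxy can listen on any port. The entries written by `-l` identify clients that still have a direct proxy configured in their browser.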
