On Tue, 2003-07-22 at 10:50, Hamish McBrearty wrote:
> We've currently got a problem with girls bypassing our web filtering
> system and connecting directly to our proxy server, a backdoor
> deliberately left for certain applications. They are only able to do it
> from the boarding house where some of them have their own laptops. The
> boarding house is its own physical network, linked via a fibre optic cable
> to the rest of our network.
Piece of Pilsner - tell the proxy server to only accept connections from your web filtering machine, plus whatever other IPs you want. Squid would do it with a chunk like this:

    acl boardernet src 192.168.123.0/255.255.255.0
    acl servernet src 192.168.1.0/255.255.255.0
    acl contentfilterbypassallowed src 192.168.55.0/255.255.255.0
    http_access deny boardernet
    http_access allow servernet
    http_access allow contentfilterbypassallowed
    http_access deny all

If you're using MS Proxy you're screwed... there's no way to control access using MS Proxy - but I don't know about ICA server or whatever it evolved into.

> Changing anything in the server setup is not really practical as some
> applications need to talk directly to the proxy server and need to be hard
> coded to do so. However, I can place something between the boarding house
> network and the rest of the network. I was thinking an IP Cop firewall
> which will allow all traffic from the boarding house thru except port
> 8080. Will this work? Is there a better way of doing it?

Messy - but it would work. Do you need the complexity of another box? You could consider a dedicated squid box for the boarding house complete... the boarders bring in a lot of extra money, don't they? And spending some of it on their accommodation sounds reasonable. Are the boarders required to obey an acceptable use policy? Even if it's their own computers? What about a local server in the boarding house to separate the school network from the less-school related boarders? Of course, you'd have to call it a border-boarder firewall/router :)
