I would guess from Terry's question that he hasn't realised the obvious flaw in his firewall (as Gareth suggested) - that port 80 should be blocked to every machine except the proxy server.
While Sascha's answer of transparent proxying is a good suggestion, I would suggest that it's not always the best solution. Two reasons: first, it requires more processing power at the firewall machine. Second, if transparent proxying breaks and port 80 is let out, then you may not find this out for some time. I have had this experience. When I worked for a school I discovered that the lovely people who set up the firewall and proxy servers had neglected to block port 80 to any machine but the proxy server at the firewall.
It was probably like that for months before I started there.
Michael.
At 08:28 p.m. 15/09/2003, you wrote:
RH9 presumably runs a 2.4 kernel, in which case I'd suggest running iptables rather than ipchains.
For an easy way to setup a firewall, have a look at firehol (http://firehol.sf.net). Firehol has a simple language, which you use to express the way you want your firewall to work. Then it goes off and generates the appropriate iptables ruleset.
But back to your question, you might use the following to make squid transparently proxy http traffic.
transparent_squid 8080 "squid root" inface eth0
All outgoing http traffic, except that generated by user squid or user root, and that is coming in over eth0, should be redirected to port 8080 where your squid proxy would be running.
Firehol is great for complicated firewalls; at work we have a 100-line firehol config, which generates a 500+ line iptables ruleset. Makes things a _lot_ easier to manage.
The only thing I don't use firehol for is TOS; I have a separate script that I run to load a handful of semi-complicated TOS rules into iptables after firehol does its thing.
On Mon, 2003-09-15 at 17:48, Terry Cole wrote:
> RH 9, running squid and Dan's Guardian.
>
> How to block port 80?
>
> Students are bypassing squid and getting straight out to the net.
>
> IPchains was set up originally, but has lost its settings and now does
> not want to work.
>
> Cheers
>
>
> Terry Cole
> Rotorua, New Zealand
> mailto:[EMAIL PROTECTED]
> mailto:[EMAIL PROTECTED]
> http://www.cole.gen.nz
> http://www.websnz.com
--
Sascha Beaumont <[EMAIL PROTECTED]>
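As an added example (not from anyone in this thread), here is the iptables equivalent of what the two replies describe put together: Sascha's transparent redirect to squid, plus Michael's point that port 80 must be blocked for everything except the proxy, so a broken redirect shows up as logged, rejected traffic rather than silently working. It assumes the RH9 box is both gateway and squid host, eth0 is the LAN side, eth1 the Internet side, squid listens on 8080 as user "squid", and PROXY_IP is an optional separate proxy host (all assumed names).

```shell
#!/bin/sh
# Added example, not the thread's own config. Assumed layout: this box is the
# gateway and runs squid; eth0 = LAN, eth1 = Internet. Dry run by default
# (prints the commands); set IPTABLES=iptables to apply them as root.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
SQUID_PORT=${SQUID_PORT:-8080}
SQUID_USER=${SQUID_USER:-squid}
PROXY_IP=${PROXY_IP:-}          # set only if squid runs on a separate LAN host
IPTABLES=${IPTABLES:-"echo iptables"}

http_egress_rules() {
    # 1. Transparent proxy: LAN traffic to port 80 is redirected to local squid
    #    (the iptables form of "transparent_squid 8080 ... inface eth0").
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # 2. If squid lives on another LAN host, that host alone may go out on 80.
    if [ -n "$PROXY_IP" ]; then
        $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 80 \
            -s "$PROXY_IP" -j ACCEPT
    fi
    # 3. Nothing else from the LAN is forwarded straight to port 80. Should the
    #    redirect ever stop working, bypass attempts are logged and rejected
    #    instead of quietly succeeding for months.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 80 \
        -j LOG --log-prefix "http-bypass: "
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 80 -j REJECT
    # 4. Locally generated port-80 traffic: only squid and root, the same
    #    exception the transparent_squid line makes.
    $IPTABLES -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 \
        -m owner --uid-owner "$SQUID_USER" -j ACCEPT
    $IPTABLES -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 \
        -m owner --uid-owner root -j ACCEPT
    $IPTABLES -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -j REJECT
}

http_egress_rules
```

Watching the kernel log for the "http-bypass:" prefix is the check Michael's school was missing: any hit means a client reached the firewall on port 80 without being redirected.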
