On Wed, 20 Feb 2002, Matthew Palmer wrote:
> On Wed, 20 Feb 2002, Richard Hayes wrote:
>
> > An organisation has public access terminals connected to a Telstra cable
> > connection. They use a Netgear router that allocates a 192.168.0.x DHCP
> > address on every client login.
> >
> > There is no filtering on the services.
> >
> > Using Squidguard (or similar) how can you enforce using the proxy?
>
> You can't. Unless you can stop connections to port 80 to addresses outside
> the local network, people can just connect to wherever they please.
>
> Get rid of the Netgear router, and put a Linux firewall/router/DHCP server
> in there instead. If you're really squeezed for machines (can't afford a
> 486?) then put the Squidguard machine in as the router.
But surely blocking outgoing port 80 is pretty much the requirement?
eg:
interface Telstra0
 ip access-group FORCE-PROXY out
!
ip access-list extended FORCE-PROXY
 ! only the proxy itself may fetch web pages from outside (substitute its address)
 permit tcp host web-proxy.example.com any eq 80
 ! everyone else's direct web connections are refused
 deny   tcp any any eq 80
 permit ip any any
Then people have to configure a proxy to get web access.
People can still run web traffic over other ports in this
scenario. So if you want to be super-sure then deny
all outgoing traffic and proxy all application protocols
through the web proxy machine (eg: have a DNS and e-mail
forwarder).
This isn't particularly nice, as visitors need to configure
their machines. See if Netgear support WCCP and set
up a transparent proxy. With a kernel patch you can
configure Squid on Linux to be a WCCP transparent web proxy
server.
Regards,
Glen
--
Glen Turner Network Engineer
(08) 8303 3936 Australian Academic and Research Network
http://www.aarnet.edu.au/
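The Linux router alternative raised in this thread (Matthew's firewall/router box, Glen's transparent proxy and "deny all outgoing" variant), as an added example that is not part of the original posts: a script that emits the iptables rules for a Linux box standing in for the Netgear router. It assumes clients on eth1 in 192.168.0.0/24, the Telstra cable uplink on eth0, and Squid on the router listening in transparent mode on port 3128; all of these names and values are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread.  Emits iptables rules for a Linux router
# standing in for the Netgear box.  Assumed layout: LAN clients on $1 inside
# network $3, cable uplink on $2, Squid on this router listening on $4 in
# transparent (interception) mode.  Optional $5 = strict: forward nothing else,
# so DNS and mail must be handled by forwarders on the router, as Glen suggests.
# Rules are printed rather than applied; review them, then pipe into sh as root.
force_proxy_rules() {
    lan_if=$1
    wan_if=$2
    lan_net=$3
    squid_port=$4
    mode=${5:-open}
    cat <<EOF
# Share the single cable address with the LAN (what the Netgear box did).
iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
# Hand every LAN web request to Squid before routing: visitors need no settings.
iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $squid_port
# Anything that still tries to reach port 80 on the uplink directly is refused.
# Squid's own fetches originate on the router (OUTPUT chain), so they pass.
iptables -A FORWARD -i $lan_if -o $wan_if -p tcp --dport 80 -j REJECT --reject-with tcp-reset
# Replies to permitted LAN connections may come back in.
iptables -A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ "$mode" = strict ]; then
        cat <<EOF
# strict: nothing else leaves the LAN; other protocols go via services on the router.
iptables -A FORWARD -i $lan_if -o $wan_if -j DROP
EOF
    else
        cat <<EOF
# open: other ports still go out, so web traffic on non-80 ports escapes the proxy.
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
EOF
    fi
    # Default-deny for anything the rules above did not accept.
    echo "iptables -P FORWARD DROP"
}

# Usage: sh force_proxy_rules.sh LAN_IF WAN_IF LAN_NET SQUID_PORT [strict] | sh
if [ $# -ge 4 ]; then
    force_proxy_rules "$@"
fi
```

Squid itself still has to be configured for interception so that it accepts the redirected requests; the open mode keeps Glen's caveat that only port 80 is forced through the proxy.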
--
The revolution will not be televised, it will be digitised
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug