On Thu, 21 Feb 2002, Glen Turner wrote:
> On Wed, 20 Feb 2002, Matthew Palmer wrote:
>
> > On Wed, 20 Feb 2002, Richard Hayes wrote:
> >
> > > A organisation has public access terminals connected to a Telstra cable
> > > connection. They use a Netgear router that allocates a 192.168.0.x DHCP
> > > address on every client login.
> > >
> > > There is no filtering on the services.
> > >
> > > Using Squidguard (or similar) how can you enforce using the proxy?
> >
> > You can't. Unless you can stop connections to port 80 to addresses outside
> > the local network, people can just connect to wherever they please.
> >
> > Get rid of the Netgear router, and put a Linux firewall/router/DHCP server
> > in there instead. If you're really squeezed for machines (can't afford a
> > 486?) then put the Squidguard machine in as the router.
>
> But surely blocking outgoing port 80 is pretty much the requirement?
>
> eg (Cisco IOS syntax):
> interface Telstra0
>  ip access-group FORCE-PROXY out
>
> ip access-list extended FORCE-PROXY
>  ! web-proxy.example.com stands for the proxy's address; IOS wants an IP here
>  permit tcp host web-proxy.example.com any eq www
>  deny   tcp any any eq www
>  permit ip any any
>
> Then people have to configure a proxy to get web access.
>
> People can still run web traffic over other ports in this
> scenario. So if you want to be super-sure then deny
> all outgoing traffic and proxy all application protocols
> through the web proxy machine (eg: have a DNS and e-mail
> forwarder).
>
> This isn't particularly nice, as visitors need to configure
> their machines. See if Netgear support WCCP and set
> up a transparent proxy. With a kernel patch you can
> configure Squid on Linux to be a WCCP transparent web proxy
> server.
Think you're missing the point to some extent.
internet---[netgear-router]
                  |
              ____|____
             [___hub___]-------[linux / squid]
               |  |  |
              /   |   \
            ws1  ws2  ws3
In this setup above there's nothing *FORCING* the workstations to go
through the squid proxy.
internet---[netgear-router]
                  |
           [linux / squid]
                  |
              ____|____
             [___hub___]
               |  |  |
              /   |   \
            ws1  ws2  ws3
The above setup makes it possible with the same equipment, but then the
setup below is just a lot simpler and more flexible, which is why there are
so many Netgears on eBay, one presumes.
internet---[linux / squid]
                  |
              ____|____
             [___hub___]
               |  |  |
              /   |   \
            ws1  ws2  ws3
--
---<GRiP>---
Web: www.arcadia.au.com/gripz
Answering Machine/fax: 02 4950 1194 (wait 5 mins if no answer)
Mobile: 0408 686 201
--
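[Editor's note: the ruleset below is an added example and is not code from anyone in this thread. It implements the last diagram, where the Linux/Squid box is itself the router, combining Glen's "deny all outgoing" idea with the transparent proxy he mentions, on Linux netfilter rather than Cisco ACLs. The interface names eth0/eth1, the Squid port 3128 and the use of REJECT are assumptions; the 192.168.0.0/24 range is the one from Richard's original post.]

```shell
#!/bin/sh
# Added example, not code from the thread: a netfilter ruleset for the last
# diagram, where the Linux/Squid box itself routes between the hub and the
# cable connection. Interface names, the Squid port and REJECT-vs-DROP are
# assumptions; 192.168.0.0/24 is the DHCP range from the original post.
#
# Squid must also be told to accept intercepted connections:
#   http_port 3128 intercept        (current Squid)
# On the Squid 2 of the time this was done with the httpd_accel_* options,
# which is the kernel-patch transparent-proxy setup Glen refers to.

WAN=${WAN:-eth0}                     # assumed: interface facing the cable modem
LAN=${LAN:-eth1}                     # assumed: interface facing the hub
LAN_NET=${LAN_NET:-192.168.0.0/24}   # DHCP range from the original post
SQUID_PORT=${SQUID_PORT:-3128}       # assumed: Squid's listening port

# Every rule passes through ipt so that DRY_RUN=1 prints the commands
# instead of running them (applying them for real needs root and iptables).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

force_proxy_rules() {
    # Start from a clean slate in the two chains this script owns.
    ipt -F FORWARD
    ipt -t nat -F PREROUTING

    # Default-deny forwarding: nothing from the hub is routed straight out to
    # the internet, the "deny all outgoing traffic" case from the thread.
    # Squid's own connections originate on this box (OUTPUT chain), so they
    # are unaffected, and no masquerading rule is needed because nothing is
    # forwarded. The state rule only matters for flows you later choose to permit.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Transparent proxy: web requests arriving from the LAN are redirected to
    # Squid before routing, so visitors need no proxy settings at all.
    ipt -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # A direct port-80 connection that somehow escapes the redirect gets a
    # reset rather than a silent drop, so the browser fails fast.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 80 -j REJECT --reject-with tcp-reset

    # The only services the LAN may reach are the ones this box provides:
    # the proxy itself, DHCP (this box replaces the Netgear as DHCP server),
    # and the DNS and mail forwarders Glen suggests.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    ipt -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 25 -j ACCEPT
}

# Usage: sh force-proxy.sh show   (print the rules)
#        sh force-proxy.sh apply  (install them, as root)
case "${1:-}" in
    show)  DRY_RUN=1; force_proxy_rules ;;
    apply) force_proxy_rules ;;
esac
```

Note that HTTPS (port 443) is simply denied here along with everything else; a transparent REDIRECT cannot proxy it without breaking certificates, so if visitors need HTTPS it has to go through Squid's CONNECT method, which again means configuring a proxy on the client, the caveat GRiP and Glen both raise.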
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug