>....... I can do direct proxying if I specify the proxy server on a machine, >this works. But it will be tedious to upgrade all desktops to do this >and not to mention complaints if someone tampers with it or why this >needs to be done or new machines being added....... I understand your problem. In case you don't get transparency working, here is a workaround that I use. On your bastion router, set ipgate=off, i.e. leave no route between the secure and non-secure NICs. Packets cross the gap only if Squid hands them across. Then, proxy setup is just part of setting up a workstation, and if users alter the settings then they cannot browse the web. If you need other internet services you will need proxies for them too.
John Sutherland Phone & Fax +61 2 4683 1511 9 Meryla Street, Couridjah NSW 2571 Australia
