See
http://contentfilter.futuragts.com/wiki/index.php?title=Preventing_Skipping_Around
(future DansGuardian users might also read 
http://contentfilter.futuragts.com/wiki/index.php?title=Two_Configuration_Families).


Probably the best way to add DansGuardian to an
existing transparent Squid setup is to change the port
number on the redirect but _not_ add any new Shorewall
rules. Make the connection between DansGuardian and
Squid not with additional Shorewall rules but rather
by tweaking the Squid configuration to only listen on
127.0.0.1. 

IMHO it's all too easy to accidentally use additional
rules in Shorewall to produce a system that works  
..._but_ allows users to skip the DansGuardian part
and connect directly to the Squid part. At first this
won't matter. But as you use DansGuardian more and
more heavily (and even migrate existing restrictions
into it so they're all in one place for easier
maintenance), you'll wonder why your filter is
enforcing so few restrictions. 

Also, as someone else has pointed out, it's not
possible to filter https: in a transparent-intercept
configuration either without or with DansGuardian.
Rerouting https: traffic into DansGuardian in a
transparent-intercept system will just break things. 

thanks!

-Chuck Kollars
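
An added example, not part of the original message: a small check that every `http_port` directive in a squid.conf binds to a loopback address only, so that clients cannot connect to Squid directly and skip DansGuardian. The sample configurations, addresses and port numbers are constructed for illustration.

```python
import ipaddress

def http_port_bindings(squid_conf_text):
    """Yield (line number, host or None, port) for each http_port directive."""
    for lineno, raw in enumerate(squid_conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(fields) < 2 or fields[0] != "http_port":
            continue
        host, sep, port = fields[1].rpartition(":")
        if not sep:
            host = None                            # bare port, e.g. "http_port 3128"
        else:
            host = host.strip("[]")                # IPv6 literal, e.g. "[::1]:3128"
        yield lineno, host, port

def is_loopback(host):
    """True only when the listener is bound to a loopback address."""
    if host is None:
        return False                               # no address means all interfaces
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                               # other hostnames: treat as exposed

def exposed_listeners(squid_conf_text):
    """Return the http_port listeners a client could reach without DansGuardian."""
    return [(n, h or "*", p)
            for n, h, p in http_port_bindings(squid_conf_text)
            if not is_loopback(h)]

# Constructed sample: Squid reachable from the LAN, so the filter can be skipped.
EXPOSED_CONF = ("# constructed sample\n"
                "http_port 3128 transparent\n"
                "http_port 192.168.1.1:8081\n")

# Constructed sample: Squid reachable only from DansGuardian on the same host.
LOCAL_CONF = ("http_port 127.0.0.1:3128  # loopback only\n"
              "http_port [::1]:3128\n")

if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("local", LOCAL_CONF)):
        print(label, exposed_listeners(conf) or "OK: loopback only")
```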


      
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
