On Thu, 21 Feb 2002, Glen Turner wrote:
> On Wed, 20 Feb 2002, Matthew Palmer wrote:
>
> > On Wed, 20 Feb 2002, Richard Hayes wrote:
> >
> > > An organisation has public access terminals connected to a Telstra cable
> > > connection. They use a Netgear router that allocates a 192.168.0.x DHCP
> > > address on every client login.
> > >
> > > There is no filtering on the services.
> > >
> > > Using Squidguard (or similar) how can you enforce using the proxy?
> >
> > You can't. Unless you can stop connections to port 80 to addresses outside
> > the local network, people can just connect to wherever they please.
> >
> > Get rid of the Netgear router, and put a Linux firewall/router/DHCP server
> > in there instead. If you're really squeezed for machines (can't afford a
> > 486?) then put the Squidguard machine in as the router.
>
> But surely blocking outgoing port 80 is pretty much the requirement?
>
> eg:
> interface Telstra0
> access-group FORCE-PROXY out
>
> access-list FORCE-PROXY tcp permit eq 80 host web-proxy.example.com
> access-list FORCE-PROXY tcp deny eq http any
> access-list FORCE-PROXY ip permit any
>
> Then people have to configure a proxy to get web access.
>
> People can still run web traffic over other ports in this
> scenario. So if you want to be super-sure then deny
> all outgoing traffic and proxy all application protocols
> through the web proxy machine (eg: have a DNS and e-mail
> forwarder).
>
> This isn't particularly nice, as visitors need to configure
> their machines. See if Netgear support WCCP and set
> up a transparent proxy. With a kernel patch you can
> configure Squid on Linux to be a WCCP transparent web proxy
> server.
Think you're missing the point to some extent.

    internet---[netgear-router]
                     |
                 ____|____
                [___hub___]-------[linux / squid]
                 |   |   |
                /    |    \
              ws1   ws2   ws3

In this setup above there's nothing *FORCING* the workstations to go
through the squid proxy.

    internet---[netgear-router]
                     |
              [linux / squid]
                     |
                 ____|____
                [___hub___]
                 |   |   |
                /    |    \
              ws1   ws2   ws3

The above setup makes it possible with the same equipment, but then the
setup below is just a lot simpler and more flexible, which is why there are
so many Netgears on eBay, one presumes.

    internet---[linux / squid]
                     |
                 ____|____
                [___hub___]
                 |   |   |
                /    |    \
              ws1   ws2   ws3

--
---<GRiP>---
Web: www.arcadia.au.com/gripz
Answering Machine/fax: 02 4950 1194 (wait 5 mins if no answer)
Mobile: 0408 686 201

--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
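The two ideas in this thread, Glen's FORCE-PROXY access list (refuse direct port 80 from the LAN, permit the proxy) and GRiP's third diagram (the Linux/Squid box is the router, so it can intercept web traffic without anyone configuring a browser), translate directly into netfilter rules on that box. The script below is an added example written for this page, not code from any of the posters; the interface names, the 192.168.0.0/24 range and the Squid port are placeholders, and it assumes Squid itself has been set up for interception (on current Squid that is `http_port 3128 intercept`; the kernel patch Glen mentions was the 2002-era route to the same thing). Run it with DRY_RUN=1 to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the SLUG thread: iptables policy for a Linux router
# that forces workstation web traffic through a local Squid.
#
# Placeholders (assumptions, adjust for your network):
#   LAN_IF     interface facing the hub/workstations
#   WAN_IF     interface facing the Telstra cable modem
#   LAN_NET    DHCP range handed to the public terminals
#   SQUID_PORT port Squid listens on, configured for interception
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Wrapper so DRY_RUN=1 prints each rule instead of loading it (no root needed).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo iptables "$@"
    else
        iptables "$@"
    fi
}

force_proxy_rules() {
    # NAT the LAN behind the single public address (the box is the router).
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # Transparent proxy: before routing, steer workstation -> port 80 into
    # Squid on this host. Visitors need no browser configuration.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # Glen's "deny eq http any": anything that still tries to leave directly
    # on port 80 (e.g. if the REDIRECT rule is ever removed) is refused.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 80 -j REJECT

    # Glen's "ip permit any": everything else from the LAN is forwarded, and
    # replies are let back in. As he notes, web traffic on other ports still
    # gets out; swap the ACCEPT for a default DROP plus explicit permits if
    # that matters to you.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Sanity check: how many rules in the policy touch port 80 (expect 2:
# the REDIRECT into Squid and the REJECT of direct traffic).
count_port80_rules() {
    DRY_RUN=1 force_proxy_rules | grep -c -- '--dport 80'
}

# Only load rules when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "apply" ]; then
    force_proxy_rules
fi
```

Review the output of `DRY_RUN=1 sh force-proxy.sh apply` first, then run it as root without DRY_RUN on the box in the third diagram. The REJECT in FORWARD is the part that matters for enforcement: the REDIRECT makes the proxy invisible to users, but the filter is what stops a client that bypasses it, which is exactly Matthew's point that you cannot enforce a proxy without the ability to block direct port 80.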