Re: Blocking access except through proxy

From: Clifton Royston <cliftonr@dont-contact.us>
Date: Sat, 20 Nov 1999 10:29:54 -1000

On Sat, Nov 20, 1999 at 03:23:00AM -0000, Jason Thompson wrote:
> Hi All,
>
> I am just wondering if anyone has implemented a system where port 80
> (i.e. WWW) is blocked to all clients, so they are forced to use the
> proxy server. Without using any type of transparent proxy?
 
  This is the recommended approach taken by a lot of large
corporations, so they can control Internet use on the job. Those using
it seem to find it works very well.
 
> All of the clients see the server as the default router as well as
> the proxy. What I want to do is use the standard firewalling code in
> Linux to block access to the WWW directly, so all clients must use
> the proxy server.

  This will work well for pretty much all browsers; most browsers
handle proxies much better when they know they're talking to a proxy
than in transparent mode. You may also want to use the "proxy.pac" URL
method to help users configure their browser automatically.

  The only things I could see problems with are non-browser
applications using HTTP without proper proxy support or with buggy
proxy support, e.g. buggy versions of applications like CDDB,
Seti@Home.

> This is for 2 reasons, one we have passwords on Internet access so we
> can log pages to a specific username, and secondly because the server
> is in an educational establishment our ISP offers a 'protected'
> Internet service, but only if you go through their proxy. Which is
> why we do not want to allow direct access.
>
> I appreciate that this list is for squid, but I was wondering if
> anyone could help me with configuring the routing so I can achieve
> the above.

  No change to routing, and no special transparent proxy handling, is
required with this approach. Just block port 80 from any address
except the Squid server. The exact commands will depend on which IP
firewall software you're running; I'm not familiar with the Linux
syntax.

  -- Clifton

-- 
 Clifton Royston  --  LavaNet Systems Architect --  cliftonr@lava.net
        "An absolute monarch would be absolutely wise and good.  
           But no man is strong enough to have no interest.  
             Therefore the best king would be Pure Chance.  
              It is Pure Chance that rules the Universe; 
          therefore, and only therefore, life is good." - AC
Received on Sat Nov 20 1999 - 13:40:15 MST
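
The reply above describes the rule ("block port 80 from any address except the Squid server") but gives no commands; the following is an added example, not part of the original message, written with iptables, which is an assumption since the thread names no firewall tool. It covers the thread's case (Squid on the gateway) and also the more general case of Squid on a separate host. The interface name, subnet and addresses are constructed, and the chains are assumed to be otherwise empty with a default policy of ACCEPT.

```shell
#!/bin/sh
# Added example, not from the thread. All values below are constructed.
LAN_IF=${LAN_IF:-eth1}               # interface facing the clients (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}   # client subnet (assumed)
PROXY_PORT=${PROXY_PORT:-3128}       # Squid's default http_port

# proxy_only_rules [PROXY_IP]
# Prints iptables commands rather than running them, so the rule set can be
# reviewed and then applied as root with:  proxy_only_rules | sh
#   no argument -> Squid runs on the gateway itself (the setup in the thread)
#   PROXY_IP    -> Squid is a separate host whose traffic the gateway routes
proxy_only_rules() {
    proxy_ip=${1:-}
    match="-i $LAN_IF -s $LAN_NET -p tcp --dport 80"
    if [ -z "$proxy_ip" ]; then
        # Clients must still reach Squid on the gateway. Squid's own outbound
        # requests leave through OUTPUT, never FORWARD, so the block below
        # cannot affect them and no exception is needed.
        echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT"
    else
        # The exception has to precede the block: first matching rule wins.
        echo "iptables -A FORWARD -s $proxy_ip -p tcp --dport 80 -j ACCEPT"
    fi
    # Record who tried to bypass the proxy (rate-limited), then refuse with a
    # TCP reset so misconfigured browsers fail at once instead of timing out.
    echo "iptables -A FORWARD $match -m limit --limit 6/min -j LOG --log-prefix 'direct-www: '"
    echo "iptables -A FORWARD $match -j REJECT --reject-with tcp-reset"
}
```

The LOG lines give a per-client record of bypass attempts, which helps find the non-browser applications with missing or buggy proxy support mentioned in the reply.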
