RE: [squid-users] Blocking proxy bypass

From: Greg Darby <greg.darby@dont-contact.us>
Date: Tue, 22 Jan 2002 08:21:25 +1030

Why don't you pop some access lists on the ethernet port of your router?

This config assumes you have a Cisco router

! ??? = an extended access-list number (100-199), since the entries match on
! protocol and port. The second address is a Cisco wildcard mask (the inverse
! of the subnet mask): a single host uses 0.0.0.0.
! squid box
access-list ??? permit ip ***.***.***.***(IP) ***.***.***.***(wildcard mask) any
access-list ??? deny ip any any

Depending on circumstances, the above will force clients to use the proxy.
The squid box is allowed to access anything on the Internet, whereas client
requests sent directly are blocked at the router. The only way out is through the
Squid box.

You could of course go crazy and restrict the squid box from some ports also
at the router, but I found it more convenient to do that in the squid.conf.

If you have a need to allow some clients to access the net or any other
protocol directly, such as PCAnywhere or whatever, you can do the following:

! squid box
access-list ??? permit ip ***.***.***.***(IP) ***.***.***.***(wildcard mask) any
! one client, one port (use udp instead of tcp where the protocol needs it)
access-list ??? permit tcp ***.***.***.***(IP) ***.***.***.***(wildcard mask) any eq *** (port no)
access-list ??? deny ip any any

Or for all clients to access a particular port directly:

! squid box
access-list ??? permit ip ***.***.***.***(IP) ***.***.***.***(wildcard mask) any
! every client, one port (tcp or udp as required)
access-list ??? permit tcp any any eq *** (port no)
access-list ??? deny ip any any

Don't forget to apply the access-list to the ethernet interface as well:

! the LAN-side ethernet interface; "in" filters traffic arriving from the clients
interface Ethernet0
 ip access-group ??? in

I have noticed this topic comes up quite often, so I hope I may help some
people as it has done for me.

Regards,

Greg
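To make the router-side rules above concrete, here is an added worked example (mine, not Greg's or the Squid project's) that models how a Cisco access-list evaluates packets: first matching entry wins, an unmatched packet hits the implicit deny, and the second address in each entry is a wildcard mask rather than a subnet mask. The addresses, the sample application port and the network layout are constructed for the example. It evaluates the "proxy only" list and the "one client, one port" variant against a few packets, including a client's direct DNS query of the kind that would trigger the ISDN auto-dial in the original question, and shows why a subnet mask typed where a wildcard belongs matches hosts it should not.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry, in the spirit of `access-list N permit|deny ...`."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol; "tcp"/"udp" only that one
    src: str                      # source address, dotted quad
    wildcard: str                 # Cisco wildcard mask: 0 bits must match, 1 bits are ignored
    dport: Optional[int] = None   # destination port for "eq <port>"; None means any port


def subnet_to_wildcard(mask: str) -> str:
    """Cisco ACLs take a wildcard mask, the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard marks as significant (0)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


def evaluate(acl: List[Ace], src_ip: str, proto: str, dport: Optional[int] = None) -> str:
    """First-match evaluation; a packet matching no entry is denied, as on a Cisco router."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src_ip, ace.src, ace.wildcard):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"   # the implicit deny at the end of every access-list


# Constructed sample network (TEST-NET-1 addresses, not taken from the thread).
SQUID_BOX = "192.0.2.10"
CLIENT = "192.0.2.55"
ADMIN_PC = "192.0.2.20"
SAMPLE_PORT = 5631   # constructed: stands in for the "eq *** (port no)" entry

# Variant 1: only the squid box may talk to the Internet.
ACL_PROXY_ONLY = [
    Ace("permit", "ip", SQUID_BOX, "0.0.0.0"),            # host entry: wildcard 0.0.0.0
    Ace("deny", "ip", "0.0.0.0", "255.255.255.255"),      # "deny ip any any"
]

# Variant 2: one named client may additionally reach one TCP port directly.
ACL_WITH_EXCEPTION = [
    Ace("permit", "ip", SQUID_BOX, "0.0.0.0"),
    Ace("permit", "tcp", ADMIN_PC, "0.0.0.0", SAMPLE_PORT),
    Ace("deny", "ip", "0.0.0.0", "255.255.255.255"),
]


def demo() -> dict:
    """Verdicts for a few representative packets arriving on the LAN interface."""
    return {
        "squid_http": evaluate(ACL_PROXY_ONLY, SQUID_BOX, "tcp", 80),
        "client_http": evaluate(ACL_PROXY_ONLY, CLIENT, "tcp", 80),
        "client_dns": evaluate(ACL_PROXY_ONLY, CLIENT, "udp", 53),   # would auto-dial if permitted
        "admin_app": evaluate(ACL_WITH_EXCEPTION, ADMIN_PC, "tcp", SAMPLE_PORT),
        "admin_http": evaluate(ACL_WITH_EXCEPTION, ADMIN_PC, "tcp", 80),
        "client_app": evaluate(ACL_WITH_EXCEPTION, CLIENT, "tcp", SAMPLE_PORT),
    }


if __name__ == "__main__":
    for packet, verdict in demo().items():
        print(f"{packet:12s} {verdict}")
    print("wildcard for a /24:", subnet_to_wildcard("255.255.255.0"))
    # Pitfall: a subnet mask in the wildcard position ignores the network bits,
    # so an unrelated host whose last octet happens to match is let through.
    print("subnet mask as wildcard matches 10.0.0.10:",
          wildcard_match("10.0.0.10", SQUID_BOX, "255.255.255.0"))
```

Only the squid box's own traffic gets "permit" from the first list, so a client that reconfigures its browser to go direct is stopped at the router, and its DNS lookups are stopped too. The wildcard check at the end is the one to keep in mind when translating a subnet mask into an entry: 255.255.255.0 as a wildcard means "any network, host .10", not "this /24".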

-----Original Message-----
From: Mark Lucas [mailto:mark@mlucas.net]
Sent: Tuesday, 22 January 2002 4:53 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Blocking proxy bypass

I have an ISDN router on my network to handle the internet connection. This auto
dials on DNS requests.
I have set up my network users to connect to the WWW via squid and
squidGuard. Of course, if they are clever enough they can bypass squidGuard
by simply connecting directly, bypassing squid altogether (by reconfiguring
the internet connection settings). I would like to stop them doing this but I
don't know how. Any ideas?

I have a Linux server running Squid 2.4 and MS Windows (98 and 2000) network
clients running IE6 and IE5.5.

Thanks,

        Mark

Received on Mon Jan 21 2002 - 14:52:12 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:05:54 MST