RE: [squid-users] How to prevent anwanted bypassing squid by network users trhough browser set-up

From: Alvaro Gordon-Escobar <alvaroge@dont-contact.us>
Date: Mon, 29 Sep 2003 09:37:21 -0400

Hello Manuel

I had the same problem.
Do you have firewall?
Before any of your user can make it to the www, they have to get a
public IP from something via NAT or what ever method. This device
(firewall, router etc) can be told to deny all traffic from the trust
interface that is coming from your users.

I all your internal IP are in the same ranges!
Set a permit rule for your servers that get updates on their own ( virus
def, patches etc) before your users.

With this setup, only users browsing through the proxy will be able to
browse, because any savvy user that changes the browser config will be
blocked at your perimeter device.
 

Example router config for cisco router

Permit ip 10.9.1.0 0.0.0.255 any -- servers
Deny ip 10.9.2.0 0.0.0.255 any -- users. Blocks all traffic from
10.9.2.0 range
Or deny tcp 10.9.2.0 0.0.0.255 any eq 80 (www) users-- will block only
port 80
Permit ip any any

Hope this helps!~

~alvaro

-----Original Message-----
From: Datareactor [mailto:talha@worldcall.net.pk]
Sent: Monday, September 29, 2003 9:00 AM
To: masch@center-net.de; squid-users@squid-cache.org
Subject: Re: [squid-users] How to prevent anwanted bypassing squid by
network users trhough browser set-up

if u have router you can implement wccp on it
to forward your port 80 request to squid proxies
then yr rules will be applied .

no need to put proxy in their browser.

Regards

./DR

----- Original Message -----
From: "Manuel Schroeder" <masch@center-net.de>
To: <squid-users@squid-cache.org>
Sent: Monday, September 29, 2003 5:40 PM
Subject: [squid-users] How to prevent anwanted bypassing squid by
network
users trhough browser set-up

> Hi,
>
> we want to disable our network users to access their private webmail
> etc. from the office. So I did successfully made an acl dstdomain
> ....... and made squid also taking care about port 80.
>
> But my obvious concern is that our clever users will setup their
> browsers back NOT to use our proxy but to go to the internet DIRECTLY
as
> usual in former times on port 80 without proxy use. %) I did hope the
> above (also looking at port 80) would prevent them from but sorry to
say
> it does not. 8(
>
> But by doing so all my wonderfull filter rules in squid will be
> bypassed! :(
>
> How can I make squid to block browsers coming on port 80 in "no proxy
> mode"?! :)
>
> Manuel
>
>
>
Received on Mon Sep 29 2003 - 07:37:12 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:20:04 MST