RE: [squid-users] Transparent Proxy without being inline?

From: John Cole <jcole@dont-contact.us>
Date: Tue, 22 Mar 2005 10:38:15 -0500

Howdy!

I'm not as interested in blocking as I am in reporting. If I can do
blocking as well, that's great.

Here's the layout of what I'm trying to do:

LAN --> Hub --> FW --> Internet
          |
         \-/
         box with Squid

I've seen other products out there that do transparent interceptions like
this. I believe they put the NICs into promiscuous mode in order to see
all of the traffic needed. (IIRC) They might have sent a TCP RST to the
destination and then put a custom page back to the user when they accessed a
prohibited page.

Can Squid do this?

Thanks,
John

-----Original Message-----
From: Meidinger Chris [mailto:chris.meidinger@badenit.de]
Sent: Tuesday, March 22, 2005 10:30 AM
To: John Cole; squid-users@squid-cache.org
Subject: RE: [squid-users] Transparent Proxy without being inline?

Hi John,

how would squid block things if they are not being routed over the proxy?

Your sig says you are a security guy, so let's translate this into security
terms:

If you have two subnets, 10.1.0.0/24 and 10.2.0.0/24 and you want to avoid
having anyone make an ssh connection from 10.1.0.10 to 10.2.0.10 you would
probably use a firewall. If you connect the gateways from both subnets to a
hub, and then put a firewall on that hub as well, can you think of any way
to make the firewall stop that ssh connection?

The only thing conceivable would be to either teach squid to RST the
connections to the browser if something needs to be blocked, or to arpspoof
the firewall's mac to trick packets into traversing the squid box first.

Now, returning to reality, you could have the packets traverse the firewall
twice, like so:

host --> switch --> hub --> firewall --> squid --> firewall --> internet

you would need :

# iptables -A FORWARD -p TCP --dport 80 -s $SQUID_PROXY -d \! $INSIDE_NET -j ACCEPT
# iptables -A FORWARD -p TCP --dport 80 -s $INSIDE_NET -d $SQUID_PROXY -j ACCEPT
# iptables -t nat -A PREROUTING -s $INSIDE_NET -d \! $INSIDE_NET -p TCP --dport 80 -j DNAT --to-destination $SQUID_PROXY

tack -m state --state NEW,ESTABLISHED,RELATED onto the first two, and you're
set. (If squid is on the $INSIDE_NET, you will obviously have to allow for
that as well.)

Greetings, Chris

PS: this is obviously not a use for squid in transparent mode!! You only
bridge squid when you want it to invisibly sit between the lan and the
outside!!
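The double-pass rule set Chris describes, written out as a dry-run script with the state match tacked on and the "Squid is on the $INSIDE_NET" case handled. This is an added example, not code from the thread: the addresses, the `fw_rules` function name, the blanket ESTABLISHED,RELATED rule and the rule exempting the Squid box from the redirect are my assumptions about what "allow for that as well" means.

```shell
#!/bin/sh
# Added example, not from the thread: Chris's double-pass rule set with the
# -m state match added and the "Squid box is on $INSIDE_NET" case handled.
# Addresses are assumed placeholders; the exemption rule is my reading of
# "allow for that as well".
INSIDE_NET=${INSIDE_NET:-10.1.0.0/24}
SQUID_PROXY=${SQUID_PROXY:-10.1.0.5}   # Squid listening on port 80, transparent mode
# Dry run by default: print the rules. Run as root with IPT=iptables to apply them.
IPT=${IPT:-"echo iptables"}

fw_rules() {
    # Return traffic for both legs (Internet -> Squid, Squid -> LAN client);
    # the --dport 80 rules below only match the forward direction.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Squid's own fetches leaving the firewall for the Internet.
    $IPT -A FORWARD -p tcp --dport 80 -s "$SQUID_PROXY" ! -d "$INSIDE_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # LAN clients reaching Squid after the DNAT below rewrote the destination.
    $IPT -A FORWARD -p tcp --dport 80 -s "$INSIDE_NET" -d "$SQUID_PROXY" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Squid sits on $INSIDE_NET, so exempt it from the redirect first; otherwise
    # its outbound port-80 requests would be DNATed straight back to itself.
    $IPT -t nat -A PREROUTING -p tcp --dport 80 -s "$SQUID_PROXY" -j ACCEPT
    # Everything else from the LAN bound for the outside goes to Squid.
    $IPT -t nat -A PREROUTING -p tcp --dport 80 -s "$INSIDE_NET" ! -d "$INSIDE_NET" \
        -j DNAT --to-destination "$SQUID_PROXY"
}

fw_rules
```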

> -----Original Message-----
> From: John Cole [mailto:jcole@filink.com]
> Sent: Tuesday, March 22, 2005 4:03 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Transparent Proxy without being inline?
>
> Howdy all!
>
> I've been looking but haven't found the answer yet.
>
> Is it possible to run SQUID in transparent mode but not be inline? For
> example, I have a box between the LAN and the FW but it is in a hub and the
> NIC is in promiscuous mode. Can SQUID do caching and/or blocking and/or
> reporting in this setup?
>
> Thanks,
> John Cole, TICSA
> Security Engineer
> FiLink
> 770-420-1546 x102
> 1-866-534-5465
> jcole@filink.com
>

This email and any files transmitted with it are solely intended for the use of the
addressee(s) and may contain information that is confidential and privileged. If
you receive this email in error, please advise us by return email immediately.
Please also disregard the contents of the email, delete it and destroy any copies
immediately.
Received on Tue Mar 22 2005 - 08:38:18 MST

This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:02 MST