Re: [squid-users] Best policy to allow only proxy surfing

From: Glenn English
Date: Wed, 5 May 2010 09:45:29 -0600

On May 5, 2010, at 9:21 AM, Boniforti Flavio wrote:

> Now some clever users have discovered that they can use foreign external
> proxies to avoid filtering.
> What I was thinking to do, is to enable on my firewall LAN-->WAN *only*
> my proxy's IP address, but the question is: how would I have to proceed,
> as the client PCs could still have their proxy settings set?!

I'm currently working on a replaceThePIXwithLinux project. What I'm hoping to do is:

This will be the *only* way out of the LAN. This is to be enforced with pieces of wire. If they can get into the WiFi next door, I don't have a solution for that yet.

This box will transparently proxy HTTP by intercepting port 80 (and 443??) and forwarding it to 3128. Squid will be running on the gateway / filter / firewall.

Aside from a few ports (SMTP, POP3, IMAP, DNS, etc. on the DMZ), the LAN won't be able to go anywhere. Except for me, of course; I can go anywhere...

Don't know if this is going to work, but if it does, rules similar to these may solve your problem. With no proxy whinage.

Glenn English
Received on Wed May 05 2010 - 15:45:35 MDT
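
Added example, not part of the original message or of Squid's documentation: one way to express the policy described above (Squid on the gateway, port 80 intercepted to 3128, LAN otherwise denied except for mail and DNS on the DMZ and an admin host) as an iptables-restore ruleset. The interface name, DMZ network, admin address and the exact port list are assumptions passed in or constructed for illustration; port 443 is left to the default-deny policy because a plain intercepting HTTP port cannot handle redirected TLS.

```shell
#!/bin/sh
# Added example (not from the original post). The interface name, DMZ
# network and admin address are caller-supplied assumptions.
# Usage: sh gateway-rules.sh eth1 192.0.2.0/28 10.0.0.2 | iptables-restore --test
gen_ruleset() {
    if [ "$#" -ne 3 ]; then
        echo "usage: gen_ruleset LAN_IF DMZ_NET ADMIN_IP" >&2
        return 1
    fi
    lan_if=$1 dmz_net=$2 admin_ip=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
# The admin host is exempt from interception.
-A PREROUTING -i $lan_if -s $admin_ip -j ACCEPT
# LAN HTTP is handed to the local Squid. Port 80 traffic aimed at an outside
# proxy lands here too, so Squid's ACLs still see the requested URL.
-A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -s $admin_ip -j ACCEPT
-A INPUT -i $lan_if -p tcp --dport 3128 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -s $admin_ip -j ACCEPT
# Mail and DNS on the DMZ only. Everything else from the LAN meets the DROP
# policy, which covers HTTPS and outside proxies on other ports.
-A FORWARD -i $lan_if -d $dmz_net -p tcp -m multiport --dports 25,53,110,143 -j ACCEPT
-A FORWARD -i $lan_if -d $dmz_net -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Print the ruleset when called with the three arguments; load nothing.
if [ "$#" -eq 3 ]; then
    gen_ruleset "$@"
fi
```

For the redirect to work, Squid's `http_port 3128` needs the `intercept` option (`transparent` in releases before Squid 3.1).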
