[ILUG] dansguardian, squid, smoothwall and transparent proxying
Gavin McCullagh
ilug_gmc at fiachra.ucd.ie
Thu Mar 10 11:17:07 GMT 2005
Hi
Conor wrote:
> Fortunately, I've only one win32 box (with IE removed) in the house, the
> rest are linux machines. This does depend on the machines using dhcp
> though. Once junior_X figures out how to set a static IP address, this
> will get bypassed unless I can block outbound also. However, in the
> meantime, can I put this stuff into my dhcpd.conf on the internal server
> (which is already serving dhcp for the network)? Or does this have to
> happen on the smoothie?
I'm afraid you're painting yourself into a corner here.
If squid is to run on an internal (non-firewall) machine, then the firewall
must give internet (at least web) access to that IP address. If the child
is smart enough to set a static ip address or set a web proxy by hand, then
(s)he's probably also smart enough to unplug your squid machine from the
network, set a static ip address to that of your squid machine and get web
access directly.
To prevent this, you'll need to either put squid/dans on the firewall or
find a way for the firewall to authenticate the squid/dans machine. One
way might be to run a simple squid on the firewall with authentication and
hard code that username/password into your squid/dans machine squid.conf.
It's certainly not pretty.
Niall's right, smoothwall should really be an appliance and I suspect
dansguardian is unlikely to work well in that situation (downloading/storing
updated blacklists, etc). If you need something this complex, installing a
small distro with dans/squid/iptables (shorewall recommended) might be a
better option.
I also presume you want proper internet access, which will be difficult to
arrange without offering similar possibilities. A separate physical net
for you and your wife seems a little bit overkill.
We are of course assuming the kid won't just compromise the firewall
machine. I guess if they managed that then when you're done giving out to
them you can smile wryly at the nice little pension scheme standing in
front of you. How smart are these kids?
Gavin
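
The chained-proxy idea in the message above, sketched as squid.conf fragments. This is an added example, not part of the original post; the addresses, port, username, password placeholder and helper path are all assumptions to adapt to the local setup.

```conf
# ---- squid.conf on the FIREWALL ----
# The firewall itself forwards no web traffic for LAN hosts; the only way
# out is through this proxy, and only with valid credentials.
# Assumed paths: the helper name and location vary by distro and squid
# version (older packages ship it as ncsa_auth).
http_port 3128
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm upstream
acl authed proxy_auth REQUIRED
http_access allow authed
http_access deny all

# ---- squid.conf on the INTERNAL squid/dansguardian machine ----
# 192.168.0.1 is a constructed address for the firewall;
# filterbox / CHANGE_ME are placeholder credentials.
cache_peer 192.168.0.1 parent 3128 0 no-query default login=filterbox:CHANGE_ME
# Never fetch directly: every request goes via the authenticated parent.
never_direct allow all
```

With this in place a machine that borrows the filtering box's IP address gets a 407 from the firewall proxy instead of web access. The password sits in clear text in the internal squid.conf and crosses the LAN as Basic auth, so keep that file readable only by root and the squid user.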