RE: [squid-users] How to prevent anwanted bypassing squid by netw ork users trhough browser set-up

From: Rodriguez Quintero, Juan Diego, SYNAPSIS Per� <[email protected]>
Date: Tue, 30 Sep 2003 10:40:39 -0500

A firewall may help you. Set explicit rules to allw http (80) from the
address you want and deny others.

If your clients use Internet Explorer and Windows 2000 you can set GPO to
configure their browsers and restrict changes.

Regards,

JD

-----Mensaje original-----
De: Alvaro Gordon-Escobar [mailto:alvaroge@molecularstaging.com]
Enviado el: Monday, September 29, 2003 8:37 AM
Para: Datareactor; masch@center-net.de; squid-users@squid-cache.org
Asunto: RE: [squid-users] How to prevent anwanted bypassing squid by
network users trhough browser set-up

Hello Manuel

I had the same problem.
Do you have firewall?
Before any of your user can make it to the www, they have to get a
public IP from something via NAT or what ever method. This device
(firewall, router etc) can be told to deny all traffic from the trust
interface that is coming from your users.

I all your internal IP are in the same ranges!
Set a permit rule for your servers that get updates on their own ( virus
def, patches etc) before your users.

With this setup, only users browsing through the proxy will be able to
browse, because any savvy user that changes the browser config will be
blocked at your perimeter device.
 

Example router config for cisco router

Permit ip 10.9.1.0 0.0.0.255 any -- servers
Deny ip 10.9.2.0 0.0.0.255 any -- users. Blocks all traffic from
10.9.2.0 range
Or deny tcp 10.9.2.0 0.0.0.255 any eq 80 (www) users-- will block only
port 80
Permit ip any any

Hope this helps!~

~alvaro

-----Original Message-----
From: Datareactor [mailto:talha@worldcall.net.pk]
Sent: Monday, September 29, 2003 9:00 AM
To: masch@center-net.de; squid-users@squid-cache.org
Subject: Re: [squid-users] How to prevent anwanted bypassing squid by
network users trhough browser set-up

if u have router you can implement wccp on it
to forward your port 80 request to squid proxies
then yr rules will be applied .

no need to put proxy in their browser.

Regards

./DR

----- Original Message -----
From: "Manuel Schroeder" <masch@center-net.de>
To: <squid-users@squid-cache.org>
Sent: Monday, September 29, 2003 5:40 PM
Subject: [squid-users] How to prevent anwanted bypassing squid by
network
users trhough browser set-up

> Hi,
>
> we want to disable our network users to access their private webmail
> etc. from the office. So I did successfully made an acl dstdomain
> ....... and made squid also taking care about port 80.
>
> But my obvious concern is that our clever users will setup their
> browsers back NOT to use our proxy but to go to the internet DIRECTLY
as
> usual in former times on port 80 without proxy use. %) I did hope the
> above (also looking at port 80) would prevent them from but sorry to
say
> it does not. 8(
>
> But by doing so all my wonderfull filter rules in squid will be
> bypassed! :(
>
> How can I make squid to block browsers coming on port 80 in "no proxy
> mode"?! :)
>
> Manuel
>
>
>
Received on Tue Sep 30 2003 - 09:41:08 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:20:05 MST