On Sun, Oct 12, 2008 at 12:31:45PM +0300, Ali Hardogan wrote:
> Hello,
>
> What is the best way to have full control over HTTP traffic that goes
> through a Squid-enabled firewall?
Don't allow outside connections from clients, don't use transparent mode. Force
users to configure the proxy in the browser.
> On the firewall, we intercept TCP traffic destined to ports 80, 3128,
> and 8080 and redirect them to the local Squid port, and they get
> filtered.
>
> But HTTP traffic is not limited to use those ports. Especially in case
> the PCs behind the firewall are using HTTP-based proxies, depending on
> the ports used by the proxies on the Internet they may escape the
> Squid filtering (e.g., say they are using port 45001).
What is your goal with "full HTTP control"? If your clients are allowed to
connect to any port anywhere they want, I guess it's not security (though
you wanting to stop proxies would suggest it). Also they can simply use SSL
or such to escape any filtering.
> How can we make sure "any HTTP traffic -- irrespective of the TCP
> destination port number" that goes through the firewall gets filtered
> by the Squid?
Depending on your OS/firewall, you may have the ability to search packets for HTTP
traffic. But it is intensive, not foolproof, and an unnecessary kludge.
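As an added illustration of the policy recommended above (not part of the original thread or of Squid itself), the script below prints an iptables-restore ruleset in which clients can only reach the Squid port on the firewall and nothing is forwarded from the LAN to the Internet, so there is no destination port a client could use to bypass the proxy; interface names, the client network and the Squid port are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: "clients only talk to Squid, only the
# Squid host talks to the Internet". Values below are assumptions; adjust them.
LAN_IF="${LAN_IF:-eth1}"              # assumed: interface facing the client LAN
WAN_IF="${WAN_IF:-eth0}"              # assumed: interface facing the Internet
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: client network
SQUID_PORT="${SQUID_PORT:-3128}"      # port browsers are configured to use

# Print the ruleset in iptables-restore(8) format. Printing applies nothing,
# so the policy can be reviewed or tested before it touches the firewall.
ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only service clients may reach on the firewall is the Squid listener.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
# Nothing is forwarded from the LAN to the Internet on any port: outbound
# connections can only originate from Squid on this host (OUTPUT chain),
# so an external proxy on port 45001 is no more reachable than port 80.
-A FORWARD -i $LAN_IF -o $WAN_IF -j REJECT
COMMIT
EOF
}

# Apply only on explicit request, so running the script by itself is safe.
if [ "${1:-}" = "--apply" ]; then
  ruleset | iptables-restore
else
  ruleset
fi
```

Squid's own ACLs then decide which destination ports (including CONNECT targets) clients may reach through the proxy, which is where the remaining "SSL to escape filtering" concern is handled.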
Received on Sun Oct 12 2008 - 10:06:00 MDT
This archive was generated by hypermail 2.2.0 : Mon Oct 13 2008 - 12:00:02 MDT