On 15-Jun-01 jfweber@eternal.net wrote:
** from the outer limits of space and time electrons arranged themselves into a message from "Kurt Seifried" on Fri, 15 Jun 2001 12:54:07 -0600 Earth Standard Time
squid.nlanr.org
Netscape cannot find the address, blah blah blah ..
Try www.squid-cache.org/Doc/FAQ/FAQ.html .
any other choices ????
If you use an ISDN router or similar as a gateway where you can configure filter/NAT rules you may construct a rule which denies any requests to <ip-addr>:80 for any host except the proxy. This way, your users can not directly connect to any remote web/ftp servers and you don't have to set up transparent proxying.
<G> This seems like it just *might* be the answer to a maiden's prayer, if I could only make it work so "they" never even see anything except the web pages they are trying to load ... perhaps an occasional ftp >> that ought to be all they want, oh yeah email send and receive ...
Transparent proxying definitely helps to prevent users from simply kicking proxy entries out of their browser configuration thus directly interfering with the big bad internet. It does not secure your squid proxy program (the demon itself) in any way, it just transparently redirects any traffic destined to port 80 to squid's port (usually 3128) and will *not* work properly if the proxy host is not the standard gateway of your network.

To set it up is just plain simple. First, make sure your kernel configuration includes transparent proxying and firewalling. Next, set up ipchains to handle the redirection:

    ipchains -A input -p TCP -d 127.0.0.1/32 www -j ACCEPT
    ipchains -A input -p TCP -d 192.168.1.0/255.255.255.0 www -j ACCEPT
    ipchains -A input -p TCP -d 0/0 www -j REDIRECT 3128

Lines one and two accept requests to port 80 of both the (squid proxy-) localhost and your network (replace 192.168.1.0 with your network address), line three does the actual redirecting from any IP:80 to port 3128 of the proxy host (ipchains only does local port forwarding so you don't have to supply the IP of your proxy host). That's it. If it doesn't work, FAQ it ;))
Blondely
j [...]
---
Boris Lorenz
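
Added example (not part of the original messages): a small Python model of first-match evaluation over the three input-chain rules quoted above, showing which destinations are accepted, which are redirected to port 3128, and what changes if the REDIRECT rule is listed first. The helper names, the sample packets and the default ACCEPT chain policy are assumptions made for illustration; `0/0` is written as `0.0.0.0/0`.

```python
import ipaddress

# The three input-chain rules from the post, in order: (destination, port, target).
# "www" is TCP port 80.
RULES = [
    ("127.0.0.1/32", 80, "ACCEPT"),
    ("192.168.1.0/255.255.255.0", 80, "ACCEPT"),
    ("0.0.0.0/0", 80, "REDIRECT 3128"),
]

# Same rules with the REDIRECT rule moved to the top (hypothetical misordering).
REORDERED = [RULES[2], RULES[0], RULES[1]]

# Constructed sample packets: (destination IP, destination TCP port).
SAMPLE = [
    ("127.0.0.1", 80),      # request to the proxy host itself
    ("192.168.1.10", 80),   # web server on the local network
    ("203.0.113.5", 80),    # remote web server
    ("203.0.113.5", 443),   # remote HTTPS: no rule matches port 443
    ("203.0.113.5", 8080),  # remote web server on a non-standard port
]


def evaluate(dst_ip, dst_port, rules=RULES, policy="ACCEPT"):
    """Return the target of the first matching rule, else the chain policy.

    Assumption: the input chain's default policy is ACCEPT.
    """
    addr = ipaddress.ip_address(dst_ip)
    for net, port, target in rules:
        if dst_port == port and addr in ipaddress.ip_network(net):
            return target
    return policy


def verdicts(packets, rules=RULES):
    """Map 'ip:port' to the verdict for each packet."""
    return {f"{ip}:{port}": evaluate(ip, port, rules) for ip, port in packets}


if __name__ == "__main__":
    for dest, verdict in verdicts(SAMPLE).items():
        print(f"{dest:20} -> {verdict}")
    # With REDIRECT first, local web servers are sent through the proxy too.
    print("reordered, 192.168.1.10:80 ->", evaluate("192.168.1.10", 80, REORDERED))
```

Only destination port 80 is matched, so traffic to other ports falls through to the chain policy and never reaches Squid unless a separate filter rule covers it.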