First you can block ports 80 and 443 from the internal network to the outside; only the IP address of the proxy is allowed to go outside to ports 80 and 443, so the users are forced to use the proxy, because no direct connection is allowed any more.
But an evil user can run a proxy on, say, port 53, or another port you don't block on the firewall; then I can browse sites you are blocking. Some universities have this problem: they only allow Web access and SMTP, but clever students use things like CIPE and ssh to get to the other stuff
OK, then maybe try the hard way: forbid every workstation in the LAN direct connections to the internet, and only allow the proxy to enter the i-net. An easy solution with iptables.
----- Original Message -----
From: "Robert Davies" <Rob_Davies@NTLWorld.Com>
To: "rene marhold" <rene@mail.marhold.net>
Sent: Friday, June 01, 2001 12:09 AM
Subject: Re: [suse-security] forcing use of proxy
they want.
If you want to 'force' use of something, private networks are the only way; then they really _do_ have to use the services you offer, through application level proxies.
Rob
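The two firewall policies discussed in this thread, side by side in iptables-restore format, as an added example that is not part of any poster's message. It assumes the proxy is a LAN host behind the firewall; the addresses, interface name and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: the two policies from the thread as iptables-restore input.
# Assumed (not from the thread): the proxy is a LAN host behind this firewall;
# the addresses and interface name below are constructed placeholders.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_IP="${PROXY_IP:-192.168.1.10}"
WAN_IF="${WAN_IF:-eth1}"

# First proposal: close only 80/443 for everyone except the proxy.
# The FORWARD policy stays ACCEPT, so any other port (53, 22, ...) still passes.
weak_rules() {
cat <<EOF
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s $PROXY_IP -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -p tcp -m multiport --dports 80,443 -j REJECT
COMMIT
EOF
}

# "The hard way": default-deny forwarding, only the proxy may leave the LAN.
# Denied direct attempts are logged (rate-limited) so they can be reviewed.
strict_rules() {
cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $PROXY_IP -o $WAN_IF -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -m limit --limit 6/min -j LOG --log-prefix "direct-out-denied: "
-A FORWARD -s $LAN_NET -o $WAN_IF -j REJECT
COMMIT
EOF
}

# Report the FORWARD chain's default policy of a ruleset read on stdin.
forward_policy() {
    sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# Print a ruleset when called as: sh script.sh weak|strict
case "${1:-}" in
    weak)   weak_rules ;;
    strict) strict_rules ;;
esac
```

The output can be syntax-checked without loading it by piping it to `iptables-restore --test` as root.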