On 11/28/07 1:07 PM, "Grant Taylor" <gtaylor@xxxxxxxxxxxxxxxxx> wrote:

> On 11/28/07 14:01, James Lay wrote:
>> Interesting idea. I know that when I've captured this proxy traffic
>> I see in ASCII "http://" and then whatever proxied site (usually
>> myspace). I was thinking maybe a matchstring type thing? Here's a
>> snippet from an access.log from a transparent squid proxy, using
>> sureproxy hitting playboy:
>
> Possibly.
>
>> 10.1.1.191 - - [28/Nov/2007:12:49:26 -0700] "GET
>> http://www.sureproxy.com/nph-index.cgi/011110A/http/www.playboy.com/imx/front
>> page/2008-calendars.jpg
>> HTTP/1.1" 200 366
>> "http://www.sureproxy.com/nph-index.cgi/011110A/http/www.playboy.com/"
>> "Opera/9.24 (Macintosh; Intel Mac OS X; U; en)" TCP_MISS:DIRECT
>>
>> Does my idea make sense or am I on crack :D
>
> Are you wanting to prevent proxy services from accessing your web
> site(s) or are you wanting to prevent people behind your proxy from
> accessing prohibited material? This makes a *BIG* difference in what
> direction you go.
>
> Grant. . . .

The latter ;) Keeping the people on the inside from being naughty. One of my clients doesn't want a proxy server installed....I would normally just use squid and squidguard and be done with it, but that's not an option. So barring using Snort to do it (somehow) I was thinking netfilter/iptables to match strings on port 80 for "http". Hope that explains it better.

James
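The string-match idea James describes, as an added detection example that is not from the thread: it applies the check to a reconstructed request (assumed to be what the browser sends to sureproxy on port 80, rebuilt from the access.log line above) and shows why matching "http://" anywhere in the payload, as a packet-level string match would, also fires on an ordinary request's Referer header.

```python
import re
from urllib.parse import urlsplit

# What the thread proposes to string-match: a full URL embedded in what should
# be a plain request path. The "/http/host/" form is assumed from the sureproxy
# URL in the quoted log line; other CGI proxies may encode the target differently.
EMBEDDED_URL = re.compile(r"(?:https?://|/https?/)([A-Za-z0-9.-]+)", re.IGNORECASE)

def request_target(raw_request: bytes) -> str:
    """Return the request-target (second token) from the HTTP request line."""
    first_line = raw_request.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first_line.split()
    return parts[1] if len(parts) >= 2 else ""

def path_of(target: str) -> str:
    """Squid logs the absolute URL; a browser on port 80 sends only the path.
    Reduce both forms to the path so the same check applies to either."""
    if target.lower().startswith(("http://", "https://")):
        return urlsplit(target).path
    return target

def proxied_host(raw_request: bytes):
    """Host embedded in the request path (proxied destination), or None."""
    m = EMBEDDED_URL.search(path_of(request_target(raw_request)))
    return m.group(1).lower() if m else None

def naive_payload_match(raw_request: bytes) -> bool:
    """The plain 'does http:// occur anywhere in the TCP payload' check."""
    return b"http://" in raw_request.lower()

# Constructed request, rebuilt from the quoted log line (the "front page" break
# in the log is assumed to be mail wrapping of "frontpage").
PROXIED = (
    b"GET /nph-index.cgi/011110A/http/www.playboy.com/imx/frontpage/2008-calendars.jpg HTTP/1.1\r\n"
    b"Host: www.sureproxy.com\r\n"
    b"Referer: http://www.sureproxy.com/nph-index.cgi/011110A/http/www.playboy.com/\r\n"
    b"User-Agent: Opera/9.24 (Macintosh; Intel Mac OS X; U; en)\r\n\r\n"
)
# Constructed ordinary request: nothing proxied, but it carries a Referer header
# like nearly every browser request, so the naive payload match fires here too.
ORDINARY = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://www.example.com/\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("proxied", PROXIED), ("ordinary", ORDINARY)):
        print(name, "embedded host:", proxied_host(req),
              "naive http:// match:", naive_payload_match(req))
```

A netfilter string match sees the whole packet, so it behaves like `naive_payload_match`; anchoring the check on the request path is what keeps the Referer header out of it.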