Re: [squid-users] Transparent Proxy without being inline?

This is not what squid was designed for. Squid is a proxy, not an IDS or sniffer or anything like that. What it does (and very well) is take your connection requests and forward them based on your policy to the remote server. If what you want is to know who is connecting to IIRC your FW should be able to do that. You may also install a sniffer and write appropriate filters to only capture the traffic that you are interested in. If you want to be able to look at reports, maybe send TCP RST, etc. go for Snort or something like it.

John Cole wrote:
Howdy!

I'm not as interested in blocking as I am in reporting.  If I can do
blocking as well, that's great.

Here's the layout of what I'm trying to do:

LAN -->  Hub -->  FW --> Internet
          |
         \-/
         box with Squid

I've seen other products out there that do transparent interceptions like
this.  I believe they put the NICs into promiscuous mode in order to see
all of the traffic needed.  (IIRC) They might have sent a TCP RST to the
destination and then put a custom page back to the user when they accessed a
prohibited page.

Can Squid do this?

Thanks,
John

-----Original Message-----
From: Meidinger Chris [mailto:chris.meidinger@xxxxxxxxxx]
Sent: Tuesday, March 22, 2005 10:30 AM
To: John Cole; squid-users@xxxxxxxxxxxxxxx
Subject: RE: [squid-users] Transparent Proxy without being inline?



Hi John,

how would squid block things if they are not being routed over the proxy?

Your sig says you are a security guy, so let's translate this into security
terms:

If you have two subnets, 10.1.0.0/24 and 10.2.0.0/24 and you want to avoid
having anyone make an ssh connection from 10.1.0.10 to 10.2.0.10 you would
probably use a firewall. If you connect the gateways from both subnets to a
hub, and then put a firewall on that hub as well, can you think of any way
to make the firewall stop that ssh connection?

The only thing conceivable would be to either teach squid to RST the
connections to the browser if something needs to be blocked, or to arpspoof
the firewall's mac to trick packets into traversing the squid box first.

Now, returning to reality, you could have the packets traverse the firewall
twice, like so:

host --> switch --> hub --> firewall --> squid --> firewall --> internet

you would need:

# iptables -A FORWARD -p TCP --dport 80 -s $SQUID_PROXY ! -d $INSIDE_NET -j ACCEPT
# iptables -A FORWARD -p TCP --dport 80 -s $INSIDE_NET -d $SQUID_PROXY -j ACCEPT
# iptables -t nat -A PREROUTING -s $INSIDE_NET ! -d $INSIDE_NET -p TCP --dport 80 -j DNAT --to-destination $SQUID_PROXY


tack -m state --state NEW,ESTABLISHED,RELATED onto the first two, and you're
set. (If squid is on the $INSIDE_NET, you will obviously have to allow for
that as well.)

Greetings, Chris

PS: this is obviously not a use for squid in transparent mode!! You only
bridge squid when you want it to invisibly sit between the lan and the
outside!!
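
The "traverse the firewall twice" layout above, worked through as a complete rule set. This is an added example, not code from the thread or from the Squid project: the variable names follow Chris's mail, the addresses are constructed placeholders, SQUID_PORT is an assumption that must match the http_port Squid actually listens on, and the state matching he says to tack on is written out in full. It also covers the case his PS mentions, Squid sitting on $INSIDE_NET, by excluding the Squid box from the redirect so its own outbound HTTP is not looped back to itself.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): rule generator for the layout
#   host --> switch --> hub --> firewall --> squid --> firewall --> internet
# Runs on the firewall. Addresses are constructed placeholders; SQUID_PORT is an
# assumption and must match Squid's transparent http_port.

INSIDE_NET="${INSIDE_NET:-10.1.0.0/24}"   # constructed: the LAN behind the firewall
SQUID_PROXY="${SQUID_PROXY:-10.1.0.5}"    # constructed: the Squid box, here inside the LAN
SQUID_PORT="${SQUID_PORT:-3128}"          # assumption: the port Squid intercepts on

# Emit the rule set, one iptables command per line, in the order it must be applied.
build_rules() {
    # Return packets of connections the firewall already accepted, in either direction.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # LAN -> Squid: the client connections the nat rule below redirects.
    echo "iptables -A FORWARD -p tcp -s $INSIDE_NET -d $SQUID_PROXY --dport $SQUID_PORT -m state --state NEW -j ACCEPT"
    # Squid -> Internet: Squid's own outbound fetches on the second pass through the firewall.
    echo "iptables -A FORWARD -p tcp -s $SQUID_PROXY ! -d $INSIDE_NET --dport 80 -m state --state NEW -j ACCEPT"
    # Any other LAN-to-external port 80 traffic never went through Squid: refuse it
    # visibly, so a client that bypasses the redirect fails instead of leaking out.
    echo "iptables -A FORWARD -p tcp -s $INSIDE_NET ! -d $INSIDE_NET --dport 80 -j REJECT --reject-with tcp-reset"
    # Squid is on INSIDE_NET, so its own port-80 traffic would match the DNAT rule and
    # be redirected back to itself. ACCEPT in the nat table means "do not translate",
    # so this exclusion must come before the DNAT rule.
    echo "iptables -t nat -A PREROUTING -p tcp -s $SQUID_PROXY --dport 80 -j ACCEPT"
    # Redirect every other LAN client's outbound HTTP to Squid.
    echo "iptables -t nat -A PREROUTING -p tcp -s $INSIDE_NET ! -d $INSIDE_NET --dport 80 -j DNAT --to-destination $SQUID_PROXY:$SQUID_PORT"
}

# Sanity check: the Squid exclusion must precede the DNAT rule and name the same
# host the DNAT rule targets. Returns 0 when the generated order is correct.
check_rules() {
    rules=$(build_rules)
    excl=$(printf '%s\n' "$rules" | grep -n -- "-s $SQUID_PROXY --dport 80 -j ACCEPT" | cut -d: -f1)
    dnat=$(printf '%s\n' "$rules" | grep -n -- "-j DNAT --to-destination $SQUID_PROXY:" | cut -d: -f1)
    [ -n "$excl" ] && [ -n "$dnat" ] && [ "$excl" -lt "$dnat" ]
}

# Number of rules produced, for a quick eyeball and for testing.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# Default run just prints the rules; APPLY=1 pipes them into sh on the firewall.
if [ "${APPLY:-0}" = "1" ]; then
    check_rules || { echo "rule order check failed" >&2; exit 1; }
    build_rules | sh
else
    build_rules
fi
```

Run it once without APPLY to review the generated set, then with APPLY=1 as root on the firewall. The REJECT rule is the defensive addition: with only the ACCEPT rules from the mail, a host that is not caught by the redirect would still reach port 80 directly if the FORWARD policy is permissive.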


-----Original Message-----
From: John Cole [mailto:jcole@xxxxxxxxxx]
Sent: Tuesday, March 22, 2005 4:03 PM
To: squid-users@xxxxxxxxxxxxxxx
Subject: [squid-users] Transparent Proxy without being inline?

Howdy all!

I've been looking but haven't found the answer yet.

Is it possible to run SQUID in transparent mode but not be inline? For
example, I have a box between the LAN and the FW but it is in a hub and the
NIC is in promiscuous mode. Can SQUID do caching and/or blocking and/or
reporting in this setup?


Thanks,
John Cole, TICSA
Security Engineer
FiLink
770-420-1546 x102
1-866-534-5465
jcole@xxxxxxxxxx

This email and any files transmitted with it are solely intended for the use of the
addressee(s) and may contain information that is confidential and privileged. If you receive this email in error, please advise us by return email immediately. Please also disregard the contents of the email, delete it and destroy any copies immediately.







--

+------------------------------------------
| José J. Cintrón - <jcintron@xxxxxxxxx>
+------------------------------------------
