John Cole wrote:
Howdy!
I'm not as interested in blocking as I am in reporting. If I can do blocking as well, that's great.
Here's the layout of what I'm trying to do:
LAN --> Hub --> FW --> Internet
         |
        \-/
   box with Squid
I've seen other products out there that do transparent interceptions like this. I believe they put the NICs into promiscuous mode in order to see all of the traffic needed. (IIRC) They might have sent a TCP RST to the destination and then put a custom page back to the user when they accessed a prohibited page.
Can Squid do this?
Thanks, John
-----Original Message-----
From: Meidinger Chris [mailto:chris.meidinger@xxxxxxxxxx]
Sent: Tuesday, March 22, 2005 10:30 AM
To: John Cole; squid-users@xxxxxxxxxxxxxxx
Subject: RE: [squid-users] Transparent Proxy without being inline?
Hi John,
how would squid block things if they are not being routed over the proxy?
Your sig says you are a security guy, so let's translate this into security terms:
If you have two subnets, 10.1.0.0/24 and 10.2.0.0/24 and you want to avoid having anyone make an ssh connection from 10.1.0.10 to 10.2.0.10 you would probably use a firewall. If you connect the gateways from both subnets to a hub, and then put a firewall on that hub as well, can you think of any way to make the firewall stop that ssh connection?
The only thing conceivable would be to either teach squid to RST the connections to the browser if something needs to be blocked, or to arpspoof the firewall's mac to trick packets into traversing the squid box first.
Now, returning to reality, you could have the packets traverse the firewall twice, like so:
host --> switch --> hub --> firewall --> squid --> firewall --> internet
you would need :
# iptables -A FORWARD -p TCP --dport 80 -s $SQUID_PROXY ! -d $INSIDE_NET -j ACCEPT
# iptables -A FORWARD -p TCP --dport 80 -s $INSIDE_NET -d $SQUID_PROXY -j ACCEPT
# iptables -t nat -A PREROUTING -s $INSIDE_NET ! -d $INSIDE_NET -p TCP --dport 80 -j DNAT --to-destination $SQUID_PROXY
tack -m state --state NEW,ESTABLISHED,RELATED onto the first two, and you're set. (If squid is on the $INSIDE_NET, you will obviously have to allow for that as well.)
Greetings, Chris
PS: this is obviously not a use for squid in transparent mode!! You only bridge squid when you want it to invisibly sit between the lan and the outside!!
-----Original Message-----
From: John Cole [mailto:jcole@xxxxxxxxxx]
Sent: Tuesday, March 22, 2005 4:03 PM
To: squid-users@xxxxxxxxxxxxxxx
Subject: [squid-users] Transparent Proxy without being inline?
Howdy all!
I've been looking but haven't found the answer yet.
Is it possible to run SQUID in transparent mode but not be inline? For example, I have a box between the LAN and the FW but it is in a hub and the NIC is in promiscuous mode. Can SQUID do caching and/or blocking and/or reporting in this setup?
Thanks,
John Cole, TICSA
Security Engineer
FiLink
770-420-1546 x102
1-866-534-5465
jcole@xxxxxxxxxx
This email and any files transmitted with it are solely intended for the use of the addressee(s) and may contain information that is confidential and privileged. If you receive this email in error, please advise us by return email immediately. Please also disregard the contents of the email, delete it and destroy any copies immediately.
--
+------------------------------------------
| José J. Cintrón - <jcintron@xxxxxxxxx>
+------------------------------------------
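The out-of-band approach John describes above (a box on the hub watching traffic in promiscuous mode, reporting what it sees, and sending TCP RSTs to kill connections it wants stopped), worked through as an added example in Python. This is not code from the thread, from Squid, or from any of the products John mentions. It builds a sample client request inline, decodes the IPv4/TCP/HTTP headers, produces a report record, and for a host in a hypothetical PROHIBITED_HOSTS set forges the two spoofed RSTs a sniffing box would inject. The capture and injection themselves (a raw socket on the sniffing interface) are left out; the addresses, hostnames and policy table are assumptions.

```python
"""Out-of-band HTTP monitor for a box sniffing a hub: parse one IPv4/TCP segment,
report the request, and forge the RSTs that would tear down a prohibited
connection. All packets are constructed inline (added example, not Squid code)."""
import socket
import struct

# Hypothetical policy table: hosts whose requests are reported and reset.
PROHIBITED_HOSTS = {"www.example.com"}
TCP_RST, TCP_PSH, TCP_ACK = 0x04, 0x08, 0x10

def inet_checksum(data):
    """One's-complement checksum (IPv4 and TCP); recomputes to 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """IPv4 + TCP (no options) with correct IP and TCP pseudo-header checksums."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, socket.IPPROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp + payload

def parse_packet(pkt):
    """Decode the IPv4/TCP fields the monitor needs; None if the packet is not TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != socket.IPPROTO_TCP:
        return None
    tcp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "payload": tcp[(off_flags >> 12) * 4:]}

def tcp_checksum_ok(pkt):
    """True if the TCP checksum verifies over pseudo-header + segment."""
    tcp = pkt[(pkt[0] & 0x0F) * 4:struct.unpack("!H", pkt[2:4])[0]]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return inet_checksum(pseudo + tcp) == 0

def parse_http_request(payload):
    """(method, path, host) from the request line and Host header, else None."""
    try:
        lines = payload.split(b"\r\n\r\n", 1)[0].decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    return parts[0], parts[1], host

def forge_resets(seg):
    """Two spoofed RSTs for a sniffed client->server segment: one to the server as
    the client, one to the client as the server. A receiver only honours a RST
    whose seq is inside its window, so both are derived from the observed numbers."""
    client_next = (seg["seq"] + len(seg["payload"])) & 0xFFFFFFFF
    to_server = build_packet(seg["src"], seg["dst"], seg["sport"], seg["dport"],
                             client_next, 0, TCP_RST)
    to_client = build_packet(seg["dst"], seg["src"], seg["dport"], seg["sport"],
                             seg["ack"], client_next, TCP_RST | TCP_ACK)
    return to_server, to_client

def inspect(pkt):
    """Report any HTTP request in the packet; for a prohibited host also return the
    RSTs to inject (actually sending them needs a raw socket, omitted here)."""
    seg = parse_packet(pkt)
    if seg is None or seg["dport"] != 80:
        return None
    req = parse_http_request(seg["payload"])
    if req is None:
        return None
    method, path, host = req
    blocked = host in PROHIBITED_HOSTS
    return {"client": seg["src"], "server": seg["dst"], "method": method, "host": host,
            "path": path, "blocked": blocked, "resets": forge_resets(seg) if blocked else ()}

# Constructed sample traffic: a LAN client (assumed 10.1.0.10) fetching a page.
SAMPLE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_PACKET = build_packet("10.1.0.10", "192.0.2.80", 40000, 80, 1000, 5000,
                             TCP_PSH | TCP_ACK, SAMPLE_REQUEST)

if __name__ == "__main__":
    print(inspect(SAMPLE_PACKET))
```

Two caveats follow from Chris's point that nothing here is in the packet path. The box can only report and reset what it actually sees, so on a switch rather than a hub it needs a mirror port, and the injected RST races the server's genuine reply, so the first bytes of a prohibited page may still reach the browser before the connection dies. Serving a custom block page, as the products John mentions do, would additionally require injecting a spoofed HTTP response ahead of the RST, which this example does not attempt.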