On Sun, Oct 12, 2008 at 12:31:45PM +0300, Ali Hardogan wrote:
> Hello,
>
> What is the best way to have full control over HTTP traffic that goes
> through a Squid-enabled firewall?

Don't allow outside connections from clients, and don't use transparent mode.
Force users to configure the proxy in the browser.

> On the firewall, we intercept TCP traffic destined to ports 80, 3128,
> and 8080 and redirect them to the local Squid port, and they get
> filtered.
>
> But HTTP traffic is not limited to those ports. Especially if the PCs
> behind the firewall are using HTTP-based proxies, depending on the
> ports used by the proxies on the Internet they may escape the Squid
> filtering (e.g., say they are using port 45001).

What is your goal with "full HTTP control"? If your clients are allowed to
connect to any port anywhere they want, I guess it's not security (though
your wanting to stop proxies would suggest it). Also they can simply use SSL
or such to escape any filtering.

> How can we make sure "any HTTP traffic -- irrespective of the TCP
> destination port number" that goes through the firewall gets filtered
> by the Squid?

Depending on your OS/firewall, you may have the ability to search packets for
HTTP traffic. But it is intensive, not foolproof, and an unnecessary kludge.
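The policy the reply recommends (no interception, clients reach only the explicitly configured proxy, nothing else is forwarded out on any port), as an added iptables example that is not from the thread. It assumes a Linux firewall with Squid listening on the firewall's own LAN address; the subnet 192.0.2.0/24, address 192.0.2.1, port 3128 and interfaces eth1/eth0 are placeholders to adjust.

```sh
#!/bin/sh
# Added example, not from the thread: replace the port-80/3128/8080 REDIRECT rules with a
# policy where LAN clients may reach only the Squid listener on the firewall, and no client
# traffic is forwarded to the Internet directly, whatever port a remote proxy listens on.
# Assumed values: LAN client subnet, firewall LAN address where Squid listens, Squid port,
# LAN-facing and WAN-facing interfaces.
LAN=${LAN:-192.0.2.0/24}
PROXY_IP=${PROXY_IP:-192.0.2.1}
PROXY_PORT=${PROXY_PORT:-3128}
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}

# With DRY_RUN=1 the rules are printed instead of applied, so the ruleset can be reviewed
# on a machine without root or iptables.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_egress_policy() {
  # Replies to connections the firewall (i.e. Squid) opened itself, plus loopback.
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -i lo -j ACCEPT
  # The one service clients may reach: the proxy configured in their browsers.
  ipt -A INPUT -i "$LAN_IF" -s "$LAN" -d "$PROXY_IP" -p tcp --dport "$PROXY_PORT" -j ACCEPT
  # Optional: the firewall's own resolver. Squid resolves names for proxied requests, so
  # this can be dropped if nothing else on the LAN needs DNS.
  ipt -A INPUT -i "$LAN_IF" -s "$LAN" -d "$PROXY_IP" -p udp --dport 53 -j ACCEPT
  # Any management access to the firewall (e.g. SSH from an admin host) goes before this line.
  ipt -A INPUT -i "$LAN_IF" -j DROP
  # Nothing from the LAN is forwarded out directly on any port: log (rate-limited), then
  # drop, so hosts trying to bypass the proxy show up in the firewall log.
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "PROXY-BYPASS "
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP
  # Squid's own outbound connections (OUTPUT chain) stay at the default ACCEPT policy.
}

# Apply only when explicitly asked, so sourcing the file for review changes nothing.
if [ "${1:-}" = apply ]; then
  apply_egress_policy
fi
```

Run with `DRY_RUN=1 sh egress.sh apply` to print the ruleset for review, and as root without `DRY_RUN` to apply it.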