I have a network with the computers (for the purposes of this exercise).
Anubis: firewall/gateway
Athena: dual-seat workstation
Selene: four-seat workstation, server, squid box
I want to set up transparent proxying. I don't trust my control over
Athena. It can be compromised.
The setup I want:
Anubis sends all requests for port 80 to selene port 3128
Selene does the proxy thing, and sends the packet out via Anubis to the www.
So the problem with the above is that I want Anubis to only accept those
packets which originate with the proxy user on Selene, not any of the
other users on Selene.
I absolutely do not want a user on Athena to be able to get out on the
web without going through the proxy, and I am assuming that Athena is
compromised.
I can think of a couple of other ways of doing this, but all leave open
the possibility of a user on Selene getting out on the web without going
through the proxy.
The only way I can think of doing this is to set up Selene as the
gateway, have Anubis refuse all connections to port 80 except those
originating on Selene, and then firewall the output chain on Selene to
only allow the proxy user via the uid option of the owner module.
Is anyone doing this - multiple users on the squid box?
--Yan
--
Yan Seiner
Support my bid for the 4J School Board.
Visit http://www.seiner.com/schoolboard
