> I have a network with the following computers (for the purposes of this exercise).
>
> Anubis: firewall/gateway
> Athena: dual-seat workstation
> Selene: four-seat workstation, server, squid box
>
> I want to set up transparent proxying. I don't trust my control over
> Athena. It can be compromised.
>
> The setup I want:
>
> Anubis sends all requests for port 80 to Selene port 3128.
> Selene does the proxy thing, and sends the packet out via Anubis to the
> www.
>
> So the problem with the above is that I want Anubis to only accept those
> packets which originate with the proxy user on Selene, not any of the
> other users on Selene.
>
> I absolutely do not want a user on Athena to be able to get out on the
> web without going through the proxy, and I am assuming that Athena is
> compromised.
>
> I can think of a couple of other ways of doing this, but all leave open
> the possibility of a user on Selene getting out on the web without going
> through the proxy.
>
> The only way I can think of doing this is to set up Selene as the
> gateway, have Anubis refuse all connections to port 80 except those
> originating on Selene, and then firewall the OUTPUT chain on Selene to
> only allow the proxy user via the uid option of the owner module.
>
> Is anyone doing this - multiple users on the squid box?
>
> --Yan

Do that port-80 block for all IPs except the proxy.

Use authentication on the proxy.

http://wiki.squid-cache.org/ConfigExamples is a good place to start looking at how to do auth.

Amos
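As an added example (not code posted by either participant), the script below generates the iptables rules for the layout Yan describes (Anubis forwards port 80 only from Selene; Selene intercepts the LAN's port 80 into squid and lets only the squid uid open outbound port-80 connections) and emits a squid.conf fragment for the authentication Amos suggests. The LAN interface `eth1`, Selene's address `192.0.2.20`, the squid uid `13`, and the `ncsa_auth` helper path are assumptions for illustration; set `IPT=echo` to preview the rules instead of loading them.

```shell
#!/bin/sh
# Added example for the Anubis/Athena/Selene thread; not from the original post.
# All addresses, interface names, uids and paths are assumed values: adjust
# them to the real network. Run with IPT=echo to print rules without applying.

# Anubis (gateway): forward port 80 only when the source is Selene. A
# compromised Athena that points its default route at Anubis directly, or
# adds a host route, is still blocked here because it is not Selene.
anubis_rules() {
    IPT=${IPT:-iptables}
    lan_if=${LAN_IF:-eth1}               # assumed: Anubis' LAN-facing interface
    selene_ip=${SELENE_IP:-192.0.2.20}   # assumed: Selene's LAN address
    $IPT -A FORWARD -i "$lan_if" -s "$selene_ip" -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$lan_if" -p tcp --dport 80 -j DROP
}

# Selene (squid box, Athena's gateway): redirect port 80 arriving from the
# LAN into squid on 3128, then allow outbound port 80 only for the squid uid.
# The owner match only sees locally generated packets, which is exactly the
# set to police: traffic from Athena becomes local once it is REDIRECTed to
# squid, and squid's own upstream connections carry the proxy uid.
selene_rules() {
    IPT=${IPT:-iptables}
    lan_if=${LAN_IF:-eth1}               # assumed: Selene's LAN-facing interface
    proxy_uid=${PROXY_UID:-13}           # assumed: uid squid runs as (13 = "proxy" on Debian)
    $IPT -t nat -A PREROUTING -i "$lan_if" -p tcp --dport 80 -j REDIRECT --to-ports 3128
    $IPT -A OUTPUT -p tcp --dport 80 -m owner --uid-owner "$proxy_uid" -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
}

# Squid side of Amos's suggestion: require a login for every request.
# Caveat: Squid cannot authenticate intercepted (transparent) connections,
# since browsers only send Proxy-Authorization to a proxy they were told
# about. So this fragment goes with clients explicitly configured to use
# Selene:3128; with the REDIRECT above, the port-80 block is the enforcement
# and the listening port needs "transparent" (Squid 2.x) or "intercept" (3.1+)
# instead of auth. The helper path is an assumption; it varies by distro/version.
squid_auth_conf() {
    cat <<'EOF'
http_port 3128
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Selene proxy
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
http_access deny all
EOF
}

# Usage: sh proxy-rules.sh anubis | selene | squid   (as root on the right box)
case "${1:-}" in
    anubis) anubis_rules ;;
    selene) selene_rules ;;
    squid)  squid_auth_conf ;;
esac
```

Preview with `IPT=echo sh proxy-rules.sh selene` before loading anything. One gap worth knowing about: the Anubis rule keys on Selene's IP address, and a compromised Athena could spoof it; tightening that rule with `-m mac --mac-source` for Selene's NIC, or putting Selene on its own interface of Anubis, closes that hole at the cost of a little more configuration.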