On May 5, 2010, at 9:21 AM, Boniforti Flavio wrote:

> Now some clever users have discovered that they can use foreign external
> proxies to avoid filtering.
>
> What I was thinking to do, is to enable on my firewall LAN-->WAN *only*
> my proxy's IP address, but the question is: how would I have to proceed,
> as the client PCs still could be set their proxy settings?!

I'm currently working on a replaceThePIXwithLinux project. What I'm hoping to do is:

This will be the *only* way out of the LAN. This is to be enforced with pieces of wire. If they can get into the WiFi next door, I don't have a solution for that yet.

This box will transparently proxy HTTP by intercepting port 80 (and 443??) and forwarding it to 3128. Squid will be running on the gateway / filter / firewall.

Aside from a few ports (SMTP, POP3, IMAP, DNS, etc. on the DMZ), the LAN won't be able to go anywhere. Except for me, of course; I can go anywhere...

Don't know if this is going to work, but if it does, rules similar to these may solve your problem. With no proxy whinage.

-- 
Glenn English
ghe@xxxxxxxxxxx
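
An added example, not part of the message above and not the rules its author refers to: a shell function that emits an `iptables-restore` ruleset for the layout described (port 80 intercepted to Squid on 3128, LAN forwarding limited to mail and DNS in the DMZ, everything else dropped). The interface name, the DMZ subnet and Squid running in interception mode are assumptions; port 443 is left out of the redirect because a plain REDIRECT to Squid's HTTP port does not handle TLS.

```sh
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a gateway running Squid.
# Assumptions: the LAN interface and DMZ subnet are placeholders passed as
# arguments; Squid listens on 3128 in interception mode ("intercept", or
# "transparent" in older releases).
gen_rules() {
    lan_if=$1    # interface facing the LAN, e.g. eth1 (assumed name)
    dmz_net=$2   # DMZ subnet with the mail and DNS servers (assumed value)
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
# Port-80 traffic from the LAN goes to the local Squid whatever destination
# the client chose, so an external proxy on port 80 is still filtered.
-A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports 3128
# 443 is deliberately not redirected: the plain HTTP port cannot take TLS.
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Redirected packets arrive on INPUT with destination port 3128.
-A INPUT -i $lan_if -p tcp --dport 3128 -j ACCEPT
# Add management access (for example SSH from an admin host) here.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only forwarded LAN traffic: SMTP, POP3, IMAP and DNS to the DMZ.
-A FORWARD -i $lan_if -d $dmz_net -p tcp -m multiport --dports 25,110,143,53 -j ACCEPT
-A FORWARD -i $lan_if -d $dmz_net -p udp --dport 53 -j ACCEPT
# Anything else from the LAN, including outside proxies on other ports,
# falls through to the FORWARD DROP policy.
COMMIT
EOF
}

# Print the ruleset when called with both arguments, e.g.
#   sh gen_rules.sh eth1 192.0.2.0/28 | iptables-restore --test
if [ "$#" -ge 2 ]; then
    gen_rules "$1" "$2"
fi
```

Piping the output through `iptables-restore --test` parses the ruleset without committing it, which is worth doing before loading a policy whose INPUT default is DROP.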