[K12OSN] OT: Squid/Dansguardian but who did it?

Mike Ely mely at rogueriver.k12.or.us
Thu May 11 17:15:45 UTC 2006

pogson wrote:
> Barry R Cisna <cisna-barry at wc235.k12.il.us 
> <mailto:cisna-barry at wc235.k12.il.us>> wrote:
> /Of course if the student knows how to take out the proxy number in/
> /Internet Explorer, they are home free anyway:(./
> You can prevent that by transparent proxy.
> You can also force use of the proxy by having the firewall on the LTSP 
> server and blocking port 80 access unless it comes from squid. You can 
> set up squid ACL to prevent access to port 3128 by anyone but the 
> dansguardian user. The only port left is 8080 to get into dansguardian.

That's the way to go IMHO, and not just for the LTSP lab.  Around here, 
we've actually gone to the point of blocking all outbound ports 
districtwide and whitelisting only those ports that are needed for a 
particular purpose - 443 and the occasional odd port that some website 
has been set up on that someone in the district uses.  This eliminates 
access to various IM applications and other problematic matters, such as 
outbound propigation of email viruses, as only the mailserver is allowed 
to use port 25.  Port 80 and 8080 get redirected through the proxy, 
which eliminates the need to have each client set up to use the 
(transparent) proxy, and also makes it pretty much impossible to avoid it.

Again, auth is a piece I've looked at, but given that students don't yet 
have their own network accounts, it'd be pointless.


More information about the K12OSN mailing list