[K12OSN] OT: Squid/Dansguardian but who did it?
Mike Ely
mely at rogueriver.k12.or.us
Thu May 11 17:15:45 UTC 2006
pogson wrote:
>
> Barry R Cisna <cisna-barry at wc235.k12.il.us> wrote:
>
> Of course if the student knows how to take out the proxy number in
> Internet Explorer, they are home free anyway:(.
>
> You can prevent that by transparent proxy.
>
> You can also force use of the proxy by having the firewall on the LTSP
> server and blocking port 80 access unless it comes from squid. You can
> set up squid ACL to prevent access to port 3128 by anyone but the
> dansguardian user. The only port left is 8080 to get into dansguardian.
>
That's the way to go IMHO, and not just for the LTSP lab. Around here,
we've actually gone to the point of blocking all outbound ports
districtwide and whitelisting only those ports that are needed for a
particular purpose - 443 and the occasional odd port that some website
has been set up on that someone in the district uses. This eliminates
access to various IM applications and other problematic matters, such as
outbound propagation of email viruses, as only the mailserver is allowed
to use port 25. Port 80 and 8080 get redirected through the proxy,
which eliminates the need to have each client set up to use the
(transparent) proxy, and also makes it pretty much impossible to avoid it.
Again, auth is a piece I've looked at, but given that students don't yet
have their own network accounts, it'd be pointless.
Mike
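
The gateway policy described in this message (outbound traffic denied by default, a short port whitelist, SMTP only from the mail server, ports 80 and 8080 redirected to the filter), sketched as an added example that is not part of the original post: a shell script that prints an `iptables-restore` ruleset. The interface name `eth1`, the address `192.0.2.25`, and the filter listening on port 8080 on the gateway itself are assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for a default-deny gateway.
# Interface name, addresses and the whitelist are assumptions, not from the post.
LAN_IF="${LAN_IF:-eth1}"                 # assumed client-facing interface
MAIL_SERVER="${MAIL_SERVER:-192.0.2.25}" # assumed mail server (documentation range)
FILTER_PORT="${FILTER_PORT:-8080}"       # filter port named in the quoted post
ALLOWED_PORTS="${ALLOWED_PORTS:-443}"    # space-separated outbound whitelist

# Refuse whitelist entries that would reopen a path around the proxy or mail server.
check_whitelist() {
    for port in $ALLOWED_PORTS; do
        case "$port" in
            ''|*[!0-9]*) echo "not a port number: $port" >&2; return 1 ;;
            25|80|8080)  echo "port $port must stay restricted" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "out of range: $port" >&2; return 1; }
    done
}

emit_egress_rules() {
    check_whitelist || return 1
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    # Client web traffic is intercepted regardless of the browser's proxy setting.
    for port in 80 8080; do
        echo "-A PREROUTING -i $LAN_IF -p tcp --dport $port -j REDIRECT --to-ports $FILTER_PORT"
    done
    echo "COMMIT"
    echo "*filter"
    echo ":FORWARD DROP [0:0]"   # forwarded traffic not matched below is dropped
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Only the mail server may open outbound SMTP connections.
    echo "-A FORWARD -i $LAN_IF -s $MAIL_SERVER -p tcp --dport 25 -j ACCEPT"
    for port in $ALLOWED_PORTS; do
        echo "-A FORWARD -i $LAN_IF -p tcp --dport $port -j ACCEPT"
    done
    echo "COMMIT"
}

# Print the ruleset for review.
emit_egress_rules
```

The output contains no INPUT or OUTPUT rules, so merge it with the gateway's existing host rules before loading it with `iptables-restore`.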