Security :: Transparent Firewall With Squid / Dansguardian?
Feb 23, 2010
I am looking to redesign my network which I'll get into bellow but basically i am looking to setup an transparent/bridged firewall with squid and dansguardian. However, I want to require LDAP authentication to access internet. You'll understand why from diagram below.
My question is, since bridged firewalls operate at layer 2 and have no/require no IP address, can you access higher layered apps with them? Example would be to have the proxy authenticate to LDAP system to check for valid user and valid net permissions, server has to somehow send a reply back, so without an IP, this can't happen right.
Below are two designs I am looking into implementing. Everything Internally will be Authenticated against LDAP with a small possibility of some public servers using LDAP too, but in my way of thinking anything using LDAP would should be behind the router on private link. FYI, the PROXY and the Linux Router would be two physically separate systems. So I guess my second question would be, can systems outside private network access limited internal services securely and be restricted at the same time?
Code:
Option 1:
(TRANSPARENT)
------------ -------------
| CBL MODM | ---------> | PROXY/FW |
------------ -------------
[code]....
View 4 Replies
ADVERTISEMENT
Jun 11, 2009
can anyone give me the solution how to configure dansguardian on squid transparent proxy.i m using
linux - slackware
squid - squid-2.6-stable18
dansguardian - 2.10.1.1
squid transparent proxy is working properly.
View 2 Replies
View Related
Jan 14, 2011
is this possible on 2 Linux boxes will act as a INTERNET Firewall + Filtering: 1st PC = CENTOS 5.5 functions as a firewall using iptables with two NICS 1=ETH0 connected to internet with a public ip and 1=ETH1 with ip address of 10.0.0.1 connected to the 2nd PC Centos 5.5 with squid/dansguardian with ip address of 10.0.0.2
2nd PC = Centos 5.5 functions as a squid + dansguardian internet filtering with 2 NICS 1=ETH0 with ip address of 10.0.0.2 connected to the ETH1 of the 1st PC with ip address of 10.0.0.1 and 2nd ETH1=connected to LAN (172.16.1.0/24)
does this make sense? this might be confusing but I just want to try this, to protect incoming ssh from our previous Sys admins who intended to enter the LAN 172.16.1.0/24 network. And also to confuse them that they have to pass through 10.0.0.1 - 2.
View 3 Replies
View Related
Jul 19, 2009
I have configured squid with AD. It is working fine. Now I want to use dansguardian with squid for web filtering on group bases, what should I do. What configuration i have to do in squid for dansguardian and all my users in AD also authenticate with dansguardian and also how I use dansguardian.
View 1 Replies
View Related
Apr 14, 2010
I'm involved in a project to students set up a network security training lab using vmware. I want to simulate (in a very rough way) scanning through a poorly configured router or firewall. The easiest way I can think of to simulate this is to use a linux vmware image with two virtual nic cards to act as a firewall with the attacker on the outside network and a domain controller, web server, and database server on the inside network.
I would like to start students off with a firewall script that exposes everything on their internal network to the attacker. Is there an easy way to (mis)configure iptables to do this?. The model I'm trying to replicate is something like this. Attackers were on a 10.10.x.x network, defenders were on a 192.168.x.x network. As an attacker I could nmap 192.168.x.x and see every machine and every service on the defenders side even if they moved a service to an unexpected location. how I can implement a similar configuration using a linux image as firewalls/routers in vmware?
View 1 Replies
View Related
Mar 1, 2010
I have installed dansguardian and squid on my home computer and I need to configure them. the only problem I couldn't find any manual only one for opensuse 9. And even there the part after "acl CONNECT method CONNECT" doesn't make any sense to me.
View 1 Replies
View Related
Dec 5, 2010
I have installed squid and dansguardian on my server, I also setup my iptables to forward port 80 communication to port 3128 (squid). I also have remove the comment on /etc/dansguardian/dansguardianf1.conf (line "bannedextensionlist") hoping that my server would block download. But it isn't, it still download file no matter I add in /etc/dansguardian/lists/bannedextensionlist. Oh yeah, I also add this line to my /etc/squid/squid.conf
Code:
cache_peer 172.16.1.212 parent 8080 0 no-query default
so that squid will consider dansguardian as it's parent.
View 2 Replies
View Related
Jan 15, 2011
I've been pulling my hair out and can't figure out what's wrong. I have dhcp, squid, and dansguardian all running on my server, but when I point a client to it for a proxy (192.168.1.15:8080) and try to get to a website, nothing happens and the connection times out. When I don't bother with the proxy, the client has no trouble getting to the internet. I've verified I can ping the server and gateway from both machines. And the services are running, no errors noted in the logs. Do I need to do any iptables or selinux changes?
My network is very basic, several clients on the same network as the server, connected to a verizon gateway. Local addresses are 192.168.1.x. The server is 192.168.1.15, gateway is 192.168.1.1.
I'm using:
* squid-7:3.1.8-1.fc12 (x86_64)
* dansguardian-2.10.1.1-3.fc12.x86_64
* Fedora 12
My squid config file:
Quote:
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
[code]....
View 18 Replies
View Related
Mar 18, 2011
I have around 9 squid proxy servers and going to deploy Dansguardian on all of them. But I feel managing individual copy/server would be an tedious job hence please let me know if any one aware of centralized management solution for Squid+Dansguardian? Or if not let me know if you are aware of any such other Open Source product.
View 1 Replies
View Related
Mar 4, 2010
I have squid running perfectly and I added MySQL Squid Access Report 2.1.4 and the reports works just fine. The problem its when I add a dansguardian content filter, from that moment the only IP address that appears on the report its the box itself (I have all running on the same box).
IPtables forward requests to port 8080 Dansguardian listening on port 8080 forwards to squid on port 3128 Squid on port 3128 to internet (Here I review the logs with MySar).
I know it is because the actual http request for Squid came from Dansguardian's IP address (its the job of the proxy). how to have the real IP address on the reports.
View 1 Replies
View Related
Jan 21, 2011
I am trying to learn DansGuardian for content filtering, but for some reasons it is NOT working for me. equest is directly getting routed to SQUID, it should come first to DansGuardian and then to SQUID.I have created the below scenario on CENTOS 5.5 boxes.
Code:
192.168.0.10box1.test.comYUM/HTTP SERVER
192.168.0.20box2.test.comYUM/HTTP CLIENT, SQUID SERVER
[code]....
View 4 Replies
View Related
Mar 22, 2011
I have a proxy server (squid-3) that I would like to setup Dansguardian to do additional web filtering.
The system:
Ubuntu 10.10 - all updates as of today
Dansguardian - 2.10.1.1-2ubuntu0.1 (latest update)
Squid3 - latest update (not squid 2.7)
Webmin - 1.530 (all updates)
Webmin dansguardian module - 0.7.1
Ok - I have all of the above installed. When I go to the DG module page in Webmin, I get the following:
Warning - the version of DansGuardian you have is not supported by this Webmin module version
Webmin Module Version 0.7.1 supports DG version 2.10 (& 2.9)
Currently installed DG version
This obviously makes no sense, since I am running DG version 2.10.1...
PS. I have squid installed, but not configured (still tinkering) - could this be the problem? That squid needs to be running for DG to work?
View 2 Replies
View Related
Jun 1, 2010
I want to block yahoo mail chat in dansguardian. I had google few thing I come to know that I need to do this. Locking DNS lookups to webcs.msg.yahoo and httpcs.msg.yahoo by returning 127.0.0.1. I haven't have dns configured. So what I need to do solve this problem. I had tried by making an entry in etc hosts file. but it didn't worked.
View 3 Replies
View Related
Apr 14, 2010
I have Squid and Dans set up on a passthrough box with 2 nics, port 80 requestsEverything is working great. I need to know if there is a way to set up Dansguardian so that a user can enter a password on a blocked page to access it.
View 3 Replies
View Related
Jul 23, 2011
installed dansguardian and now working fine.I got a small problem. People bypassing proxy settings in firefox, means they go to settings and changes proxy settings to no proxy.. how to prevent this? How can I force people to use proxy to connect Internet? I done some googling but, unable to find a solution.
View 3 Replies
View Related
Oct 5, 2010
I would like to be able to get squid or dansguardian to authenticate a user account against active directory so that a users browsing activities can be logged.
I can find lots a very useful info on how to set up ntlm_auth etc, but all of these methods produce a pop up window when the user launches the browser.
I'm posting this thread because I would like to be able to authenicate, but without a pop up window. Is there a way of automatically carrying out this authentication so that the user is unaware of it.
We've previously attempted authenticating against an NT4 PDC, but the users worked out that they could use any user account on the network, not just the user that was logged in which kinda defeated the whole idea of logging the users activity.
My current setup is:
Windows 2003 AD
Windows XP Clients, soon to be converted to windows 7.
Fedora 11 running squid and dansguardian.
View 2 Replies
View Related
Apr 7, 2009
I am trying to configure squid with Fedora 10 to use it as a transparent proxy webcache.Is there any good tutorial you would recommend to a novice?
View 1 Replies
View Related
Apr 2, 2009
i have configured transparent squid with dansguardian for content filtering i used this squid server ip on client gateway(not on browser) for content filtering, is it possible that i could use this squid server in different VLAN.
View 3 Replies
View Related
May 1, 2009
to configure squid as a non-transparent proxy? I understand https cannot be filtered using squid as a transparent proxy. So i need to find out how to configure squid for https filtering.
View 1 Replies
View Related
Sep 28, 2009
I am trying to set up squid to make switching proxies easier. I have a laptop which I use at work and at home. At work, I need to connect to the internet via a authenticated proxy. At home, I connect directly to via mobile broadband. So I end up switching proxy settings twice daily, which is just irritating! To solve this I want to set up a system whereby I never have to worry about a proxy - my browser sees a direct internet connection which squid (on my computer) intercepts and forwards either to the mobile broadband connection or to the work proxy (along with the required authentication) depending on which is available. I've read various articles on how to do clever things with iptables and squid, but I don't understand enough of the networking jargon or concepts to know when I need to change to make it work in my situation, or if it is even possible.
View 2 Replies
View Related
May 6, 2011
I have set up squid3 and dhcp server on my Ubuntu 10.04 box with IP address of 192.168.0.160. Single network card.Squid runs on port 3148. Everything works fine for the users provided that I set up the proxy details manually on each client pc.I want to set up the Squid to run as a transparent proxy and after reading around I have done the following.In the Squid3 conf file I have entered http_port 3148 transparent.Dropping to Root ( sudo -i )However the transparent proxy does not work and if I enter iptables -L I can see that the rule above has not been retained. The default rules in iptables only show up.
View 5 Replies
View Related
Apr 26, 2011
How to make squid proxy transparent?I have configured a Squid proxy server with some ACLs but we have to check from client side whether those ACLs work or not ,I have to open their firefox and manually enter my machine's i.e. proxy server's ip, only after entering this ip , Those ACLs work properly.But now I want to make it work without manually entering the proxy on clients machine.I guess transparent proxy is the solution, but how to configure it/Please guide me and I am one of the machine in LAN.
View 1 Replies
View Related
Apr 26, 2011
http_port 3128 transparent --> What does this mean? Is this a only thing we do to make Squid Proxy Transparent?
View 2 Replies
View Related
Jun 30, 2010
I am trying to install Squid 2.6 as Transparent proxy server.Can anyone provide the step by step configuration details
View 8 Replies
View Related
Jun 22, 2011
i m using centos 5.6 x86 give us guideline if possible, we have squid transparent proxy, the ip is set 10.0.1.85, this is as gateway we enter in window client pc to browse. now we want to block some website so we try below two method does not work, can you check if anything wrong in this, we enter this all starting of file squid.conf.
View 3 Replies
View Related
Aug 23, 2010
I just finished setup a proxy machine that runs in a separate box from gw.
I have the following iptables rule
on squid box
Code:
Code:
Here's an example
Code:
My question is how can i modify the iptables rules so it will forward the real ip's where the requests are originated from.
View 1 Replies
View Related
Aug 11, 2010
I'm mon webmaster/developer and I'm new in Linux. Our office suddenly needs to setup a proxy server. Ubuntu Squid proxy server immediately came as an option for us. The question is: does transparent squid proxy configuration using Ubuntu will have no problem with computers running on Windows OS?
View 2 Replies
View Related
Oct 16, 2010
I have installed and tried both squid version as transparent proxy but they just don't work.
I have eth0 which is where my internet comes in and eth1 which is my local network 192.168.1.0/255.255.255.0.
My default firewall policy is to drop input output and forward, i have already set my firewall to accept and workout the squid and it is working.
Here is the relevant rules i have on my firewall:
Code:
Here is the sample conf i am using for squid:
Code:
Always_direct allow all When using version 2.7.x i was able to make it transparent when i used the below rules:
Code:
I readed the Docs on the squid page but the above rules can't be reproduced to 3.1 and i don't wish to use such rules to make it transparent or hidden so i want some help to figure out why it inst transparent.
View 2 Replies
View Related
Mar 3, 2010
I have a squid server set up with two ports:
http_port 3128 transparent
http_port 3129
Port 3128 is set up for transparent proxying (ie, if you send a request to the internet, iptables forwards it to 3128) Port 3129 is just a regular port. If you connect to 3129 directly, you get prompted for a password:
Code:
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid/squid.passwd
auth_param basic children 2
auth_param basic realm Squid proxy-caching server
acl password proxy_auth admin
http_access allow password
And this is actually working also. If someone signs then they are able to access unrestricted browsing (with squidguard). However, if they don't, they are transparent-proxied and have restricted browsing. The problem is I keep getting /var/squid/cache.log hits:
Code:
2010/03/03 17:11:04| ACHChecklist::authenticated: authentication not applicable on transparently intercepted requests. Basically evertime there's a transparent request, it throws a warning.
View 2 Replies
View Related
Jun 3, 2009
I am using Fedora 9, I have compile the squid with source code, i also deleted the old RPM of squid. i then edited the squid.conf in /usr/local/squid/etc and set http_port 3128 transparent and allowed in my acl to my local network but the transparent proxy is not working. if i remove transparent proxy then squid works fine. when i try to make it transparent the squid access.log file does not show any request coming to it (no activity). i have also forwarded all the incoming traffic to squid port 3128. Can anybody tell me why my transparent proxy is not functional.
View 3 Replies
View Related
