Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
If possible I want to set a proxy address for all users that can only be changed by root. Right now, I'm using iptables to redirect port 80 traffic to the port that my proxy is running on, but I would like to have my proxy run on my server and for my workstations to use that one proxy.
There is no single system-wide proxy on Linux. You would set it at a low level for low-level apps, like wget using the http_proxy environment variable, but higher up GNOME and KDE hold their own details like this in their own configuration service, gconf for GNOME.
No, unless there are suitable lockdown extensions available, but if they unset their proxy, then surely their access should fail due to a firewall blocking them? Otherwise you're implying there is a lack of security on your network...?
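An added example, not code from the thread: a root-owned, system-wide proxy setting plus gateway iptables rules that make bypassing the proxy fail, i.e. the firewall enforcement the reply above describes. Port 80 is redirected transparently as the OP already does, while 443 is reachable only through the proxy, so a user who unsets http_proxy/https_proxy gets a connection reset rather than a working connection. The LAN interface eth1, client network 192.168.1.0/24 and proxy at 192.168.1.1:3128 are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: gateway with LAN
# interface eth1, clients in 192.168.1.0/24, proxy (e.g. squid) listening on
# the gateway at 192.168.1.1:3128. Override via environment if different.
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PROXY_IP=${PROXY_IP:-192.168.1.1}
PROXY_PORT=${PROXY_PORT:-3128}

# Root-owned, system-wide proxy environment for every login shell. Users can
# still unset these variables in their own shell, which is exactly why the
# firewall rules below exist.
write_proxy_profile() {
    dir=$1            # /etc/profile.d in real use; a parameter so it is testable
    f="$dir/proxy.sh"
    printf 'export http_proxy=http://%s:%s/\nexport https_proxy=http://%s:%s/\n' \
        "$PROXY_IP" "$PROXY_PORT" "$PROXY_IP" "$PROXY_PORT" > "$f"
    printf 'export no_proxy=localhost,127.0.0.1\n' >> "$f"
    chmod 0644 "$f"   # world-readable, writable only by the owner (root)
}

# Run the rule when APPLY=1, otherwise just print it for review.
rule() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

proxy_enforcement_rules() {
    # Port 80 from the LAN is handed to the proxy transparently (what the OP
    # already does), so clients with no proxy configured still go through it.
    rule -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    # Clients may talk to the proxy port itself.
    rule -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    # Nothing from the LAN is forwarded directly to web ports. A REJECT with a
    # TCP reset fails fast, so a user who unsets the proxy sees an error
    # instead of a hanging connection, and the attempt is logged first.
    rule -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 \
        -j LOG --log-prefix 'proxy-bypass: '
    rule -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 \
        -j REJECT --reject-with tcp-reset
}

# Self-check: the generated rule set must contain exactly one REJECT.
count_reject_rules() {
    proxy_enforcement_rules | grep -c 'REJECT'
}
```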
I am running SmoothWall Express on my firewall, which uses dnsmasq & squid. It seamlessly proxies everyone on the LAN.
At present, I use dnsmasq's blocking capabilities, but that is because it is simpler & therefore less powerful. Eventually, I'll learn squid's more powerful syntax & use that.
Its hosts file is, in effect, a master hosts for the entire network. No need to duplicate to every box on the LAN.
Its config file, dnsmasq.conf, allows domain by domain blocking w/ a syntax almost as simple as hosts'. (This can be done w/ bind, but I wouldn't call it simple.) -- No need to discover & block each new host (e.g. "ad666.obnoxious_advertiser.ro"), just kill the whole domain w/ 1 line:
If you're asking if there is an advantage to combining DHCP & DNS in 1 server daemon, I haven't noticed it yet. It's just the way dnsmasq was written -- for the firewall "market".
Still, not only is that an ineffective way to filter web usage, it also has nothing to do with enforcing proxy server usage, which is the thread's topic...
I've been using dnsmasq myself for a long time; one nice benefit is that it integrates DHCP leases and DNS instantly by default, no complex trust keys with dhcpd and bind... but that's only a "block" from the reason you are doing those commands; it's actually just using dnsmasq's standard DNS configuration and plainly lying about an address... not exactly ideal. One thing that may be relevant in this situation is whether you actually do wish to provide global DNS to the internal clients by default. If their web access needs to be via a proxy then they don't need to resolve those names...
Last edited by acid_kewpie; 08-24-2006 at 12:50 AM.