Greetings,

I already have a machine at the gateway of my network performing NAT and FW tasks. I'd like to configure a proxy behind that machine in order to log/report user's web usage, control Internet access and possibly even schedule when the Internet is accessible and when it shouldn't be (i.e. allowing employees to only access the Internet during their lunch hours). From what I've read, it seems like Squid should help me in this quest.

The problem is I haven't found too many documents on putting squid behind a FW. It seems like most focus on it being the actual NAT or gateway.

Here's my questions:

1) Is it possible to run squid behind a FW?

2) Can you run Squid on one network card?

3) If two network cards are required and it can run behind a FW, should the machine be setup just as a basic router (i.e. 192.168.1.0/25 to/from 192.168.1.128/25) before Squid is added?

I appreciate any help you can provide.

Thank you for your time,

Joshua

Scheduling internet access can be done with iptables. In the frontend Fwbuilder you can easily add timeframes to firewall rules.

Logging web usage could be done as well with logging the appropriate firewall rules, but it sounds like an unethical (and illegal) privacy invasion to check how somebody uses the web. Why should you care?

Moloko,

Thank you for the quick response.

I haven't heard of FWBuilder, I appreciate the heads up.

I don't think the logging in iptables is comprehensive enough to gather the type of information I'm looking for, but then again, I haven't done a vast amount of research from that perspective.

"Why should you care?"

Well, in my environment, the Internet is a privilege and not a right. With all of the spyware, viruses, information harvesting software, key loggers, etc. that can be unwillingly installed through malicious web pages, I want to be aware of where my user's are going.

In terms of money and labor, I also want to know how much time someone spends with their browser open. In my environment, the browser open means that the person is surfing and possibly not working which is obviously another problem because we don't have any other purpose for the browser to be open (no web apps, etc.).

I've had all-in-one boxes that have recorded this type of information. IMHO there is nothing wrong with this protocol. The user's are made well aware of it as soon as they step through the door because I don't want them to do it. In a sense, it's a scare tactic, but I want it to have some rational also.

Once again, thank you. I'm going to look into the FWBuilder right now.

Regards,

Joshua

I would recommend using Squid because it is scalable and robust. You shouldn't have any trouble running squid within a NATted environment unless your default policy is to drop all outbound traffic or you are not running a stateful firewall. There is no need for an additional NIC, but if your default policy is to drop all outbound traffic then I would make a rule allowing all outbound traffic from the Squid box. The ideal situation would be to run Squid on the same box the Linux router were on, that way Squid could use the public IP for outgoing connections (without being NATted) and the clients could connect to the internal IP.