#1 | 05-17-2005, 03:58 PM | LQ Newbie (Registered: May 2005, Posts: 2)
Squid behind a NAT/FW
Greetings,
I already have a machine at the gateway of my network performing NAT and FW tasks. I'd like to configure a proxy behind that machine in order to log/report users' web usage, control Internet access and possibly even schedule when the Internet is accessible and when it shouldn't be (i.e. allowing employees to only access the Internet during their lunch hours). From what I've read, it seems like Squid should help me in this quest.
The problem is I haven't found too many documents on putting Squid behind a FW. It seems like most focus on it being the actual NAT or gateway.
Here are my questions:
1) Is it possible to run Squid behind a FW?
2) Can you run Squid on one network card?
3) If two network cards are required and it can run behind a FW, should the machine be set up just as a basic router (i.e. 192.168.1.0/25 to/from 192.168.1.128/25) before Squid is added?
I appreciate any help you can provide.
Thank you for your time,
Joshua
#2 | 05-17-2005, 04:52 PM | Member (Registered: Mar 2004, Location: Netherlands, Distribution: Debian, Posts: 729)
Scheduling internet access can be done with iptables. In the frontend Fwbuilder you can easily add timeframes to firewall rules.
Logging web usage could be done as well with logging the appropriate firewall rules, but it sounds like an unethical (and illegal) privacy invasion to check how somebody uses the web. Why should you care?
#3 | 05-17-2005, 05:43 PM | LQ Newbie, Original Poster (Registered: May 2005, Posts: 2)
Moloko,
Thank you for the quick response.
I haven't heard of FWBuilder, I appreciate the heads up.
I don't think the logging in iptables is comprehensive enough to gather the type of information I'm looking for, but then again, I haven't done a vast amount of research from that perspective.
"Why should you care?"
Well, in my environment, the Internet is a privilege and not a right. With all of the spyware, viruses, information harvesting software, key loggers, etc. that can be unwillingly installed through malicious web pages, I want to be aware of where my users are going.
In terms of money and labor, I also want to know how much time someone spends with their browser open. In my environment, the browser being open means that the person is surfing and possibly not working, which is obviously another problem because we don't have any other purpose for the browser to be open (no web apps, etc.).
I've had all-in-one boxes that have recorded this type of information. IMHO there is nothing wrong with this protocol. The users are made well aware of it as soon as they step through the door because I don't want them to do it. In a sense, it's a scare tactic, but I want it to have some rationale also.
Once again, thank you. I'm going to look into the FWBuilder right now.
Regards,
Joshua
#4 | 05-17-2005, 11:18 PM | Member (Registered: May 2004, Location: Missouri, Distribution: Gentoo, Posts: 59)
I would recommend using Squid because it is scalable and robust. You shouldn't have any trouble running Squid within a NATted environment unless your default policy is to drop all outbound traffic or you are not running a stateful firewall. There is no need for an additional NIC, but if your default policy is to drop all outbound traffic then I would make a rule allowing all outbound traffic from the Squid box. The ideal situation would be to run Squid on the same box the Linux router was on; that way Squid could use the public IP for outgoing connections (without being NATted) and the clients could connect to the internal IP.
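The setup discussed in #2 and #4, as an added worked example that is not part of the thread: the rules the existing NAT/FW gateway needs so that a single-NIC Squid box on the LAN is the only host allowed to open web connections, plus the Squid ACL fragment that enforces the lunch-hour schedule and writes the access log. Interface names (eth0/eth1), the LAN range, the proxy address 192.168.1.10, port 3128 and the 12:00-13:00 window are assumptions for illustration. One point the thread does not spell out: with one NIC, client-to-proxy traffic never crosses the gateway, so the gateway cannot see or schedule it; the schedule has to live in Squid (or in the proxy host's own INPUT chain), and the gateway's job is to block and log direct port 80/443 traffic from everything except the proxy.

```shell
#!/bin/sh
# Added example, not from the thread: gateway firewall rules and a Squid
# ACL fragment for a single-NIC proxy on the LAN. Interface names,
# addresses, port and the lunch window below are assumptions.
set -eu

WAN_IF=${WAN_IF:-eth0}              # assumed external interface of the gateway
LAN_IF=${LAN_IF:-eth1}              # assumed internal interface of the gateway
LAN_NET=${LAN_NET:-192.168.1.0/24}
PROXY=${PROXY:-192.168.1.10}        # assumed address of the Squid box
PROXY_PORT=${PROXY_PORT:-3128}

# With DRY_RUN=1 the iptables commands are printed instead of executed,
# so the rule set can be reviewed on a machine without iptables.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# FORWARD-chain rules for the gateway (default policy DROP is assumed).
gateway_rules() {
    # Stateful baseline: replies to flows that were allowed out may come back.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the Squid box may open web connections to the Internet. It is
    # NATed like any other LAN host, which is fine for an outbound proxy.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PROXY" \
        -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Any other LAN host trying to go direct is a proxy bypass: log it
    # (rate-limited so a scan cannot flood syslog) and drop it.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp -m multiport --dports 80,443 \
        -m limit --limit 6/min -j LOG --log-prefix "PROXY-BYPASS: "
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp -m multiport --dports 80,443 -j DROP
}

# squid.conf fragment for the proxy itself. Client-to-proxy traffic stays
# inside the LAN and never crosses the gateway, so the schedule lives here.
# Squid time ACL day letters: S M T W H F A = Sunday .. Saturday.
squid_acls() {
    cat <<EOF
http_port $PROXY_PORT
acl localnet src $LAN_NET
acl lunch time MTWHF 12:00-13:00
# 'access_log' is the Squid 2.6+ spelling; Squid 2.5 called it cache_access_log.
access_log /var/log/squid/access.log squid
http_access allow localnet lunch
http_access deny all
EOF
}

case "${1:-}" in
    apply) gateway_rules ;;                  # run on the gateway as root
    show)  DRY_RUN=1; gateway_rules ;;       # print the rules for review
    squid) squid_acls ;;                     # append to squid.conf on the proxy
    *)     ;;                                # no argument: define functions only
esac
```

Usage: `sh proxy-rules.sh show` prints the gateway rules, `sh proxy-rules.sh apply` installs them, and `sh proxy-rules.sh squid >> /etc/squid/squid.conf` adds the ACLs on the proxy host. Two caveats worth knowing before relying on this for the reporting described in #3: browsers still have to be configured to use the proxy (or the gateway must intercept port 80, which is a different setup), and HTTPS goes through Squid as a CONNECT tunnel, so the access log records only the destination host and port, not the URL. The `PROXY-BYPASS:` entries in the gateway's syslog are the place to look for hosts that are not using the proxy at all.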