LinuxQuestions.org

Linux - Server forum: How do I set all PCs on the network to use a system-wide proxy via squid (https://www.linuxquestions.org/questions/linux-server-73/ho-do-i-set-all-pcs-on-the-network-to-use-system-wide-proxy-via-squid-4175415095/)

Usalabs 07-05-2012 01:55 PM

How do I set all PCs on the network to use a system-wide proxy via squid.
 
I successfully set up and tested a Linux box running squid and squidguard (using a blacklist) to block porn sites. The question is: if I set up each browser on each PC on the network to use that proxy address, it can be overridden simply by setting a browser back to 'No Proxy', defeating the use of a proxy.

Would I have to set up the proxy server as a DHCP server too and connect the WAN directly to that, then, using a 2nd NIC, connect that to a LAN switch so that all the PCs on the LAN would have to go through the server first? Or is there another way to set all the PCs, using either Linux or Windows, to use the proxy server system-wide?

Ser Olmy 07-05-2012 02:31 PM

You could filter traffic at the router/firewall and only allow the proxy to browse web pages. That way, even if users are able to change the proxy settings in the OS or browser, they can't actually bypass the proxy.

The WPAD protocol can be used to distribute proxy settings across the network. Basically, you create a "wpad" A record in the local DNS zone, pointing to a system with a web server that serves out a small JavaScript/ECMAScript file containing a number of specific function definitions. Users can override this if they can change the proxy settings manually, so you'd still have to block them at the gateway.

If the PCs are running Windows, you can make it slightly harder for users to mess with the proxy settings with a Group Policy that locks the proxy settings in Windows/IE. This only works in Windows domain environments (with Windows servers or Samba 4), and if the web browser has proxy settings separate from the OS (like Firefox), the GPO won't affect users' ability to change the settings.
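The WPAD setup Ser Olmy describes, written out as an added example (editor's code, not from any poster). It assumes dnsmasq is the LAN's DNS/DHCP server, the local DNS domain is "lan", the proxy is at 192.168.0.100:3128, and some HTTP daemon on the proxy host serves /srv/wpad; the dnsmasq drop-in path /etc/dnsmasq.d/wpad.conf is also an assumption. The PAC deliberately has no "; DIRECT" fallback after the proxy: if squid is down, browsing fails closed rather than silently bypassing the filter.

```sh
#!/bin/sh
# Provision WPAD: a PAC file served at http://wpad.<domain>/wpad.dat plus the
# dnsmasq lines that point clients at it (A record for "wpad" and DHCP option 252).
# Added example, not from the thread. Assumed: proxy 192.168.0.100:3128,
# LAN 192.168.0.0/255.255.255.0, DNS domain "lan", web root /srv/wpad.
set -eu

PROXY_IP="${PROXY_IP:-192.168.0.100}"
PROXY_PORT="${PROXY_PORT:-3128}"
LAN_NET="${LAN_NET:-192.168.0.0}"
LAN_MASK="${LAN_MASK:-255.255.255.0}"
DOMAIN="${DOMAIN:-lan}"
WEBROOT="${WEBROOT:-/srv/wpad}"

# The PAC file: browsers that auto-detect proxy settings fetch it and call
# FindProxyForURL for every request.
gen_pac() {
  cat <<EOF
function FindProxyForURL(url, host) {
    // Plain hostnames and anything on the LAN itself go direct (the proxy
    // host included, so the block page it serves stays reachable).
    if (isPlainHostName(host) ||
        dnsDomainIs(host, ".$DOMAIN") ||
        isInNet(dnsResolve(host), "$LAN_NET", "$LAN_MASK")) {
        return "DIRECT";
    }
    // Everything else goes through squid. No fallback to a direct connection:
    // if the proxy is down, browsing fails closed instead of skipping the filter.
    return "PROXY $PROXY_IP:$PROXY_PORT";
}
EOF
}

# dnsmasq side: DNS discovery (wpad.<domain>) and DHCP option 252 (explicit URL).
gen_dnsmasq_conf() {
  cat <<EOF
# wpad.$DOMAIN -> proxy host, for clients that look up wpad.<domain>
address=/wpad.$DOMAIN/$PROXY_IP
# DHCP option 252: PAC URL handed to clients that ask for it (Windows does)
dhcp-option=252,"http://wpad.$DOMAIN/wpad.dat"
EOF
}

install_wpad() {
  mkdir -p "$WEBROOT"
  gen_pac > "$WEBROOT/wpad.dat"
  gen_dnsmasq_conf > /etc/dnsmasq.d/wpad.conf   # assumed dnsmasq drop-in dir
  # wpad.dat must be served with this MIME type or some browsers ignore it.
  echo "serve $WEBROOT with Content-Type application/x-ns-proxy-autoconfig"
}

case "${1:-}" in
  install) install_wpad ;;
  show)    gen_pac; echo; gen_dnsmasq_conf ;;
esac
```

Run it with "show" to review the generated files and "install" (as root) to write them. Windows/IE picks this up with "Automatically detect settings" (on by default); Firefox only if its connection settings are on "Auto-detect proxy settings for this network". As Ser Olmy says, a user who can change those settings can still switch to "No proxy", so the gateway still has to block direct port 80.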

sag47 07-05-2012 02:32 PM

There is WPAD but it doesn't really force users to proxy like you appear to want.

http://wiki.squid-cache.org/SquidFaq...guringBrowsers

jefro 07-05-2012 04:20 PM

The proxy.pac file or wpad is a great way to let your users access the internet. It does fail on some admin tasks. Some apps would have to have manual proxy settings edited like wget and such.

The problem is the topology it seems. There should not be a way for local users to defeat a remote proxy/firewall. That should be the only route to the wan allowed.

Anyone with a live cd or usb should not be able to bypass this.


I know it seems I disagree with sag47 slightly, I did give him a plus.

Usalabs 07-05-2012 04:23 PM

Quote:

Originally Posted by Ser Olmy (Post 4720190)
You could filter traffic at the router/firewall and only allow the proxy to browse web pages. That way, even if users are able to change the proxy settings in the OS or browser, they can't actually bypass the proxy.

I use the Netgear WGR614v9 router; can it be done using that router? If so, how? I've only used port forwarding, and set wifi authentication and the wifi MAC ACL, and not much else.

The route the WAN takes is:

WAN ---> modem ---> router ---> proxy, pc1, pc2, wireless laptop, LAN switch ---> pc3, pc4, pc5, pc6

Ser Olmy 07-05-2012 05:04 PM

Quote:

Originally Posted by Usalabs (Post 4720282)
I use the Netgear WGR614v9 router can it be done using that router?

Take a look at chapter 3, page 3 of the manual, under "Blocking Access to Internet Services".

Usalabs 07-06-2012 02:48 AM

Quote:

Originally Posted by Ser Olmy (Post 4720316)
Take a look at chapter 3, page 3 of the manual, under "Blocking Access to Internet Services".

I don't want to have all computers specifically for web browsing, but if I use port filtering, this is just what will happen; if I use port filtering at the router, every computer on the LAN will not be able to do anything else but browse the web.

The idea of using squid+squidguard is to literally block porn sites but still allow normal web browsing (i.e. yahoo.com, ask.com, google.com, but block sites like tube8, adultfriendfinder, etc.) and still be able to use other internet services such as chat programs.

My proxy server is only set up for HTTP filtering using squidguard and a very large blacklist, which means the URL from a browser is sent on port 3128 to squid, then squid sends the URL to squidguard, and it's then checked against a blacklist; if it's in the blacklist, the URL is redirected to another site, but if not on the list, the URL is allowed. Other requests using different protocols on ports other than 3128 would still be allowed; such protocols would be UDP used by the most common chat programs, such as Skype, MSN Messenger, Yahoo Messenger, IRC, GoogleTalk, etc.

What I would like to happen is, when a PC on the LAN is powered on, it uses my squid proxy server for all HTTP requests by default, system-wide, even if the browser's proxy settings are changed to 'No Proxy', without filtering for other programs most commonly used for chat, as most links clicked on, even in IRC, open an external browser, which would then still get filtered by squid.

I don't know if this is possible for the every day Joe, but my son at MIT said he can use Skype (which he does when he talks to me), and yahoo messenger, but is unable to view porn sites, which he said is great.

Ser Olmy 07-06-2012 05:39 AM

Quote:

Originally Posted by Usalabs (Post 4720586)
I don't want to have all computers specifically for web browsing, if I use port filtering, this is just what will happen, if I use port filtering at the router, every computer on the LAN will not be able to do anything else but browse the web.

If you block HTTP traffic for every IP address on your LAN except the proxy, the exact opposite will happen: The PCs will be able to do anything but browse the web, unless they have the correct proxy settings.

Quote:

Originally Posted by Usalabs (Post 4720586)
What I would like to happen, is when a pc on the LAN is powered on, it uses my squid proxy server for all HTTP requests by default system wide, even if the browsers proxy settings are changed to 'No Proxy', without filtering for other programs most commonly used for chat, as most links clicked on even in IRC open an external browser, which would then still get filtered by squid.

If you want the PCs to use the proxy server even if the settings say "do not use a proxy server", the web traffic will obviously have to be redirected by some other component on your network, one that sits between the PCs and the web pages the users are trying to access. There are several ways to accomplish this:
  1. Insert a proxy device between the gateway and the clients, and have it transparently intercept and redirect web traffic through its own proxy service. Many companies do this, but with your setup there's no way to insert anything between the wireless access point and the router, as they're the same device.
  2. Have the gateway redirect web traffic through an external proxy. Your router doesn't support this setup.
  3. Use the proxy server as the gateway/router and have it redirect web traffic transparently. This will work, and you can still use your existing router as a wireless access point.

Usalabs 07-06-2012 09:14 AM

I tried blocking HTTP service on the router to a range of IP's 192.168.0.2 - 192.168.0.99

192.168.0.1 is the gateway and 192.168.0.100 is the proxy, which evidently blocked all web access unless the browser is set to use the proxy, which does work, but, if the browser is set to 'No Proxy', then the web access is blocked, and the user will see this.

I even set the PCs to use system-wide proxy settings, i.e. Ubuntu: Preferences --> Network Proxy; Windows: Control Panel --> Internet Settings --> Connections --> LAN Settings --> Use Proxy, but system-wide also prevents other internet services from running... sooo, basically I'm back to square one.

The only option is to have the proxy server between the WAN modem and the router, WAN --> proxy --> router, which means the proxy would need a 2nd NIC.

If I used the proxy as a gateway/router, that would mean I would have to disable DHCP on the Netgear and use it as a LAN switch, which would prevent wireless access.

sag47 07-06-2012 10:26 AM

Quote:

Originally Posted by Usalabs (Post 4720835)
The only option is the have the proxy server between the WAN modem and the router. WAN --> proxy --> router, which means the proxy would need a 2nd nic.

NICs support multiple IP addresses with virtual interfaces.

Google "<insert OS> virtual interface add".

In this scenario your proxy can still sit behind the router:

WAN <- router <- 192.x.x.x subnet <- proxy/gateway -> 90.x.x.x subnet -> your private network

router <- proxy/gateway <- client

In that scenario, your router and wireless client machines will have different IP network ranges. This can still be circumvented by statically setting the IP address information (which could be accomplished using sniffing).

---------------------------------------------------

The first thing you have to realize is... there's a limit to how much you can control on your network. If users can use "other services" then they could use something like ssh tunneling and get to your said blocked porn anyways. For a home setup, which is what this sounds like, then my virtual interface solution above works.

If it's a business network then that may not be desirable for you, in which case you need to invest in more than just a second NIC if you want to up the control. Where I work we let everything fly open (not server firewalls), as in we don't block services. If an employee is caught looking at porn on the job they're fired. If a student gets a subpoena for downloading illegal content then we are obligated to hand their information over. It's a matter of trust between users and admins, and also users taking responsibility for their own actions. You can hinder productivity by attempting to block too many services, which is why I posed these scenarios to you.

Ghostwheel 07-06-2012 01:27 PM

Set your rules as such:

1. Allow port 80/443 from <proxy server IP>
2. Redirect port 80/443 to <proxy server IP>
3. ???
4. Profit!

Make sure the rule to allow the proxy server is above the redirect as any decent router/firewall will follow the rules in order.
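Ser Olmy's option 3 (the squid box becomes the gateway and intercepts port 80 itself) combined with Ghostwheel's rule set, as an added example; this is editor's code, not anything posted in the thread. Assumptions: WAN on eth0, LAN on eth1 as 192.168.0.0/24, squid on the gateway with its normal port 3128 kept for browsers that are configured explicitly and a separate port 3129 in intercept mode (squid expects the two modes on different ports), squidGuard at /usr/bin/squidGuard with its config in /etc/squid/squidGuard.conf. Ghostwheel's "allow the proxy before the redirect" ordering matters when the proxy is a separate host behind a router; here it is implicit, because packets squid itself sends never traverse PREROUTING on the LAN interface. Port 443 is forwarded untouched: squid cannot look inside TLS without interposing its own certificates, which this setup does not do.

```sh
#!/bin/sh
# Transparent HTTP interception on a Linux box that is the LAN's default gateway.
# Added example, not from the thread. Assumed: WAN eth0, LAN eth1 = 192.168.0.0/24,
# squid on this host with explicit port 3128 and intercept port 3129.
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"

# Rules are emitted as text first so they can be reviewed before being applied.
# Order within each chain matters: the port-80 DROP must precede the general ACCEPT.
gen_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# LAN -> any port 80 is diverted to the local squid intercept port. Locally
# generated packets (squid fetching pages) do not pass PREROUTING on $LAN_IF.
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $INTERCEPT_PORT
# Belt and braces: if the redirect is ever missing, direct port 80 is dropped,
# not forwarded. Port 443 and everything else from the LAN is forwarded as-is.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 80 -j DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Matching squid.conf lines. squidGuard stays the rewriter, so the blacklist
# applies to intercepted and explicitly proxied requests alike.
gen_squid_conf() {
  cat <<EOF
http_port 3128
http_port $INTERCEPT_PORT intercept
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
acl localnet src $LAN_NET
http_access allow localnet
http_access deny all
EOF
}

apply_rules() {
  # Root only: feed the generated commands to a shell that stops at the first error.
  gen_rules | grep -v '^#' | sh -e
}

case "${1:-}" in
  apply) apply_rules ;;
  show)  gen_rules; echo; gen_squid_conf ;;
esac
```

"show" prints the rules and squid.conf lines for review; "apply" (as root) loads the rules. The Netgear keeps serving wifi as a plain access point with its DHCP server off and the squid box handing out itself as the default gateway, which is the point Ser Olmy makes further down. A client that sets "No Proxy" now has its port-80 traffic intercepted anyway, and a client on a live CD gets the same treatment, because enforcement no longer depends on anything configured on the PC.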

sag47 07-06-2012 01:39 PM

Quote:

Originally Posted by Ghostwheel (Post 4721012)
Set your rules as such:

1. Allow port 80/443 from <proxy server IP>
2. Redirect port 80/443 to <proxy server IP>
3. ???
4. Profit!

Make sure the rule to allow the proxy server is above the redirect as any decent router/firewall will follow the rules in order.

Filtering on 443 doesn't happen. The client creates an encrypted connection with the server and the proxy, as a middleman, can't do anything with the incoming raw encrypted data unless it intercepts the certificates and then forces its own private certificates on the user... which doesn't happen in the real world and is bad practice.

Ser Olmy 07-06-2012 01:59 PM

Quote:

Originally Posted by Usalabs (Post 4720835)
I tried blocking HTTP service on the router to a range of IP's 192.168.0.2 - 192.168.0.99

192.168.0.1 is the gateway and 192.168.0.100 is the proxy, which evidently blocked all web access unless the browser is set to use the proxy, which does work, but, if the browser is set to 'No Proxy', then the web access is blocked, and the user will see this.

I even set the pc's to use system wide proxy settings, ie ubuntu = Preferences --> Network Proxy, windows --> control panel --> internet settings --> connections --> LAN Settings --> Use Proxy, but system wide also prevents other internet service access from running,,, sooo, basically I'm back to square one.

Then consider using WPAD to distribute proxy settings to the browsers on the LAN.

Also, unless you specify a SOCKS proxy (which is an entirely different beast altogether), services other than HTTP, HTTPS and FTP should be unaffected by any proxy settings. They certainly are on my Linux and Windows systems.

Quote:

Originally Posted by Usalabs (Post 4720835)
If I used the proxy as a gateway/router,,, that would mean I would have to disable DCHP on the Netgear,and use it as a LAN switch which would prevent wireless access.

Wireless access would work just fine. The Netgear would act as a wireless access point, and the clients on the WLAN would get IP addresses from the DHCP server on the LAN.

Usalabs 07-09-2012 06:26 AM

Thanks for everyone's help, but I tried anything and everything, and I guess there is no defence against website porn, sooo, I've shut down my proxy server (I'll use it for something else) and set all PCs to direct connect. There's nothing I or anyone can do to stop kids from inadvertently (by accident from a typo, or deliberately) getting to porn sites, unless you've got friends in the FBI that can set up a $3,000,000 system, but for the everyday Joe... it's not possible, actually it's impossible, even with a 30MB blacklist.

sag47 07-09-2012 07:58 AM

I use DNS poisoning on my domain to block spam and porn domains. It's by no means dynamic but it provides some defense by default (although clients can get around that by setting Google Public DNS or OpenDNS on their systems).

We've given you viable solutions here (i.e. use the Linux system as a gateway, put the System out front, etc.). All you need to do is look up documentation on the services and how to configure them. It costs a total of $0, but it does cost a lot of time and maintenance.

If you're dealing with high school students in a school system then I would say that your ideas about filtering web content are not misplaced. All I did was just outline some of the limitations of filtering so that you're *aware* of them. That doesn't stop other people from implementing it nor should it stop you if you're trying to protect children from content on the web. The scenarios I gave about not filtering are dealing with adults in a work and University setting.

Children and minors are a different story and I would say web filtering like that is a necessary function in a setting where minors regularly use systems.
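The DNS-level block sag47 describes, as an added example (editor's code, not from the thread), built from the same "domains" file format the squidGuard blacklist uses, plus the gateway rule that closes the loophole he mentions: clients that set Google Public DNS or OpenDNS are DNAT'ed back to the local resolver. Assumptions: dnsmasq is the resolver on the gateway at 192.168.0.100, the LAN interface is eth1, the blacklist lives at /etc/squid/blacklists/porn/domains, and blocked names resolve to SINK_IP (0.0.0.0 here; point it at a local web server to show a "blocked" page instead). The sample domains are constructed. This is one layer only: it does nothing against a client that connects by IP address or tunnels DNS elsewhere.

```sh
#!/bin/sh
# DNS sinkhole from a squidGuard-style domain list, plus the rule that forces
# LAN DNS through the local resolver. Added example, not from the thread.
# Assumed: resolver/gateway 192.168.0.100 on eth1, blacklist path below.
set -eu

RESOLVER_IP="${RESOLVER_IP:-192.168.0.100}"
SINK_IP="${SINK_IP:-0.0.0.0}"
LAN_IF="${LAN_IF:-eth1}"
BLACKLIST="${BLACKLIST:-/etc/squid/blacklists/porn/domains}"   # assumed path

# Constructed sample in the "domains" format: one domain per line, comments
# and blank lines allowed. Not a real list.
SAMPLE_DOMAINS='# sample blacklist
badsite.example
another.example

# end'

# Strip comments, blank lines and CRs; emit one dnsmasq "address=" line per
# domain. dnsmasq applies address=/d/ip to d and to every name under it.
domains_to_dnsmasq() {
  tr -d '\r' | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
    | awk -v ip="$SINK_IP" '{ print "address=/" $1 "/" ip }'
}

# Offline mirror of that matching rule: is $1 (or any parent domain of it) listed?
# Reads the domain list from stdin.
is_sinkholed() {
  host="$1"
  list="$(tr -d '\r' | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$')"
  while [ -n "$host" ]; do
    if printf '%s\n' "$list" | grep -qxF "$host"; then
      return 0
    fi
    case "$host" in
      *.*) host="${host#*.}" ;;   # drop the leftmost label and retry
      *)   host="" ;;
    esac
  done
  return 1
}

# Any LAN DNS query not already addressed to the local resolver is sent there,
# so a client that hard-codes 8.8.8.8 or OpenDNS still gets the sinkholed answers.
gen_dns_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF ! -d $RESOLVER_IP -p udp --dport 53 -j DNAT --to-destination $RESOLVER_IP:53
iptables -t nat -A PREROUTING -i $LAN_IF ! -d $RESOLVER_IP -p tcp --dport 53 -j DNAT --to-destination $RESOLVER_IP:53
EOF
}

case "${1:-}" in
  install)
    domains_to_dnsmasq < "$BLACKLIST" > /etc/dnsmasq.d/sinkhole.conf
    gen_dns_rules | sh -e
    ;;
  show)
    printf '%s\n' "$SAMPLE_DOMAINS" | domains_to_dnsmasq
    gen_dns_rules
    ;;
  check)
    is_sinkholed "$2" < "$BLACKLIST" && echo "blocked: $2" || echo "allowed: $2"
    ;;
esac
```

"show" prints what would be generated from the sample list, "install" (as root) writes the dnsmasq drop-in and loads the rules (restart dnsmasq afterwards), and "check somehost" tests a name against the real list the way dnsmasq will match it: www.badsite.example is caught by an entry for badsite.example, while badsite.example.com is not.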

