Hello,
I have an installed base of about 35 customers that use a custom built Linux based firewall solution with most of the same components as ASL. We use Squid for Proxy etc... One of the things that many of our customers like is the fact that we have implemented an iptables ruleset that forces all outbound port 80 traffic to be redirected through Squid port 8080, which requires the user to Authenticate with a user/password. This prevents administrators from having to modify the configuration of 100 or so PC's sitting behind the firewall to use the proxy server and ensures that users can't just install Mozilla or something else to bypass the proxy.
Astaro seems to support a Transparent mode (redirect 80 to 8080) and an Authenticated mode (user/pw), but not a combination. Astaro support suggested putting in a rule that blocks all outbound port 80 and 443 traffc, so as to force all users to have to set their browsers to use the proxy. This is fine, but doesn't address the issue that admins then have to manage all of the back-end workstations.
We implement this functionalty with a very simple iptables rule:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
So.. I see a couple of options here, and the best one seems to be to put the proxy into Authenticated mode, and then add the iptables rule as the last step in the boot process, after the iptables rules have been loaded. This would ensure that it would load all the time, even after a reboot, but would not be modifiable from the Webadmin. Anyone have any comments or suggestions?
I'd like to request that Astaro consider a Transparent / Authenticated mode for their next release....
