This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

http proxy - how to block request to internal net

Hello All,

I work in school.
I use\test ASL with 5 NIC for 5 zones and all work great and excellent but...

1 NIC --> Internet
2 NIC --> DMZ for students servers
3 NIC --> DMZ for school public servers
4 NIC --> LAN for students computers
5 NIC --> LAN for administration computers

I have problem to block http proxy requests from the first internal (4 NIC --> LAN for students computers) to the second internal network in my ASL (5 NIC --> LAN for administration computers)

I have "LAN for students computers" selected in "Allowed Network" and "Drop" rule for ANY service from "LAN for students computers" to "LAN for administration computers" in "Packet Filter"

Please help,

Best Regards,

This thread was automatically locked due to age.

Parents

0 Vukasin over 21 years ago

are these networks routed trough the firewall?
Cancel
Vote Up 0 Vote Down

Cancel
0 WaMaR over 21 years ago in reply to Vukasin

Routed default by ASL
Cancel
Vote Up 0 Vote Down

Cancel
0 Vukasin over 21 years ago in reply to WaMaR

hmmm... i am not sure but i think that the squid is by default allowed to go anywhere (an automatic allow rule). You could use surfprotection and add the unwanted net to the blacklist. Also you can play around with
/var/chroot-squid/etc/squid.conf-default
and set some ACLs.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Vukasin over 21 years ago in reply to WaMaR

hmmm... i am not sure but i think that the squid is by default allowed to go anywhere (an automatic allow rule). You could use surfprotection and add the unwanted net to the blacklist. Also you can play around with
/var/chroot-squid/etc/squid.conf-default
and set some ACLs.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 WaMaR over 21 years ago in reply to Vukasin

[ QUOTE ]
hmmm... i am not sure but i think that the squid is by default allowed to go anywhere (an automatic allow rule).

[/ QUOTE ]

Here I think, that you have right.

But surfprotection use with black list is inconvenient, I have to add host by host to black list. I can't add all second local network by network adress with mask.

And for intend buy ASL in order to don't make it manually by config files

I would like to request Development Team to add block or ACL funcionality for squid proxy to Web Admin
Cancel
Vote Up 0 Vote Down

Cancel
0 Vukasin over 21 years ago in reply to WaMaR

Well you can add a manual drop rule to the packetfilter (you can look at the tables and see in which chain it should go)
Cancel
Vote Up 0 Vote Down

Cancel
0 WaMaR over 21 years ago in reply to Vukasin

but as you know packetfilter rules in Web Admin has smallest priority than AUTO chains rules added automatically by ASL without possibility to edit
Cancel
Vote Up 0 Vote Down

Cancel
0 cyclops over 21 years ago in reply to WaMaR

that's another case for the hackers forum - have a look over there [:)]

Greetings
cyclops
Cancel
Vote Up 0 Vote Down

Cancel
0 Vukasin over 21 years ago in reply to cyclops

I didn't mean to add the rule from the webadmin but from the console (a hack, therefore I agree that this is a matter for the hacker's forum)
Cancel
Vote Up 0 Vote Down

Cancel
0 WaMaR over 21 years ago in reply to Vukasin

Manual solution of problem by Cyclops is here http://smlnk.com/LQpj

Thank you Cyclops

Best Regards,
WaMaR
Cancel
Vote Up 0 Vote Down

Cancel