Have you looked at the f<flameproof suit>linux transparent proxy support?
</flameproof suit>. You can say "if a comes in on port 80 destined
for anywhere, send it over here first". That way the users transparently
have all www traffic transparently routed to the proxy server. This is
good because a) the stoopid lusers don't have to change anything (neither
do the nice customers :), and b) you can change it with minimal effect
(ie: add multiple proxies etc...). This is bad because a) <flameproof>
it runs on linux, and some people have a problem with that </flameproof>,
b) if your proxy OR your redirector goes down your hosed, and c) you
have to make the linux box THE main router for all web customers
(thier packets HAVE to cross it..). This adds extra complexity
to your net. Its a good idea, but I'd seriously recommend having a
good clue before you go live (read test extensively), because other-
wise it won't be me needin the flameproof suit :)
If you did something like this, you wouldn't really need most of the
filters...
BTW: What are you using for a proxy? Squid? or did you go commercial
and buy Harvest Cache or something like that?
> >
> >Do I need to restrict HTTP traffic to the proxy server only and then
> >explicity allow
> >ALL other services (such ass IRC, NNTP etc..) in the filter?
>
> Yes. Sounds right to me. Realize that you need to have your dial-in clients
> configured to point their browser at that proxy server, or else you're going
> to have a lot of unhappy customers.
>
> alex
> Alex Henthorn Livingston Enterprises
> Senior Technical Product Manager 4464 Willow Road
> Product Marketing Engineer Pleasanton, CA 94588
> alex@livingston.com Voice 510-737-2156 Fax 510-426-8951
>
>
----------------------------------------------------------------------------
Ryan Mooney Phone (602)265-9188 PCSLink
ryan@pcslink.com Fax (602)265-9357 Internet Services
The world needs more bitter, twisted souls. It would be a much better place.
-----------------------------------------------------------------------------