[KLUG Members] Re: Members digest, Vol 1 #977 - 4 msgs

Randall Perry members@kalamazoolinux.org
Fri, 06 Jun 2003 12:04:50 -0500


At 11:00 AM 6/6/2003, you wrote:
<snip>
>OK, I understand what you're doing and that's agreeable. But you explicitly 
>configured the proxy setting. I *think*, if I recall earlier messages in this 
>thread (it's getting a little difficult to follow now), he didn't want to 
>configure clients to access the proxy, which would mean he wants transparent 
Correct.  But during testing, if adjusting the browser manually does not bring a site up, then I wouldn't point to the client's settings.  The proxy server might not have its DNS configured properly.
<snip>
>Otherwise, based on the results you report, I reckon default gw & DNS info are 
>not required at the client. Thank you for clarifying that, because I am in the 
>process of ditching squid on IPCop and running it on a different box and not 
>transparently. I would have gone through the trouble of handing out that extra 
>info when I didn't need to. So, thanks for saving me some effort!
You also have the indirect benefit of not having to worry about egress filtering so much.
Because there is no default gw listed (or DNS), users cannot use KaZaA, stream audio, or run other apps.  It also prevents trojans infecting the Windows boxes from calling home (because they don't know how to get out).

I am not saying that this is a _substitute_ for a good outbound firewall policy, but it just helps clean it up.

*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.
      Randall Perry
          Senior Consultant/Instructor
      ------------------------------------------------
      Domain Logic Technology Solutions
          http://www.domain-logic.com
          Goshen, IN 46526
*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.
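
Added example, not part of the original message: a small audit of the setup described above, checking from a client's routing table that the proxy is reachable on-link while nothing off the LAN has a route. It covers only the routing half (not DNS). The `ip route show` text format, the addresses and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample route tables in `ip route show` format (assumed format).
CLIENT_NO_GW = """\
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
CLIENT_WITH_GW = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
PROXY_IP = "192.168.1.2"                    # constructed: proxy on the client LAN
PROBES = ["203.0.113.10", "198.51.100.7"]   # constructed: off-LAN test addresses


def parse_routes(text):
    """Return a list of (network, gateway-or-None) from `ip route show` text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((ipaddress.ip_network(dest), gw))
    return routes


def next_hop(routes, dest):
    """Longest-prefix match: 'on-link', a gateway IP, or None if unroutable."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, gw) for net, gw in routes if addr in net]
    if not matches:
        return None
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw or "on-link"


def audit(route_text, proxy_ip, probes):
    """Check the proxy is on-link and list off-LAN probes that have any route."""
    routes = parse_routes(route_text)
    return {
        "proxy_reachable": next_hop(routes, proxy_ip) == "on-link",
        "direct_egress": [p for p in probes if next_hop(routes, p) is not None],
    }


if __name__ == "__main__":
    print("no default gw:  ", audit(CLIENT_NO_GW, PROXY_IP, PROBES))
    print("with default gw:", audit(CLIENT_WITH_GW, PROXY_IP, PROBES))
```

A non-empty `direct_egress` list means the client can send traffic past the proxy, so the outbound firewall policy is the only control left for that host.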