nixCraft Linux Forum

Filter MAC addresses with squid on SuSE 10

#1 AQG, 08-16-2006, 06:16 AM

Hi, hope everybody is doing good.

I'm new to this forum, please excuse me while I adjust.

I need help with my squid on SuSE 10. I would like to know where do I need to place my squid box on my net in order for it to see and filter my MAC addresses?

Hope you can help me!!!

Thanks
#2 monk, 08-16-2006, 01:45 PM

We are doing great.

Quote:
I would like to know where do I need to place my squid box on my net in order for it to see and filter my MAC addresses?

You can place your box anywhere… generally most people run something as follows:

Code:
router -> squid box -> LAN

Allow LAN computers access to the squid box only and not to the router; put a firewall on the squid box and on squid itself.

If you need more help please hit reply button
#3 AQG, 08-16-2006, 08:53 PM

OK, got that, but by doing what you say would I be able to filter (pass) my MAC using my proxy server? On some comments I understood that MACs are not routable?

Thanks
#4 AQG, 08-17-2006, 02:39 AM

My squid box is connected to the main router; is that OK?
#5 rockdalinux, 08-17-2006, 05:03 AM

Yup, it is OK to connect the router to the Linux server, as long as you have a firewall (iptable...

Do not use this squid box for any other purpose like a file server or FTP or CVS server. Use it as a dedicated box for routing internet traffic.

Do you really need MAC filters? What kind of setup… your own office setup or Cable ISP kind of setup?

In case it is your office setup, there is no need to go by MAC, IMPO. Squid itself provides quite strong access control along with authentication.
__________________
Rocky Jr.
You may have my body & soul, but you will never touch my pride!

If you have knowledge, let others light their candles at it.

Certified to work on HP-UX / Sun Solaris / RedHat
#6 AQG, 08-17-2006, 06:53 AM

It's not an office; we have approx. 500 PCs, of which 300 must be granted access to the internet through a proxy server filtered by MAC.

The problem is that we have 21 subnets distributed in 7 IDFs (VLANs).
In each VLAN, 1 subnet is full access (no proxy), 1 subnet is restricted access (through proxy) and 1 subnet is for VoIP.

Question: for example, if I have a PC in a subnet that must pass through the proxy server, but I cannot connect my proxy in front of my ISP router, will my proxy be able to filter that PC by MAC?

Thanks once again!!!
#7 rockdalinux, 08-17-2006, 02:48 PM

No, it is not possible.

Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.

What is pointed out by monk is called Proxy Server Implemented With a Dual-Homed Host Firewall. This does not assume you have multiple subnets. However, if you are able to route traffic using a router (may be software or h/w based) to this proxy server, it should work.

This is not a squid issue but a layer 3 issue. Squid can accept connections from any subnet, but you need to configure IP routing correctly, aka use multiple routers and the screened subnet, IMPO. This is called HTTP or squid proxying in a screened subnet architecture.
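A squid.conf sketch of what posts #5 and #7 describe, added here as an example and not posted by anyone in the thread: the `arp` ACL type matches MAC addresses only for clients on a subnet the proxy is directly attached to, so routed subnets fall back to Squid's own authentication. All subnets, MAC addresses, ACL names and the helper and password-file paths are constructed placeholders, and the `arp` ACL assumes a Squid 2.x build configured with `--enable-arp-acl`.

```conf
# Added example; every address, MAC, path and ACL name below is a constructed placeholder.

# Subnet the proxy has an interface on: Squid can resolve these clients' MACs.
acl local_restricted src 10.1.2.0/24
acl allowed_macs arp 00:11:22:33:44:55 00:11:22:33:44:66

# Subnets that reach the proxy through a router: no client MAC is available
# to match, so identify users with proxy authentication instead.
acl routed_restricted src 10.2.2.0/24 10.3.2.0/24
auth_param basic program /usr/sbin/ncsa_auth /etc/squid/passwd
auth_param basic realm Squid proxy
acl authed_users proxy_auth REQUIRED

# Rules are evaluated top to bottom; the first matching http_access line wins.
# ACLs listed on one line are ANDed together.
http_access allow local_restricted allowed_macs
http_access allow routed_restricted authed_users
http_access deny all

# A MAC address is set by the client, so treat the arp ACL as an inventory
# filter rather than as proof of identity.
```

After editing, `squid -k parse` checks the file for syntax errors before `squid -k reconfigure` loads it.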
#8 AQG, 08-17-2006, 09:17 PM

OK, I hope I'm not too much trouble, but can you provide me a small design as to where to put my proxy box? Our main switches are layer 3, which are connected to the main router. So starting is:

Main Router==>two main switches (layer 3)==>rest of switches

And also, can you give me an example of IP routing, or where can I find examples similar to what you are telling me?

I really appreciate all you people's help; never tried this forum before, but the Linux community is great.

Thank you!!!
#9 sweta, 08-18-2006, 05:49 PM

I think you need to get a good book, because security and firewalls are a complex topic. Your issue/topic seems quite complicated to me. What rockdalinux said was available in a book called

Building Internet Firewalls by D. Brent Chapman, Elizabeth D. Zwicky

It is written in language that is easy to understand and has a lot of nice diagrams.

A quick Google query gave me the following URL too:
http://wp.netscape.com/proxy/v3.5/using/

Netscape Proxy Server Deployment Guide – not exactly squid related, but it has all the diagram or architecture stuff you need to implement.

Good luck with your work and keep us updated on this issue.
All times are GMT +5.5.