I installed dansguardian on my Linux server. Everything works well except one thing: if a user sets a different proxy (outside my LAN) in his browser, he'll be able to bypass dansguardian. Can anybody help me on how to prevent this?

EDIT: I have on my server an access controller - ChilliSpot - that listens to all requests made on port 80. And that controller redirects all requests made to it towards dansguardian. So, I think that should be enough, but it isn't. Any thoughts on what more I should do?

N.B. I'm more like a 'Linux' newbie (even if I'm not just a newbie to 'Linux') than like a Linux guru.

artaxerxe
  • Do you allow outbound connections from your network? You shouldn't if you want to enforce using the content filter. – drcelus Aug 24 '12 at 09:48
  • As mentioned below, you should block connections from your LAN to the WAN. `Chillispot` will not deny these connections; it just acts as an access control, but you should make sure (using IPTABLES) that direct connections from inside your network to the internet are not allowed. – drcelus Aug 24 '12 at 10:07
  • @drcelus You're right, but if you consider that I set `ChilliSpot` to proxy all traffic to `dansguardian` (from `chilli.conf`), then I consider that direct connections to internet are not allowed. I think that I have a hole in my judgment, but where is it? – artaxerxe Aug 24 '12 at 10:21
  • Just try to telnet to the outside from one of your clients, if it succeeds, then you should check your firewall. Try port 8080, it is widely used by proxies. – drcelus Aug 25 '12 at 20:00
  • @drcelus I resolved it. There was a rule in my firewall in addition to `Chilli`'s rules. I only removed it and now everything works great! – artaxerxe Aug 27 '12 at 05:16

1 Answer

You should set up your firewall to block ports 80 and 443 so he is forced to use your proxy to get to the internet.

Lock
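
A check in the spirit of how this thread was resolved, as an added example that is not part of the original posts: it walks an `iptables-save` dump with first-match semantics and reports which of ports 80, 443 and 8080 a client could still reach directly because an earlier ACCEPT shadows the later blocks. The ruleset is constructed, the interface names `tun0` and `eth0` are assumptions, and the function names are hypothetical.

```python
import shlex

# Constructed iptables-save excerpt, not taken from the post. tun0 (client
# side) and eth0 (WAN) are assumed interface names.
LEAKY = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -i tun0 -o eth0 -p tcp -m tcp --dport 443 -j DROP
COMMIT
"""
# The same ruleset with the early catch-all ACCEPT removed.
FIXED = "\n".join(l for l in LEAKY.splitlines() if not l.endswith("eth0 -j ACCEPT"))

KNOWN = {"-i", "-o", "-p", "-m", "--dport", "-j", "--reject-with"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def forward_verdict(dump, in_if, out_if, dport, proto="tcp"):
    """Return (target, rule) for the first filter/FORWARD rule that matches."""
    table, policy = None, "ACCEPT"
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        if table != "filter":
            continue
        if line.startswith(":FORWARD "):
            policy = line.split()[1]
        if not line.startswith("-A FORWARD "):
            continue
        tok = shlex.split(line)[2:]
        opts = dict(zip(tok[0::2], tok[1::2]))
        # Refuse to guess: negation, ranges, wildcards, other matches, jumps.
        if (len(tok) % 2 or set(opts) - KNOWN or opts.get("-j") not in TERMINAL
                or any(c in v for v in opts.values() for c in "+:,!")):
            raise ValueError("review by hand: " + line)
        want = {"-i": in_if, "-o": out_if, "-p": proto, "--dport": str(dport)}
        if all(opts.get(k, v) == v for k, v in want.items()):
            return opts["-j"], line
    return policy, "chain policy"

def direct_leaks(dump, in_if="tun0", out_if="eth0", ports=(80, 443, 8080)):
    """Ports a client behind in_if can reach on the WAN without the proxy."""
    return [p for p in ports if forward_verdict(dump, in_if, out_if, p)[0] == "ACCEPT"]

if __name__ == "__main__":
    print("leaky:", direct_leaks(LEAKY))
    print("fixed:", direct_leaks(FIXED))
```

Rules that use anything beyond plain interface, protocol and destination-port matches raise `ValueError` so they get reviewed by hand instead of being silently misjudged.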