David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

using web proxy - knowing how is trying to connect

Wed Mar 25, 2015 1:40 pm

Hello,
I have installed web-proxy on my RB411
 /ip proxy print 
                 enabled: yes
             src-address: 192.168.1.0
                    port: 8080
               anonymous: no
            parent-proxy: ::
       parent-proxy-port: 0
     cache-administrator: david
          max-cache-size: unlimited
   max-cache-object-size: 2048KiB
           cache-on-disk: no
  max-client-connections: 600
  max-server-connections: 600
          max-fresh-time: 3d
   serialize-connections: no
       always-from-cache: no
          cache-hit-dscp: 4
              cache-path: web-proxy
and did the firewall redirect
chain=dstnat action=redirect to-ports=8080 protocol=tcp 
      src-address=192.168.1.0/24 in-interface=wlan1 dst-port=80 log=no 
      log-prefix="" 
and added this rule
add action=deny dst-host=*whatismyip.com src-address=192.168.1.0/24
Now I can see the counter go up whenever I try to enter the site,
but is there any way I will know who is trying to enter?
mac address of the device?

Thanks,
 
hossain2004a
Member Candidate
Posts: 247
Joined: Mon Dec 22, 2014 7:34 pm
Location: Iran

Re: using web proxy - knowing how is trying to connect

Wed Mar 25, 2015 4:01 pm

> but is there any way I will know who is trying to enter?
> mac address of the device?

I didn't get it exactly, so can you say more?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: using web proxy - knowing how is trying to connect

Wed Mar 25, 2015 5:36 pm

There's no logging option in the access rules list, so nothing that simple for you.

Maybe try increasing the log level for web proxy events and seeing if the source IP is available that way.
If so, then you could probably make a more specific logging rule that only matches when the proxy denies access, and stores that in a log file or to a remote syslog server.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: using web proxy - knowing how is trying to connect

Thu Mar 26, 2015 9:47 am

I didn't understand what you are suggesting.

All I want to see is who is trying to enter the "forbidden" sites,
not just to see how many times.

?

Thanks,
 
freemannnn
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

using web proxy - knowing how is trying to connect

Thu Mar 26, 2015 6:30 pm

Maybe the title is confusing. "How" should be "who".
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: using web proxy - knowing how is trying to connect

Fri Mar 27, 2015 12:17 am

> I didn't understand what you are suggesting.
>
> All I want to see is who is trying to enter the "forbidden" sites,
> not just to see how many times.
>
> ?
>
> Thanks,

Sorry - I mean go into system logging, create a new log rule for topic web-proxy. For now, leave the action=memory.
Watch the log viewer and try to access a forbidden site.
Watch what the log entry looks like.
Then adjust your log rule to match only such log entries, or as few as possible.
Make a new action that logs to disk - set the file name to "proxy_denied.log" or whatever makes sense, and choose a maximum lines / file that makes sense.
Change your web proxy logging rule's action to this new specific logfile.
Now you can download this log file to your computer and read it any time you like.
 
hossain2004a
Member Candidate
Posts: 247
Joined: Mon Dec 22, 2014 7:34 pm
Location: Iran

Re: using web proxy - knowing how is trying to connect

Fri Mar 27, 2015 12:43 pm

I don't know whether you tested the syslog and web proxy while running proxy software, e.g. Freegate or Hotspot Shield (software we know as evil software), or not.
As I see it, when you use such software, all the logs go down. They just show you that one of your computers made some connection, but to where, how, what amount, etc. is unknown. That's why they call it evil. So for our network this should be considered.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: using web proxy - knowing how is trying to connect

Fri Mar 27, 2015 2:27 pm

There will always be an arms race between the controllers and the power users.

Our office uses a monitoring solution to filter web content. They've just had to update their software a lot due to many websites switching to SSL by default. As an employee of a company that wants to filter the web, I dutifully do what I can, but secretly, I laugh about it because I'm against such technology and am happy every time SSL or tunneling defeats things like this.

I've even heard that there is a VPN over DNS technology.
Not udp 53, but actual live DNS queries!
 
hossain2004a
Member Candidate
Posts: 247
Joined: Mon Dec 22, 2014 7:34 pm
Location: Iran

Re: using web proxy - knowing how is trying to connect

Fri Mar 27, 2015 7:48 pm

VPN over DNS?
What is it?

The only use of VPN by the majority of people in my country is for proxy purposes and getting past content-filtered websites. And of course some companies use it for their networks. But VPN over DNS??
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: using web proxy - knowing how is trying to connect

Fri Mar 27, 2015 9:44 pm

I'm not sure how it worked, but supposedly it could encapsulate packets into RR data and the client could request these to get packets and the other side would do the same. I guess they had specific host names to request.
Of course the "authoritative" server for these RR wasn't a real DNS server but the VPN endpoint. Some subdomain points NS delegation authority to this server for some clever subdomain.

You could definitely uuencode a file and store it as a sequence of TXT records on DNS if you wanted, right now.
If you PGP encrypted the file first, and then uuencoded the file and stored the results in TXT records.....

Then you could literally serve files securely from a DNS server.

Suppose some powerful domain like google.com created a service to host these - they would let you get some arbitrary sub-domain myfileisgood.google.com and they could simply point an NS authority delegation to whatever server you choose and the blocks would be on your server as:
block-nnnnnnn.myfileisgood.google.com TXT "first block of the file"
block-nnnnnn1.myfileisgood.google.com TXT "second block"
Once the client's DNS server knows that *.myfileisgood.com is answered by your server, it never bothers google again so it wouldn't even add load to their public DNS servers.....

Would you be so bold as to block subdomains of google.com in your live DNS?

Or the data could be encoded into valid character sets for hostnames and stored as CNAME or MX records so you wouldn't be able to block TXT type queries....


Am I now evil? :)
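
Added example, not part of the post above: from the monitoring side, the scheme described (many `block-N` names requested under one delegated subdomain) stands out in resolver query logs as one client asking for a large number of distinct labels under a single parent zone, whatever record type carries the data. The query tuples, the `files.example.com` zone, the function names and the threshold are constructed for illustration.

```python
from collections import defaultdict

def build_sample():
    """Constructed resolver log: (client_ip, record_type, queried_name)."""
    queries = [
        ("192.168.1.20", "A", "www.example.org"),
        ("192.168.1.20", "A", "mail.example.org"),
        ("192.168.1.21", "TXT", "example.org"),
    ]
    # One client walking sequential block names, mixing record types.
    for n in range(40):
        qtype = "TXT" if n % 2 else "CNAME"
        queries.append(("192.168.1.50", qtype, "block-%07d.files.example.com" % n))
    return queries

def flag_bulk_subdomain_lookups(queries, min_unique=25):
    """Return {(client, parent_zone): distinct_label_count} at or above min_unique.

    The record type is deliberately ignored: counting distinct leftmost
    labels still works when the data moves from TXT to CNAME or MX.
    min_unique is an assumed threshold to tune against normal traffic.
    """
    seen = defaultdict(set)
    for client, _qtype, qname in queries:
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:          # nothing below the registered domain
            continue
        parent = ".".join(labels[1:])
        seen[(client, parent)].add(labels[0])
    return {key: len(v) for key, v in seen.items() if len(v) >= min_unique}

if __name__ == "__main__":
    for (client, zone), count in flag_bulk_subdomain_lookups(build_sample()).items():
        print(f"{client} requested {count} distinct names under {zone}")
```
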
 
hossain2004a
Member Candidate
Posts: 247
Joined: Mon Dec 22, 2014 7:34 pm
Location: Iran

Re: using web proxy - knowing how is trying to connect

Sun Mar 29, 2015 7:43 am

:D
.
.
.
.
One of my laws in learning computer stuff is to know the lowest level of a thing, a piece of knowledge or a matter, so you would know how the system works.
And for the DNS stuff you described, thank you ZeroByte :D Fascinating.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: using web proxy - knowing how is trying to connect

Sun Mar 29, 2015 4:19 pm

I have tried to do what you said and
opened logging with web-proxy,

but there isn't any MAC address there - only the IP I gave to the device,
so if we try the next day - I can't know that this device tried 2 times now... (probably because he got another IP)

Thanks,
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: using web proxy - knowing how is trying to connect

Mon Mar 30, 2015 11:19 pm

If you can extract the IP addresses from the logs, then you will also need to log DHCP assignments in order to have complete information. This is because web proxy is an ip-based service. You could have a single proxy at the core of a large network, and it would not have access to the individual end users' mac addresses all over the network.....
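
Added example, not part of the thread and not MikroTik code: the correlation described above, joining denied web-proxy requests to DHCP lease events so that a device is identified by MAC address even when its IP changes from one day to the next. The log line layout, the sample lines and the function name are assumptions modelled on a collector receiving the router's dhcp and web-proxy topics; lines are assumed to be in time order.

```python
import re
from datetime import datetime

# Constructed sample lines (assumed layout: timestamp, topics, message).
SAMPLE_LOG = """\
2015-03-29T09:00:05 dhcp,info dhcp1 assigned 192.168.1.50 to AA:BB:CC:00:00:01
2015-03-29T09:12:40 web-proxy,account 192.168.1.50 GET http://www.whatismyip.com/ action=DENY cache=MISS
2015-03-29T18:00:00 dhcp,info dhcp1 deassigned 192.168.1.50 from AA:BB:CC:00:00:01
2015-03-30T08:30:00 dhcp,info dhcp1 assigned 192.168.1.50 to AA:BB:CC:00:00:02
2015-03-30T08:45:10 dhcp,info dhcp1 assigned 192.168.1.77 to AA:BB:CC:00:00:01
2015-03-30T09:01:33 web-proxy,account 192.168.1.77 GET http://www.whatismyip.com/ action=DENY cache=MISS
2015-03-30T09:05:00 web-proxy,account 192.168.1.50 GET http://example.org/ action=ALLOW cache=MISS
2015-03-30T09:06:00 web-proxy,account 192.168.1.99 GET http://www.whatismyip.com/ action=DENY cache=MISS
"""

LEASE = re.compile(r"^(\S+) dhcp,info \S+ (assigned|deassigned) (\S+) (?:to|from) (\S+)$")
PROXY = re.compile(r"^(\S+) web-proxy,account (\S+) (\S+) (\S+) action=(\w+)")

def denied_by_mac(log_text):
    """Return {mac: [(timestamp, ip, url), ...]} for denied proxy requests.

    The lease table is replayed in log order, so each request is attributed
    to whichever MAC held the source IP at that moment.
    """
    leases = {}   # ip -> MAC currently holding the lease
    denied = {}
    for line in log_text.splitlines():
        m = LEASE.match(line)
        if m:
            _ts, event, ip, mac = m.groups()
            if event == "assigned":
                leases[ip] = mac
            elif leases.get(ip) == mac:
                del leases[ip]        # lease released or expired
            continue
        m = PROXY.match(line)
        if m and m.group(5) == "DENY":
            ts, ip, _method, url, _action = m.groups()
            mac = leases.get(ip, "unknown")   # static or never-leased address
            denied.setdefault(mac, []).append((datetime.fromisoformat(ts), ip, url))
    return denied

if __name__ == "__main__":
    for mac, hits in denied_by_mac(SAMPLE_LOG).items():
        print(mac, [(t.isoformat(), ip, url) for t, ip, url in hits])
```

In the sample, the device ending in `:01` is denied on both days from two different IP addresses, while the device that later holds `192.168.1.50` is not blamed for the earlier request.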
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: using web proxy - knowing how is trying to connect

Tue Mar 31, 2015 3:27 pm

O.k. I understand.
Thanks,
