Roy Ong wrote:
@Anton ... I understand where you are coming from, but try telling that
to the bosses of the smaller SMEs. They are just plain paranoid. They
worry about Facebook, MSN, MySpace, Twitter etc. In fact, some of them
even block all access to web email and make sure all email in/out is
archived! (I couldn't access Gmail using a client's network <sigh>)

@Hung ... Harish's suggestion of running a transparent proxy would be
the most appropriate and it doesn't take much effort. However, I would
like to add that education is still the best bet. Inform your friend
that there is no such thing as a true 100% block. There are so many ways
of bypassing such a proxy. Anton has already brought out a valid point:
what about mobile broadband sticks? While running a transparent proxy
will be sufficient to block, one still has to look at the broader
picture as to how you or your friend would like to deal with mobile
broadband etc. Essentially, the building blocks of such a configuration
would be as follows:

(a) get a dual-homed Linux machine ... nothing overpowered. A used PC
could also be sufficient so long as you are not paranoid about hardware
failures ...

(b) connect one end of the Linux machine to the router. Configure this
on one subnet, i.e. 192.168.0.0/255.255.255.0

(c) connect the other end of the Linux machine to the switch where all
the other PCs are interconnected. This shall be on a different subnet,
i.e. 192.168.1.0/255.255.255.0

(d) on the machine, install Linux and configure the following:
  - enable IP forwarding
  - enable iptables for masquerading
  - install dhcpd
  - configure dhcpd to give itself as the gateway
  - configure dhcpd with MAC address reservations,
    i.e. MAC address A will always get 192.168.1.200,
    MAC address B will always get 192.168.1.201
  - install squid
  - configure squid for access rights,
    i.e. what sites to block for which IP address,
    what time to release the block,
    maybe 12-2pm no block etc...

(e) reboot and enjoy

Those would be the main building blocks. They cover the major components
as to what is required for a transparent proxy but certainly, there are
still many loopholes as to how one can bypass that transparent proxy (mobile
broadband, SOCKS proxy, SSH forwarding etc. etc. etc.)

Hope this helps :)

On Sun, 2010-05-09 at 03:48 -0700, Anton wrote:
Here are two more, easily bypassable solutions:
  - apply an ACL using the D-Link's internal firewall;
  - remove DNS settings from the other workstations and specify IP
addresses for the allowed sites in the "hosts" file

Regardless of method, keep in mind new technologies such as mobile
internet before starting this thankless fight. I personally think it
is a bad idea which neither increases productivity nor creates a
healthful environment in your office.

PS. There is something ludicrous in using open software to restrict
users' freedom.


On 8 May 2010 03:23, Harish Pillay <[email protected]> wrote:
Hi, my friend's office uses a simple D-Link ADSL modem/router for
internet/email. There are 5 peer-to-peer computers, all using Windows
operating systems. She has asked me how to allow only her computer to access all
websites but to limit the other 4 computers to only certain websites, e.g.,
all S'pore government sites, Yahoo Mail allowed, Gmail allowed.

How do I build/configure a Linux computer to do this?
You can run Squid as a proxy (and a transparent one at that) to effect this.

http://tinyurl.com/36pmohf

Regards.
--
Harish Pillay [email protected] gpg id: 746809E3
fingerprint: F7F5 5CCD 25B9 FC25 303E 3DA2 0F80 27DB 7468 09E3


Hi, thank you Harish, Anton and Roy. I am not very conversant with Linux. The only reason why I mention Linux is because it won't cost much money, as one can use an old computer, 3Com network cards can be had for less than $10, and Linux has no fee to pay. A firewall appliance will be too much money.

I have installed Ubuntu etc. but it was not for serious work usage. Just to see see only. So I am not confident about building a Linux box with squid, etc. etc.

Of course the other way is to get a router that has an access control list built in. My friend mentions that the D-Link DIR-655 can do it. It can block all sites and then you allow some sites. But I have to pay $169 for it (not bought yet). Anyone has experience with this router? Also how does one allow all www.gov.sg sites or all .sg sites? Sometimes the site gets redirected to another one, e.g., www.singnet.com.sg gets to www.insing.com... So need to allow traffic for 2 sites?

I understand what Anton is saying. I myself dislike restrictive controls and believe in freedom and self-responsibility. But other office users may not respect office policies. I have seen them chit-chatting on MSN, surfing to various sites unrelated to work at all times of the day, installing p2p programs, etc. I am not the boss so I keep quiet.

Hung
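Roy's building blocks (a) to (e) written out as an added example, not code from anyone in this thread. It assumes eth0 faces the D-Link on 192.168.0.0/24, eth1 faces the office switch on 192.168.1.0/24, Squid listens on 3128, and 192.168.1.200 (Roy's "MAC address A" reservation) is the one PC allowed everywhere; the MAC addresses and allowed domains are constructed for illustration.

```shell
#!/bin/sh
# Assumed layout from steps (b)-(c): eth0 = router side, eth1 = office switch side.
WAN_IF=eth0; LAN_IF=eth1; LAN_NET=192.168.1.0/24; SQUID_PORT=3128
BOSS_IP=192.168.1.200            # constructed: the one PC allowed everywhere

# Step (d): forwarding, masquerading, and the rule that makes the proxy
# "transparent" (LAN port 80 is redirected into squid). Emitted as text so it
# can be reviewed first; run as root to apply. The FORWARD rules matter: without
# them anything that is not port 80 (HTTPS, SOCKS, SSH tunnels) bypasses squid.
firewall_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -A FORWARD -i $LAN_IF -s $BOSS_IP -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j DROP
EOF
}

# Step (d): dhcpd host reservations so each MAC always gets the same IP and the
# per-IP squid rules stay meaningful. Reads lines of "<name> <mac> <ip>" on stdin.
dhcpd_reservations() {
  while read -r name mac ip; do
    printf 'host %s { hardware ethernet %s; fixed-address %s; }\n' "$name" "$mac" "$ip"
  done
}

# Step (d): squid access rights. "dstdomain .gov.sg" matches every host under
# gov.sg; a site that redirects elsewhere (singnet -> insing) needs both names.
# Squid 3.1 and later spell the port option "intercept" instead of "transparent".
squid_acls() {
  cat <<EOF
http_port $SQUID_PORT transparent
acl boss src $BOSS_IP
acl lunch time MTWHF 12:00-14:00
acl allowed dstdomain .gov.sg .mail.yahoo.com .gmail.com .singnet.com.sg .insing.com
http_access allow boss
http_access allow lunch
http_access allow allowed
http_access deny all
EOF
}

# Usage: firewall_rules | sudo sh; dhcpd_reservations < hosts.txt >> /etc/dhcpd.conf;
#        squid_acls >> /etc/squid/squid.conf
```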

_______________________________________________
LUGS Mailing list - [email protected]
List FAQ: http://wiki.lugs.org.sg/LugsMailingListFaq
Info page: http://www.lugs.org.sg/mailman/listinfo/slugnet
To unsubscribe send an empty email to: [email protected]