Squish
Guest
Posted:
Thu Dec 01, 2005 9:23 am Post subject:
How to restrict Internet access for certain PCs to certain w
I have a few PCs that I want to limit their Internet access to nothing
more than Windows updates and AV updates. All other Internet access I
want blocked but I want to preserve LAN access via TCP/IP. Is there
an easy solution for this like a proxy software that I can place on a
server somewhere so that I do not need to configure each PC? I was
thinking about setting the gateway on these PCs (via the DHCP
reservation) to the IP address of the server with this software and
setting up various access rules on this server as necessary. This is
for a MS Windows environment but I could build and use a Linux box if
necessary. Please reply to the group, e-mail addy is not valid. TIA.
Wolfgang Kueter
Guest
Posted:
Thu Dec 01, 2005 5:22 pm Post subject:
Re: How to restrict Internet access for certain PCs to certa
Squish wrote:
Quote: I have a few PCs that I want to limit their Internet access to nothing
more than Windows updates and AV updates. [...]
Create for example the following architecture:

    Router
      |
      |
      |
    Packet-filter
      |
      +---Proxy (e.g. Linux running squid)
      |
      +---PC_1
      |
      +---PC_2
      |
      +---PC_3

Restrict outgoing http traffic on the packet-filter so that only the
proxy box is allowed to send it. Create ACLs on the proxy according to your
needs. Whitelisting is a good idea for your scenario because managing
a long blacklist on the proxy requires much more effort. Besides squid you
might also consider using squidguard which extends the filtering
possibilities of squid.
Of course the proxy might be placed on a third NIC of the packet-filter
but in this case you must not NAT from the LAN to the DMZ if you want to
use ACLs on the proxy based on the source IP. Besides source IP there are
other possibilities to create ACLs when using squid like
username/password authentication.
Wolfgang
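The whitelist-on-the-proxy design above can be sanity-checked before it goes live. The Python below is an added example, not code from any poster in this thread or from the squid project: it emulates squid's `src` and `dstdomain` ACL semantics (a leading dot matches the domain and all of its subdomains, no leading dot means an exact host) for the restricted PCs, applies the stock `CONNECT` port restriction, and the `source_as_seen_by_proxy` helper shows the NAT caveat from the post, where every PC reaches the proxy from the packet filter's own address. The domain names, the 192.0.2.0/29 range and the requests are constructed placeholders; the real Windows Update and AV vendor host lists have to be taken from the vendors' documentation.

```python
"""Whitelist check modelled on squid's src / dstdomain ACLs.

Added example; not code from the thread or from the squid project. All
domain names, address ranges and requests are constructed placeholders.

Equivalent squid.conf lines this models (order matters, first match wins):
    acl restricted_pcs src 192.0.2.0/29
    acl update_sites dstdomain .windowsupdate.example update.example.com .av-vendor.example
    acl SSL_ports port 443
    http_access deny CONNECT !SSL_ports
    http_access allow restricted_pcs update_sites
    http_access deny restricted_pcs
"""
import ipaddress
from typing import Iterable, Optional

# Constructed whitelist in squid dstdomain syntax: a leading dot matches the
# domain itself and every subdomain; no leading dot means an exact match.
UPDATE_WHITELIST = [
    ".windowsupdate.example",   # assumption: vendor update CDN
    "update.example.com",       # assumption: exact host only, no subdomains
    ".av-vendor.example",       # assumption: AV signature downloads
]

# Constructed: the restricted PCs (their IPs are pinned by DHCP reservations).
RESTRICTED_PCS = [ipaddress.ip_network("192.0.2.0/29")]
SSL_PORTS = (443,)


def normalise_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a :port suffix (CONNECT uses host:port)."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):                       # [2001:db8::1]:443
        return host[1:host.index("]")]
    if host.count(":") == 1:                       # name:port or v4:port
        host = host.rsplit(":", 1)[0]
    return host


def dstdomain_match(host: str, acl: Iterable[str]) -> bool:
    """squid dstdomain semantics on a name. IP-literal destinations never
    match a name list here, so they fall through to the deny (safe default)."""
    host = normalise_host(host)
    for entry in acl:
        entry = entry.lower().rstrip(".")
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def restricted(src: str) -> bool:
    """squid `src` ACL: is this client one of the restricted PCs?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RESTRICTED_PCS)


def decide(src: str, method: str, host: str, port: Optional[int] = None) -> str:
    """Return 'ALLOW' or 'DENY' for one proxied request, in http_access order."""
    if method.upper() == "CONNECT" and port not in SSL_PORTS:
        return "DENY"                              # http_access deny CONNECT !SSL_ports
    if not restricted(src):
        return "ALLOW"                             # other LAN hosts: no whitelist applied
    if dstdomain_match(host, UPDATE_WHITELIST):
        return "ALLOW"                             # http_access allow restricted_pcs update_sites
    return "DENY"                                  # http_access deny restricted_pcs


def source_as_seen_by_proxy(src: str, nat_lan_to_dmz: bool, filter_dmz_ip: str) -> str:
    """The NAT caveat: if the packet filter NATs LAN->DMZ, every PC reaches the
    proxy from the filter's DMZ address and the src ACL cannot tell them apart."""
    return filter_dmz_ip if nat_lan_to_dmz else src


if __name__ == "__main__":
    sample = [                                     # constructed requests
        ("192.0.2.3", "GET", "download.windowsupdate.example", 80),
        ("192.0.2.3", "CONNECT", "update.example.com:443", 443),
        ("192.0.2.3", "GET", "www.example.org", 80),
        ("192.0.2.50", "GET", "www.example.org", 80),
    ]
    for req in sample:
        print(decide(*req), req)
    # With NAT between LAN and DMZ a restricted PC no longer matches the src ACL:
    print(restricted(source_as_seen_by_proxy("192.0.2.3", True, "10.0.0.1")))
```

Two things the emulation makes visible: HTTPS update traffic arrives as `CONNECT host:443`, so the same `dstdomain` list has to cover those hosts or the updates silently fail; and with NAT between LAN and DMZ the `src` ACL sees the filter's address (10.0.0.1 above, assumed) for every client, so the restricted PC is treated as unrestricted. None of this matters unless the packet filter also drops direct outbound 80/443 from the PCs, as the post says.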
E.
Guest
Posted:
Fri Dec 02, 2005 1:58 am Post subject:
Re: How to restrict Internet access for certain PCs to certa
Squish wrote:
Quote: I have a few PCs that I want to limit their Internet access to nothing
more than Windows updates and AV updates. All other Internet access I
want blocked but I want to preserve LAN access via TCP/IP. Is there
an easy solution for this like a proxy software that I can place on a
server somewhere so that I do not need to configure each PC? I was
thinking about setting the gateway on these PCs (via the DHCP
reservation) to the IP address of the server with this software and
setting up various access rules on this server as necessary. This is
for a MS Windows environment but I could build and use a Linux box if
necessary. Please reply to the group, e-mail addy is not valid. TIA.
www.ipcop.org
Whack in IPCop, install the addonz filter, install the Cop+ mod, set it
to block everything bar whitelisted sites.
Cheers,
E.
Marc
Guest
Posted:
Sun Dec 04, 2005 1:16 am Post subject:
Re: How to restrict Internet access for certain PCs to certa
Instead of squidguard, you can also use ufdbGuard.
It has the same functionality as squidguard, but is 8-9 times faster.
You can download it from http://www.urlfilterdb.com or
http://sourceforge.net
-Marc
Charles Newman
Guest
Posted:
Sun Dec 04, 2005 6:54 am Post subject:
Re: How to restrict Internet access for certain PCs to certa
"Squish" <guest@yourplace.now> wrote in message
news:3c3to11q56jo3dau11oq4tin2hlhpgl7v7@4ax.com...
Quote: I have a few PCs that I want to limit their Internet access to nothing
more than Windows updates and AV updates. All other Internet access I
want blocked but I want to preserve LAN access via TCP/IP. Is there
an easy solution for this like a proxy software that I can place on a
server somewhere so that I do not need to configure each PC? I was
thinking about setting the gateway on these PCs (via the DHCP
reservation) to the IP address of the server with this software and
setting up various access rules on this server as necessary. This is
for a MS Windows environment but I could build and use a Linux box if
necessary. Please reply to the group, e-mail addy is not valid. TIA.
You will need to have two proxy servers, like I have on my network. One
is unrestricted, and is filtered, and does not require authentication, and
the other, requiring authentication, is unfiltered. That way, those users
authorized for unfiltered access can log on to the unfiltered proxy.
You just need to run two proxy programs on a PC running something
like AllegroSurf. Then you just set up your proxies. ProxyPro is
good for this, as it supports authentication, and then you use another
filtered system, such as CyBlock, for the filtered proxy.
What you want to do cannot be achieved through a firewall
appliance, you will need something with a little more muscle.
Somebody.
Guest
Posted:
Sun Dec 04, 2005 5:21 pm Post subject:
Re: How to restrict Internet access for certain PCs to certa
"Charles Newman" <charlesnewman1@comcast.spam-me-not.net> wrote in message
news:dZidnTtLkPjIow_e4p2dnA@comcast.com...
Quote:
"Squish" <guest@yourplace.now> wrote in message
news:3c3to11q56jo3dau11oq4tin2hlhpgl7v7@4ax.com...
[...]
You will need to have two proxy servers, like I have on my network. One
is unrestricted, and is filtered, and does not require authentication, and
the other, requiring authentication, is unfiltered. That way, those users
authorized for unfiltered access can log on to the unfiltered proxy.
You just need to run two proxy programs on a PC running something
like AllegroSurf. Then you just set up your proxies. ProxyPro is
good for this, as it supports authentication, and then you use another
filtered system, such as CyBlock, for the filtered proxy.
What you want to do cannot be achieved through a firewall
appliance, you will need something with a little more muscle.
Incorrect. With any Fortigate firewall appliance, I can filter by category
and create entirely different profiles to be applied to different sets of
IPs. No changes whatsoever are required on any of the machines, you simply
add them individually or via subnet masks to create groups which are applied
to the policies.
In the case of only wanting a very few addresses to be possible, rather than
only a few categories, I would simply create a set of whitelisted addresses
and/or top level domains, and enable that feature for the address groups in
question, leaving the others unfiltered. Or, I might still choose to block
porn and adware for the rest of the unfiltered PCs just for good measure.
You could add authentication to any of these policies if you choose, and
when the new firmware for these boxes comes out in a few weeks, it will even
use Active Directory groups to authenticate policies, and can even be
configured to allow an override to the category block with proper
credentials, allowing an admin to get to a different page for a special
download even on a filtered machine, for example. And it can all be logged.
The nice thing with this setup is that you can control it all centrally from
the appliance (via a browser); adding or removing PCs from each group, or
modifying the policies for each group as needed, without touching the PCs.
Not to mention you can enable intrusion prevention, antivirus, spam
filtering, and VPNs on the firewall if you are interested in those also.
Is that muscle enough for you?
-Russ
Charles Newman
Guest
Posted:
Mon Dec 05, 2005 6:36 am Post subject:
Re: How to restrict Internet access for certain PCs to certa
"Somebody." <somebody.@spamout.russdoucet.com> wrote in message
news:zHBkf.4494$43.481@nnrp.ca.mci.com!nnrp1.uunet.ca...
Quote:
"Charles Newman" <charlesnewman1@comcast.spam-me-not.net> wrote in message
news:dZidnTtLkPjIow_e4p2dnA@comcast.com...
"Squish" <guest@yourplace.now> wrote in message
news:3c3to11q56jo3dau11oq4tin2hlhpgl7v7@4ax.com...
[...]
You will need to have two proxy servers, like I have on my network. One
is unrestricted, and is filtered, and does not require authentication, and
the other, requiring authentication, is unfiltered. That way, those users
authorized for unfiltered access can log on to the unfiltered proxy.
You just need to run two proxy programs on a PC running something
like AllegroSurf. Then you just set up your proxies. ProxyPro is
good for this, as it supports authentication, and then you use another
filtered system, such as CyBlock, for the filtered proxy.
What you want to do cannot be achieved through a firewall
appliance, you will need something with a little more muscle.
Incorrect. With any Fortigate firewall appliance, I can filter by
category and create entirely different profiles to be applied to different
sets of IPs. No changes whatsoever are required on any of the machines,
you simply add them individually or via subnet masks to create groups
which are applied to the policies.
The problem is that most NAT software, hardware appliances, etc. use
dynamic addressing, via DHCP, so setting rules by address would not work
very well. It's the way that DHCP works. This was all part of the networking
course I had in college, back in 1999.
Triffid
Guest
Posted:
Mon Dec 05, 2005 7:07 am Post subject:
Re: How to restrict Internet access for certain PCs to certa
Charles Newman wrote:
Quote: "Somebody." <somebody.@spamout.russdoucet.com> wrote in message
news:zHBkf.4494$43.481@nnrp.ca.mci.com!nnrp1.uunet.ca...
"Charles Newman" <charlesnewman1@comcast.spam-me-not.net> wrote in message
news:dZidnTtLkPjIow_e4p2dnA@comcast.com...
"Squish" <guest@yourplace.now> wrote in message
news:3c3to11q56jo3dau11oq4tin2hlhpgl7v7@4ax.com...
[...]
You will need to have two proxy servers, like I have on my network. One
is unrestricted, and is filtered, and does not require authentication, and
the other, requiring authentication, is unfiltered. That way, those users
authorized for unfiltered access can log on to the unfiltered proxy.
You just need to run two proxy programs on a PC running something
like AllegroSurf. Then you just set up your proxies. ProxyPro is
good for this, as it supports authentication, and then you use another
filtered system, such as CyBlock, for the filtered proxy.
What you want to do cannot be achieved through a firewall
appliance, you will need something with a little more muscle.
Incorrect. With any Fortigate firewall appliance, I can filter by
category and create entirely different profiles to be applied to different
sets of IPs. No changes whatsoever are required on any of the machines,
you simply add them individually or via subnet masks to create groups
which are applied to the policies.
The problem is that most NAT software, hardware appliances, etc. use
dynamic addressing, via DHCP, so setting rules by address would not work
very well. It's the way that DHCP works. This was all part of the networking
course I had in college, back in 1999.
Perhaps if your knowledge was a little more current, you'd have heard of
DHCP reservations, and would not post such nonsense.
Triffid
Leythos
Guest
Posted:
Mon Dec 05, 2005 7:32 am Post subject:
Re: How to restrict Internet access for certain PCs to certa
In article <79SdnbEoeqsQFg7eRVn-uA@comcast.com>, charlesnewman1
@comcast.spam-me-not.net says...
Quote: The problem is that most NAT software, hardware appliances, etc. use
dynamic addressing, via DHCP, so setting rules by address would not work
very well. It's the way that DHCP works. This was all part of the networking
course I had in college, back in 1999.
Showing your limited scope of knowledge again Charles.
Reservations - look them up - allow you to enter a MAC address and have
the DHCP service re-issue the same IP to the same node each time.
Additionally, a fixed IP would also allow rules based on IP for
filtering.
So, as with my WatchGuard Firewall and Web Blocker service, I can set
all dynamic IP devices to be on a filtered connection and then a
specific range of fixed IPs to be on an unfiltered connection through
the firewall - heck, I can even authenticate with the firewall from any
"Filtered" location and due to a "User" rule I can even bypass the
Filtering at a filtered location.
You really need to learn more about networking Charles.
--
spam999free@rrohio.com
remove 999 in order to email me
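Every IP-keyed rule in this thread, whether a squid `src` ACL or an appliance address group, only holds while the restricted PCs keep the addresses their reservations promise. The Python below is an added example, not code from any poster or from ISC: it parses the `host` declarations and the dynamic `range` of a small ISC dhcpd.conf fragment (constructed inline) and checks them against the firewall's filtered address group, reporting restricted addresses that have no reservation (they will be leased dynamically, so the policy follows the address rather than the PC), reservations whose fixed address sits inside the dynamic pool, and a MAC reserved twice. Host names, MAC addresses and IP addresses are placeholders.

```python
"""Audit: are the IPs a filtering policy is keyed on pinned by DHCP reservations?

Added example; not code from the thread or from ISC. The dhcpd.conf fragment,
the MACs, the addresses and the restricted group are constructed placeholders.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed dhcpd.conf fragment in ISC syntax: one dynamic pool, four reservations.
DHCPD_CONF = """
subnet 192.0.2.0 netmask 255.255.255.0 {
  range 192.0.2.100 192.0.2.199;
  option routers 192.0.2.1;
}
host pc1 { hardware ethernet 00:11:22:33:44:01; fixed-address 192.0.2.11; }
host pc2 { hardware ethernet 00:11:22:33:44:02; fixed-address 192.0.2.12; }
host pc3 { fixed-address 192.0.2.150; hardware ethernet 00:11:22:33:44:03; }
host pc4 { hardware ethernet 00:11:22:33:44:02; fixed-address 192.0.2.14; }
"""

# Constructed: the "filtered" address group configured on the firewall or proxy.
RESTRICTED_GROUP = ["192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.150"]

HOST_BLOCK_RE = re.compile(r"\bhost\s+(\S+)\s*\{([^}]*)\}", re.S)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9A-Fa-f:]{17})\s*;")
FIXED_RE = re.compile(r"fixed-address\s+([0-9.]+)\s*;")
RANGE_RE = re.compile(r"\brange\s+(?:dynamic-bootp\s+)?([0-9.]+)\s+([0-9.]+)\s*;")

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_reservations(conf: str) -> Dict[str, str]:
    """fixed-address -> MAC for every host block that carries both statements,
    in whichever order the statements appear."""
    reservations: Dict[str, str] = {}
    for _name, body in HOST_BLOCK_RE.findall(conf):
        mac, ip = MAC_RE.search(body), FIXED_RE.search(body)
        if mac and ip:
            reservations[ip.group(1)] = mac.group(1).lower()
    return reservations


def parse_ranges(conf: str) -> List[Range]:
    """Every dynamic pool declared with a `range` statement."""
    return [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
            for lo, hi in RANGE_RE.findall(conf)]


def in_dynamic_pool(ip: str, ranges: List[Range]) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for lo, hi in ranges)


def audit(conf: str, restricted: List[str]) -> Dict[str, List[str]]:
    """Findings that make an IP-keyed policy drift away from the PC it targets:
    unreserved    - restricted IP with no reservation, so it is leased dynamically;
    inside_pool   - fixed address inside the dynamic range, which can collide with
                    a dynamic lease (the usual advice is to keep them outside it);
    duplicate_mac - one MAC reserved twice, which cannot both hold at once."""
    reservations = parse_reservations(conf)
    ranges = parse_ranges(conf)
    findings: Dict[str, List[str]] = {"unreserved": [], "inside_pool": [], "duplicate_mac": []}
    for ip in restricted:
        if ip not in reservations:
            findings["unreserved"].append(ip)
        elif in_dynamic_pool(ip, ranges):
            findings["inside_pool"].append(ip)
    seen = set()
    for mac in reservations.values():
        if mac in seen and mac not in findings["duplicate_mac"]:
            findings["duplicate_mac"].append(mac)
        seen.add(mac)
    return findings


if __name__ == "__main__":
    for kind, items in audit(DHCPD_CONF, RESTRICTED_GROUP).items():
        print(f"{kind}: {items or 'none'}")
```

Run against the constructed fragment, the audit flags 192.0.2.13 (in the filtered group but never reserved), 192.0.2.150 (reserved inside the 192.0.2.100-199 pool) and the MAC shared by pc2 and pc4. The same check applies to a SOHO router's reservation table; only the parser changes.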
Charles Newman
Guest
Posted:
Wed Dec 07, 2005 4:37 am Post subject:
Re: How to restrict Internet access for certain PCs to certa
"Triffid" <triffid@nebula.net> wrote in message
news:DpMkf.674$kt5.90369@news20.bellglobal.com...
Quote:
Charles Newman wrote:
"Somebody." <somebody.@spamout.russdoucet.com> wrote in message
news:zHBkf.4494$43.481@nnrp.ca.mci.com!nnrp1.uunet.ca...
"Charles Newman" <charlesnewman1@comcast.spam-me-not.net> wrote in
message news:dZidnTtLkPjIow_e4p2dnA@comcast.com...
"Squish" <guest@yourplace.now> wrote in message
news:3c3to11q56jo3dau11oq4tin2hlhpgl7v7@4ax.com...
[...]
You will need to have two proxy servers, like I have on my network. One
is unrestricted, and is filtered, and does not require authentication, and
the other, requiring authentication, is unfiltered. That way, those users
authorized for unfiltered access can log on to the unfiltered proxy.
You just need to run two proxy programs on a PC running something
like AllegroSurf. Then you just set up your proxies. ProxyPro is
good for this, as it supports authentication, and then you use another
filtered system, such as CyBlock, for the filtered proxy.
What you want to do cannot be achieved through a firewall
appliance, you will need something with a little more muscle.
Incorrect. With any Fortigate firewall appliance, I can filter by
category and create entirely different profiles to be applied to
different sets of IPs. No changes whatsoever are required on any of the
machines, you simply add them individually or via subnet masks to create
groups which are applied to the policies.
The problem is that most NAT software, hardware appliances, etc. use
dynamic addressing, via DHCP, so setting rules by address would not work
very well. It's the way that DHCP works. This was all part of the
networking course I had in college, back in 1999.
Perhaps if your knowledge was a little more current, you'd have heard of
DHCP reservations, and would not post such nonsense.
But you are talking about very expensive stuff that only very large ISPs
can afford to use. Your typical garden variety NAT software or hardware
appliance, that you might find in your home or office, is not going to
have this. Only the largest of corporations can afford systems
sophisticated enough for DHCP reservation.
Guest
Posted:
Wed Dec 07, 2005 6:14 am Post subject:
Re: How to restrict Internet access for certain PCs to certa
Charles Newman <charlesnewman1@comcast.spam-me-not.net> wrote:
Quote:
"Triffid" <triffid@nebula.net> wrote in message
news:DpMkf.674$kt5.90369@news20.bellglobal.com...
Charles Newman wrote:
The problem is that most NAT software, hardware appliances, etc. use
dynamic addressing, via DHCP, so setting rules by address would not work
very well. It's the way that DHCP works. This was all part of the
networking course I had in college, back in 1999.
Perhaps if your knowledge was a little more current, you'd have heard of
DHCP reservations, and would not post such nonsense.
But you are talking about very expensive stuff that only very large ISPs
can afford to use. Your typical garden variety NAT software or hardware
appliance, that you might find in your home or office, is not going to
have this. Only the largest of corporations can afford systems
sophisticated enough for DHCP reservation.
The NAT router I have at home (25 euro, good for securing the Windows
hosts not under my control) does this just fine. At least, if you mean
pre-assigning an IP to a MAC address.
Joachim
Triffid
Guest
Posted:
Wed Dec 07, 2005 9:22 am Post subject:
Re: How to restrict Internet access for certain PCs to certa
Charles Newman wrote:
Quote: "Triffid" <triffid@nebula.net> wrote in message
news:DpMkf.674$kt5.90369@news20.bellglobal.com...
Charles Newman wrote:
"Somebody." <somebody.@spamout.russdoucet.com> wrote in message
news:zHBkf.4494$43.481@nnrp.ca.mci.com!nnrp1.uunet.ca...
"Charles Newman" <charlesnewman1@comcast.spam-me-not.net> wrote in
message news:dZidnTtLkPjIow_e4p2dnA@comcast.com...
"Squish" <guest@yourplace.now> wrote in message
news:3c3to11q56jo3dau11oq4tin2hlhpgl7v7@4ax.com...
[...]
You will need to have two proxy servers, like I have on my network. One
is unrestricted, and is filtered, and does not require authentication, and
the other, requiring authentication, is unfiltered. That way, those users
authorized for unfiltered access can log on to the unfiltered proxy.
You just need to run two proxy programs on a PC running something
like AllegroSurf. Then you just set up your proxies. ProxyPro is
good for this, as it supports authentication, and then you use another
filtered system, such as CyBlock, for the filtered proxy.
What you want to do cannot be achieved through a firewall
appliance, you will need something with a little more muscle.
Incorrect. With any Fortigate firewall appliance, I can filter by
category and create entirely different profiles to be applied to
different sets of IPs. No changes whatsoever are required on any of the
machines, you simply add them individually or via subnet masks to create
groups which are applied to the policies.
The problem is that most NAT software, hardware appliances, etc. use
dynamic addressing, via DHCP, so setting rules by address would not work
very well. It's the way that DHCP works. This was all part of the
networking course I had in college, back in 1999.
Perhaps if your knowledge was a little more current, you'd have heard of
DHCP reservations, and would not post such nonsense.
But you are talking about very expensive stuff that only very large ISPs
can afford to use. Your typical garden variety NAT software or hardware
appliance, that you might find in your home or office, is not going to
have this. Only the largest of corporations can afford systems
sophisticated enough for DHCP reservation.
Charles, why do you persist in telling us what appliances can't do when
you clearly don't know?
The firewall appliance in front of my home network supports DHCP
reservations, as did the cheap NAT router it replaced, as do most SOHO
appliances.
Triffid
Moe Trin
Guest
Posted:
Thu Dec 08, 2005 1:55 am Post subject:
Re: How to restrict Internet access for certain PCs to certa
On Tue, 6 Dec 2005, in the Usenet newsgroup comp.security.firewalls, in article
<GL-dney_9NMEjwveRVn-oA@comcast.com>, Charles Newman wrote:
Quote:
"Triffid" <triffid@nebula.net> wrote
Charles Newman wrote:
This was all part of the networking course I had in college, back in 1999.
Perhaps if your knowledge was a little more current, you'd have heard of
DHCP reservations, and would not post such nonsense.
No, that's asking too much for Charles to learn ANYTHING beyond what was
taught in his single networking class.
Quote: But you are talking about very expensive stuff that only very large ISPs
can afford to use
Talk to your experts at CompUSA - DHCP reservations have been an available
part of most DHCP servers from the beginning, including very specifically
the _free_ versions that come with *BSDs or Linux. It's been part of the
DHCP specification since 1993 (see page 2 of RFC1541 dated October 1993),
and the ISC server found on many UNIX systems has had that capability even longer.
Quote: Your typical garden variety NAT software or hardware appliance, that you
might find in your home or office, is not going to have this. Only the
largest of corporations can afford systems sophisticated enough for DHCP
reservation.
How would you know, Charles?
Old guy
Somebody.
Guest
Posted:
Thu Dec 08, 2005 5:21 pm Post subject:
Re: How to restrict Internet access for certain PCs to certa
Quote: On Tue, 6 Dec 2005, in the Usenet newsgroup comp.security.firewalls, in
article
<GL-dney_9NMEjwveRVn-oA@comcast.com>, Charles Newman wrote:
Your typical garden variety NAT software or hardware appliance, that you
might find in your home or office, is not going to have this. Only the
largest of corporations can afford systems sophisticated enough for DHCP
reservation.
That paragraph is really quite humorous.
Seriously Charles, have you ever looked -- in this decade, anyway? The last
few times I was helping some guy out with his $49 Linksys or D-Link router,
or even the freebie router from Comcast, the DHCP server had reservation
capabilities, which is how I implemented the port forwarded server that they
were asking for help with. DHCP reservation is garden variety, dull, simple
networking. I think at some point some place I have seen a DHCP server
without reservation capability, but I can't remember for sure.
"Only the largest of corporations can afford..." really it's quite funny.
About the only thing that's left in the space that "only the largest of
corporations" can afford is sophisticated application firewalls like
http://www.teros.com/, or sophisticated access control devices like
http://www.verniernetworks.com/, and devices in the SOHO to medium office
space are peeling back those functionalities every day, as is the open
source community. Individual systems that used to cost thousands or tens of
thousands are now bundled up on boxes starting under $1000, or can be
assembled out of various bits of open source if you have the time and the
skills.
-Russ.