From owner-freebsd-questions Wed Apr 18 11:34: 9 2001
Message-ID: <009801c0c836$44c62780$6405a8c0@neland.dk>
From: "Leif Neland"
To: "bukky oluwaranti" ,
References: <20010418120709.84329.qmail@web12003.mail.yahoo.com>
Subject: Re: Internet access
Date: Wed, 18 Apr 2001 20:34:55 +0200

> Our company is a big Insurance company having about
> 150 workstations on a Netware 4.01 driven LAN. We
> presently have Internet connectivity through an ISP
> using direct Radio Link. All workstations are able to
> hook onto the Internet via a FreeBSD-based Network
> Address Translator (NAT) server.
>
> Our desire is to control indiscriminate Internet
> usage. Can you please advise me on how to go about
> this Internet access control to prevent staff from
> having access/ surfing Internet during office hours.

If you want to discriminate between machines, all machines must have a fixed IP. Either you must enter the IP address on each machine, or you must set up your DHCP server to always give the same IP to the same MAC address.

You must set up the firewall on your FreeBSD server so it is not possible to go directly to the internet; everybody must go through the squid proxy server.

On squid you can make rules for during which hours access is open and when it is restricted. You can make rules for addresses which are always blocked, or always open.

But you really should start with company rules: Define to your users what is acceptable use and what is not. Make it clear that usage can be measured and monitored. Decide beforehand what the consequences of abuse are. Have all this in writing.

It is really difficult to write firewall rules to decide whether access to a site is necessary for performing the job.

It is better to have access under responsibility. Only if it goes entirely into abuse can you consider applying technical limitations.

But really, if you are trying to solve a problem with technical means which should have been solved by the manager, the company has a much larger problem.

Leif
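The squid rules described in the message above could look like the following squid.conf fragment. This is an added example, not part of the original message; the LAN range, the exempt hosts, the blocked domains and the office hours are all assumed values. It only has effect if the firewall on the NAT box blocks direct outbound web traffic, as the message says.

```conf
# Added example: every address, domain and time range here is an assumption.

# Workstations behind the FreeBSD NAT server (assumed range).
acl lan src 192.168.1.0/24

# Fixed-IP machines that are always open. This is why each machine needs
# a static address or a DHCP reservation tied to its MAC address.
acl always_open src 192.168.1.10 192.168.1.11

# Destinations that are always blocked (placeholder domains).
acl blocked_sites dstdomain .example.com .example.net

# Office hours: Monday to Friday, 08:00-17:00.
# Squid day codes: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat
acl office_hours time MTWHF 08:00-17:00

# http_access rules are evaluated top to bottom; the first match decides.
http_access deny blocked_sites          # blocked for everyone, at any time
http_access allow always_open           # exempt hosts skip the time limit
http_access deny lan office_hours       # everyone else: no access in office hours
http_access allow lan                   # outside office hours the LAN is allowed
http_access deny all                    # nothing else may use the proxy
# ("all" is predefined in current Squid; old 2.x configs define it with
#  "acl all src 0.0.0.0/0.0.0.0")
```

Squid's access.log records the client address and URL of each request, which gives the usage measurement the message recommends announcing to users.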