Date: Sun, 7 Jul 2002 20:58:12 -0300 (ART)
From: Fernando Gleiser
To: Steven Lake
Subject: Re: Proxies and limited access

On Sun, 7 Jul 2002, Steven Lake wrote:

> Hi all. I've got one of our offsite locations that I was asked to
> outfit with a proxy server Friday (ok, so I'm slow getting to this) and
> set it to lock down all access to the lan.
>
> Obviously normal for a proxy server. But here's the catch. This
> will be inside of the normal security hardware that we have in place
> currently. What they want it to do is to block all the employees in the
> office, except a select few, from having ANY access to the internet.
> They'll still have VPN access to the main network, but no internet access.
>
> They want to block this by internal IP address, and by login. So
> if you have a qualifying IP address you will then be prompted to login to
> the Proxy server in order to have net access. If you don't have a
> qualifying IP address, you're blocked outright. Kind of double protection
> to keep employees working instead of surfing. I'm looking for a good
> proxy server port that will aid me in doing this and a tutorial on how
> best to set this up. Any help is welcome. Thanks.
>

If you are planning to block HTTP/FTP only, squid is a very good choice. You
can set ACLs based on login name, src/dst IP, src/dst domain, URL, regexes
and the like. There are a lot of good docs in the squid home page
(http://www.squid-cache.org) for running and configuring it. You can install
it from the ports (www/squid24).

If you need to proxy a lot of protocols, try socks5. The NEC implementation
is free for non-commercial use and it's available in the ports. There is also
a BSD-licensed implementation (Dante) which is also available in the ports.

Fer

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
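The IP-plus-login policy asked about above, sketched as a squid.conf fragment. This is an added example, not part of the original message: the addresses, realm text, helper name and file paths are assumptions, and it uses the `auth_param` syntax of later Squid releases (the 2.4 port named in the reply predates it, so check the squid.conf.default shipped with the port).

```conf
# Constructed example: addresses, realm text and file paths are assumptions.

# Basic authentication against an htpasswd-style password file.
# The helper's name and install location vary by Squid version and port.
auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc/squid/passwd
auth_param basic children 5
auth_param basic realm Internet access (authorized staff only)

# The select few workstations that qualify by internal IP address.
acl permitted_hosts src 192.168.10.21 192.168.10.22 192.168.10.40

# Matches only when the client has presented valid proxy credentials.
acl authenticated proxy_auth REQUIRED

# Rules are evaluated top to bottom; the first matching line decides.
# 1. Non-qualifying IP: denied outright, never prompted for a login.
http_access deny !permitted_hosts
# 2. Qualifying IP: access is allowed only after a successful login.
http_access allow authenticated
# 3. Default deny for anything not matched above.
http_access deny all
```

Basic proxy authentication sends the password base64-encoded, not encrypted, so it is readable to anyone who can capture traffic between the workstation and the proxy. The proxy only enforces the policy if the firewall also blocks direct outbound HTTP/FTP from the office LAN.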