From: Terry Lambert <tlambert2@mindspring.com>
Date: Sat, 29 Jun 2002 16:11:35 -0700
To: Nielsen
Cc: Joao Carlos, Luigi Rizzo, Ken Ebling, freebsd-hackers@freebsd.org
Subject: Re: ipfw/dummynet suggestion
Message-ID: <3D1E3EA7.6F7CFC2E@mindspring.com>

Nielsen wrote:
> > Seriously, I'm wondering what "security restrictions" are so
> > onerous that users are willing to change their IP addresses to
> > get around them, and why they are there in the first place?
>
> Well in certain cases it's company policy that certain machines (i.e. users)
> can't browse the web during certain hours. I didn't make the rules, just
> asked to implement them.
Yes, this is the same restriction that we were asked to implement in the
InterJet, even though it meant the proxy software had to be non-transparent
in order to grab credentials, and made life very complicated for all the
engineers.

I rather expect that you will find people fighting to step on the MAC
address of any middle and upper management machine that spends any time at
all in the "off" or "undocked" state. If your users want, I can give them
some pointers to sites on how they can do this under Windows. 8-).

Luigi is right: the only place you can really do this at this level is
under Windows.

The other alternative is to run a socks proxy, and make them use that to
get out to the Internet, giving internal users a non-routable IP address
and/or simply blocking the entire netblock, minus a couple of static IP
addresses (e.g. the gateway server/socks server).

Unless you are in a country that charges for the sending of packets (like
Japan), then you probably should not be trying to block employees from
going to www.m-w.com in order to use a thesaurus.

Note that there are a number of Windows products available (e.g.
"CyberPatrol", etc.) that can do what you want from a single machine, as
long as they are located somewhere on the wire out (they do it by forging
failure packets back from the remote system the user attempts to contact).

Maybe you just need to buy a copy of "NetNanny" or whatever?

-- Terry
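The two firewall policies contrasted in this thread, as an added example that is not part of the original message or of any FreeBSD code: a per-host ipfw deny list (the scheme users evade by changing their IP or MAC address) next to the "non-routable netblock, SOCKS proxy only" scheme Terry describes, where only the proxy host may leave the external interface and everyone else has to authenticate to the proxy. The netblock, proxy address and interface name are assumptions; the script prints the rules by default (IPFW=echo) and only loads them into a running kernel if you set IPFW=/sbin/ipfw.

```shell
#!/bin/sh
# Added example: ipfw rules for the two policies discussed on the list.
# All addresses and the interface name are assumptions for illustration.
IPFW=${IPFW:-echo}                  # set to /sbin/ipfw to actually load rules
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed RFC 1918 block for internal users
PROXY=${PROXY:-192.168.1.1}         # assumed gateway / SOCKS proxy host
OUT_IF=${OUT_IF:-fxp0}              # assumed external interface

# Weak policy: deny web access per host. Any listed machine is one
# address change away from an unlisted (and therefore permitted) one.
weak_ruleset() {
    for host in "$@"; do
        echo "add 1000 deny tcp from $host to any 80,443 out xmit $OUT_IF"
    done
}

# Hardened policy: only the proxy host may talk to the outside; the rest
# of the netblock is dropped on the external interface, so changing an
# address inside the block buys nothing. Users go through the proxy,
# which can demand credentials instead of trusting an IP address.
hardened_ruleset() {
    echo "add 1000 allow tcp from $PROXY to any out xmit $OUT_IF"
    echo "add 1001 allow tcp from any to $PROXY established in recv $OUT_IF"
    echo "add 1100 deny log ip from $LAN_NET to any out xmit $OUT_IF"
}

# Feed a ruleset to ipfw (or just echo it). The unquoted $rule is
# intentional: each rule is a list of ipfw arguments.
load() {
    "$1" | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $IPFW $rule
    done
}

# Count how many rules a ruleset emits; used for a quick sanity check.
rule_count() {
    "$1" | grep -c '^add '
}

load hardened_ruleset
```

Note that in the hardened ruleset the allow for the proxy (rule 1000) must precede the netblock deny (rule 1100); ipfw evaluates rules in number order and stops at the first match.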