From: Kevin Kinsey
Date: Wed, 11 Apr 2007 07:42:42 -0500
To: DSA - JCR
Cc: freebsd-questions@freebsd.org
Subject: Re: Forbidding or not access to webpages of network users
Message-ID: <461CD7C2.1040106@daleco.biz>
In-Reply-To: <2023.217.114.136.133.1176287010.squirrel@llca513-a.servidoresdns.net>

DSA - JCR wrote:
> Hi all in this list
>
> I want to know if there is a way to forbid to network users the access to
> fixed webpages.

Possibly.

> The example, I work in an enterprise in which several users are accessing
> to webpages others than the enterprise's own.
>
> I want that the users can only access to the webpages and services of
> the enterprise, but also that 2 PC can access everywhere (the boss ones).
>
> Can I make it with FreeBSD? How? I have read the Firewall handbook pages,
> but I don't know exactly if I can do it with PF, IPF or IPFW (or something
> else). (examples?)

A common solution is to install a proxy server (such as Squid
[/usr/ports/www/squid]) and set the firewall to not allow traffic from
any machines out to the WWW except the proxy server.

Squid can utilize "Access Control Lists"; here's a statement from my
"squid.conf":

    acl banned_sites url_regex -i "/etc/banned/porn"
    http_access deny banned_sites
    acl banned_sites2 url_regex -i "/etc/banned/games"
    http_access deny banned_sites2

You can also have an "allow only" list and deny all other requests.

> My users are W2K.
>
> On the other hand, I think this is a common problem, isn't it? ;D

For many people, yes.

Kevin Kinsey
-- 
Rules for Academic Deans:
    (1) HIDE!!!!
    (2) If they find you, LIE!!!!
        -- Father Damian C. Fandal
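
The "allow only" variant mentioned in the reply, sketched for the scenario in the question (company sites for everyone, two PCs unrestricted). This is an added example, not part of Kevin Kinsey's message or his squid.conf; the ACL names, IP addresses and file path are assumptions.

```conf
# Constructed example; addresses, ACL names and the file path are placeholders.

# The two unrestricted PCs (the "boss" machines).
acl bosses src 192.168.1.10 192.168.1.11

# Everyone else on the LAN.
acl localnet src 192.168.1.0/24

# Allow-only list, one domain per line in the file. A leading dot
# (".example.com") also matches every subdomain. dstdomain compares the
# host name only, so an allowed name placed in the path or query string
# of some other site's URL does not match, which a loose url_regex
# pattern would let through.
acl company_sites dstdomain "/usr/local/etc/squid/company_sites.txt"

# http_access rules are checked top to bottom and the first match decides.
# ACLs named on the same line are ANDed together.
http_access allow bosses
http_access allow localnet company_sites
http_access deny all
```

The proxy rules only bind clients that actually go through Squid, so the firewall rule from the reply (no outbound web traffic from any machine except the proxy server) is what makes the list enforceable.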