Topic: How can i deny internet acces for some internal ips?

[Calin]

Hi,
my E-Smith works perfectly

But i had a litle problem.
In my local network there is one computer who shouldn't have internet access?
Is there any optional modul to adjust  this?

Or must i change the squid.conf or any other config file?

It must deny the IP 192.146.0.46 and 192.168.0.88

Thanks for help and sorry for my bad englisch.

have a nice weekend

Calin

[Cyrus Bharda]

Calin,

I use a squid proxy-auth rpm that basically allows me to do authentication based on:

1. username and password
2. ip address

Because here at work, only a select few need to have internet access at their computer I have put them on permanent IP's and set them to have internet access without any prompts.

All other ip's get a prompt for username and password, which is handy becasue if I need access on someone's computer for a min I can setup my username to have access to the proxy and bingo.

In your case it would probably be the opposite, set the computers that get access to permanent ip's, download this rpm from www.e-smith.dnydns.com and install and then you will need a fragment that I use to edit it to allow insertion of source ip's, which I can email to you, and simlpy add all ip's to the access list.

Bingo all other computer but 1 have internet access

Cyrus Bharda

[Craig Jensen]

> then you will
> need a fragment that I use to edit it to allow insertion of
> source ip's, which I can email to you, and simlpy add all
> ip's to the access list.

Cyrus, I would be interested in that fragment if you don't mind

Thanks

Craig D. Jensen
cjensen@acenet-tech.org

[Cyrus Bharda]

Craig,

Suddenly I have gotten several requests for this fragment, so I am in the process of uploading it to my area of contribs.org.

So soon it should appear here:

http://mirror.contribs.org/smeserver/contribs/cbharda/contribs/squid-auth/

Please be patient as I am uploading several other rpms at the same time, and I only have a 56k modem connection so it might take 20 to 30 mins for that to appear, but it will appear

Enjoy!

Please note that I DID NOT write this fragment and DO NOT know what it does or how it works, it was written by a freind of a freind, who I do not know.

All I know is that it works

Cyrus Bharda

[Bill Pflaumer]

Cyrus

I would also be interested in your fragment. A while back, I download the PAM Authentication from www.e-smith.dnydns.com and it works great in concert with DansGuardian 2.6.0. I do have one question Cyrus, If a user authenticates to the proxy, they get onto the Interent, Great, but while on the Internet and authenticated, if they open thier email which may contain HTML code within the body of the message, the username/password dialog box pops up again. Any Ideas ??

Thanks
Bill

[Bill Pflaumer]

Calin
The URL that Cryus mentioned may be down so try http://linux06.chez.tiscali.fr/ (mirror site) and the filename he suggested to install is sme-squid-xxx.rpm. Another great rpm to download is Squid Report Generator call sme-sarg-xxx.rpm

Good luck and report back your findings !!

Bill

[Cyrus Bharda]

Bill,

I cannot comment on Dan's guardian because I do not use it, but with the proxy-auth I use any attempt to access http/ftp links will require authorisation, wether from IP or username/password that I have setup.

Sorry,

Cyrus Bharda

[Bill Pflaumer]

Cyrus,
DansGuardian is by far the best Internet Content filter I came across . I have kids so with PAM and DansGuardian you can set it up so 'the kids' authenticate to squid and are filtered by DansGuardian (no porn, ads ,gambling etc) but if you authenticate as say 'DAD'  (same PC) you are unfiltered ( go where you wish). I love it. Anyone need help will this just e-mail forum or me

I will be writing an article on my website soon of my experiences and howto.

Don't mean to be a pest but that template of yours sounds great and I will add it to my howto with your permission, so please email it to me at billy@hnisecure.com.

Thanks
Bill

[Cyrus Bharda]

Bill,

I do the same, except I use squidGuard to filter out bad websites porn/violence/etc/etc and just enter in ip's that are immune to it's filtering, and then use Vincent's squid auth for authentication.

The only bit that Dan's guardian is better than suiqGuard is that it looks that sites being loaded and blocks dynamically, where squidGuard does not, but then again, those who want to get around it will eventually figure it out, there is a lot of porn that is not blocked by Dan's guardian and squidGuard, but Dan's guardian will do a better job, theroretically.

I just use squidGuard + Vincent's squid-auth because with the addition of the template fragment for Vincent's rpm, you can specify IP's that do not need authorisation to get access.

I have no experience with Dan's guardian, and do not expect to, as I am totally happy with what squidGuard does, which does not mean that it is better in any way shape or form than Dan's guardian, I just like it and it does the job. I guess in my case it is a matter of if it aint broke, dont fix it.

I do not know if the fragent will work for users who have implemented Dan's guardian as it affects Vincent's rpm and how it works, but you are more than welcome to try

It is now up:

http://mirror.contribs.org/smeserver/contribs/cbharda/contrib/squid-auth/

There is both the fragment and Vincent's rpm.

Enjoy!

Cyrus Bharda

[calvin]

here is another solution :

http://forums.contribs.org/index.php?topic=15015.msg57590#msg57590