Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Steven Cooke on May 09, 2003, 07:05:30 PM
-
Hi guys
I'm sure this is a simple procedure, but no matter what I try (squid.conf) I can't restrict access to the web.
All I want to do is to allow some users access to the net, and disallow others - surely it can't be that hard.
Please could you point me in the right direction
e-smith ver 5.6 SME unsupported developers release so no blades!
Thanks
Steven
-
Steven,
I have done this 2 ways:
1. If your clients are XP/2000 Professional, then you can either set a bogus gateway on that computer, or do it with a DHCP reservation (if DHCP is not SME). If your users are just users, they cannot change this setting in Windows. If your users must use the gateway for non-web services, they will be cut off unless you specify certain subnets in each system's routing table.
2. You can use squidguard on SME. See if you can enter a "." (dot) as an untrusted expression. If it won't accept a ".", then enter each vowel as an untrusted expression. This should give an access denied to any web site URL that has a vowel in the address. It won't block by IP address (you would have to enter each single digit number 0-9 as an untrusted expression). For any users you want to have access, use squidguard manager to allow access to their IP address. You should use static addresses or reservations in this case.
Good Luck,
Ryan
-
Hello Steven,
I am currently working on a project with a 5.6 update4 server as a 'firewall only' server and will be posting my findings soon because I need some help 'stripping' the server of unneeded features. It goes something like this: 1. 400MHz PC, 8GB IDE, 2 NIC cards (I have a cable modem). 2. Install 5.6 as gateway/private server and update to latest U4. 3. Install rpms: IPSEC VPN, Service control, port opening, port forwarding, Review DHCP, System Monitor Disk utilization, update system, DansGuardian 2.6.0 and PAM (I will elaborate further in a later post). With the 'Services Module', I turn off unneeded services, leaving on DHCP, Transparent Proxy WEB Server and Web Proxy. 3. Install DG 2.6 along with Blacklists. 4. Install PAM (Pluggable Authentication Modules).
I just began working on this 'project', but my findings are as follows: 1. PAM and transparent proxy are not possible, so you need to set each browser to point to the proxy server at port 8080. 2. Users can bypass PAM if they know squid sits at port 3128. (I know iptables can help me here!!)
To use PAM and DansGuardian together goes something like this: 1. Add 5 users (A, B, C, D and E) to the firewall server. 2. Add users A and B to DansGuardian's exceptionuserlist. Users A and B will still need to authenticate to PAM with their username and password that is on the firewall, but will not be restricted from any websites (unfiltered). Users C, D and E will also need to authenticate to PAM, but will be filtered with DansGuardian, which will block them from porn sites and so on. If a user is NOT on the firewall server, then NO Internet access at ALL. The usernames and passwords do not need to be the same as your internal servers' usernames/passwords.
I need help to remove unneeded hyperlinks in the server-manager panel and tighten up this FW. I will be running vulnerability/port scans against the external interface using Nessus, ISS and GFI's system scanner.
If anyone wishes to help with this project please butt in.
Bill
-
Thanks Bill and Ryan
I figured out that what I was doing in squid.conf was actually correct, and that I have managed to block users using ACLs; I just didn't restart the squid service.
squidguard.org also looks like it is a very good, highly configurable service for restricting on a much wider set of rules.
Thanks
Steven
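
(Added example, not part of the original thread: a squid.conf fragment of the kind Steven describes, allowing some clients by source address and denying the rest. The ACL names and IP addresses are constructed placeholders.)

```conf
# Constructed example: ACL names and addresses are placeholders.

# Clients that may browse. Use static addresses or DHCP reservations so
# that an address really identifies one machine.
acl web_allowed src 192.168.1.10 192.168.1.11 192.168.1.12

# http_access rules are checked top to bottom and the first match wins.
#
# Weak ordering (shown commented out): the broad allow matches every LAN
# client first, so the deny below it is never reached.
#   acl lan src 192.168.1.0/255.255.255.0
#   http_access allow lan
#   http_access deny !web_allowed

# Corrected ordering: allow the listed clients, then deny everyone else.
# "all" is defined in the stock squid.conf on older Squid releases and
# predefined in newer ones.
http_access allow web_allowed
http_access deny all
```

Squid only reads squid.conf at startup or on request, so the rules take effect after a restart or after `squid -k reconfigure`; `squid -k parse` checks the file for syntax errors first.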
-
How do I install Web Access Control?
Richard Lopez A.
-
Richard,
Research squidguard.
-
Richard / Steven,
There is a contrib that I use that I have set up to block/allow access via IP or username authentication. It is very easy to use, adds a nice panel in the server-manager, and can be found in the contribs area of contribs.org:
http://mirror.contribs.org/smeserver/contribs/cbharda/contrib/squid-auth/
Please note this RPM IS FOR 5.5 ONLY NOT 5.6 !!
Cyrus Bharda