Rajesh K. Bahl wrote:
> Thanks but there is another constraint---- There is only one server
> running Linux and all the "client PCs" are windows Boxes.
>
> Also on top of it we need to prevent the users from "changing" their
> own IP addresses (which some "denied" users do to get access to
> internet ).
>
> What to do in such a case ?
>
>
>
> Regards
> Rajesh K. Bahl
1) Remove administrator access on the client systems so IP addresses are not changed
2) Statically assign IP addresses in two ranges. One for open access, other for virus
update only. Either through manual IP config, or by configuring your DHCP server to
serve the proper addresses by MAC address.
2a) (optional) Set up port restrictions on your network switches so that only your PCs
can get on the network (Restrict by MAC address). Need manageable switches for that.
3) ACLs in squid that match on IP ranges you set up that restrict the two classes of clients
in any way you want.
If you are unable to remove administrator access for some reason:
1) Break the network into two halves, either through separate network switches, or VLANs if
you have manageable switches.
2) Run two squids, one connected to the open half of the network, other on the restricted.
You can do this on one server either by having two network cards and binding each squid
to the appropriate card, or by using VLAN trunking. Each squid has the appropriate restriction
rules.
3) Physically secure your network jacks so the users don't replug themselves into the unrestricted
network.
First option is best, but for some reason you're letting users change their IP addresses, so
there's some restrictions there we don't know about ;-)
-- Robert Borkowski

Received on Thu Nov 03 2005 - 08:03:21 MST
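As an added illustration of steps 2 and 3 of the first option above (this is not a configuration from the original thread or from the Squid project), here is a squid.conf fragment that splits clients into the two classes by source address range and restricts the second class to the antivirus update host. The address ranges 192.168.10.0/24 and 192.168.20.0/24, the update host update.example.com and the proxy address 192.168.10.1 are assumed placeholders; substitute your own.

```squid
# Added example, not part of the original post. Assumed values:
#   192.168.10.0/24      open-access client range (hand-assigned or DHCP by MAC)
#   192.168.20.0/24      "virus update only" client range
#   .update.example.com  the antivirus vendor's update host
acl open_clients        src 192.168.10.0/24
acl update_only_clients src 192.168.20.0/24
acl av_update_sites     dstdomain .update.example.com

# Restricted class: the update host is the only destination allowed.
# Order matters; the first matching http_access line wins.
http_access allow update_only_clients av_update_sites
http_access deny  update_only_clients

# Open class: general web access (the stock Safe_ports / CONNECT
# rules from the default squid.conf should stay above this line).
http_access allow open_clients

# Anything else, including addresses outside both ranges, is refused.
http_access deny all

# For the second option (two squid instances, one per network half),
# each instance instead binds to its own interface address, e.g.:
#   http_port 192.168.10.1:3128
# and carries only the rules for the class on that side.
```

Because the rules key on the source address, this only holds up if the address ranges themselves are enforced, which is exactly why the post pairs it with removing local administrator rights or with DHCP reservations and switch port restrictions by MAC. A client that can change its own address to the open range walks straight past the deny line, so the `deny all` at the end is the safety net for addresses that belong to neither range, not for spoofed ones.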