
Re: [fw-wiz] Firewalling at the domain users level instead of network level



On 21 Jul 2004, charlie wrote:
> On Wed, 2004-07-21 at 14:34, Daniel Pittman wrote:
>> On 21 Jul 2004, Santos wrote:
>>> Chuck Swiger wrote:
>>>> On Jul 18, 2004, at 2:41 AM, Santos wrote:
>>
>> [...]
>>
>>>> The second concern is a matter of policy: why do you want your
>>>> firewall to treat users differently? If it's a bad idea for person A
>>>> to do some type of network connection, why should it be OK for person
>>>> B to do so?  If you restrict things so that only the services which
>>>> you trust all users to do are permitted, your security is likely to be
>>>> much improved compared to a policy based on an ever-growing pile of
>>>> per-user rules and exceptions.
>>>
>>> Because the people that contracted me wanted so :)  
>>
>> That was my presumption when I read this thread; it isn't a techies
>> idea, generally.
>>
>>> Some people should be working on other stuff instead of traveling on
>>> the web.
>>
>> From my years of experience, I would advise that you go back to your
>> client and suggest to them, gently but firmly, that trying to apply a
>> technical solution to a social problem is seldom effective.
>
> Have you looked into using iptables + squid + squidguard for transparent
> proxying, content filtering and access control?
> This combination is very effective and extremely flexible. You can limit
> access by time, source ip, destination url/ip etc.
>
> Check out www.squidguard.org

Now, thank you for posting that.  My argument is not that technical
solutions to the problem of per-user restrictions are impossible, just
that they are a bad idea. :)

That said, squidguard seems to be one of the best of the options out
there for dealing with this sort of thing.

Regards,
        Daniel

-- 
No sight is more provocative of awe than is the night sky.
        -- Llewelyn Powys
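The iptables + squid + squidGuard combination mentioned above, as an added example that is not part of the original thread. It shows the three pieces a practitioner actually has to write: a squidGuard policy keyed on source group, destination category and time of day; the squid.conf lines that intercept port 80 and hand each URL to squidGuard; and the iptables rule that sends LAN web traffic into Squid. Every path, address, interface name, group name and block-page URL is an assumption; the script only writes files and loads rules when run as root with APPLY=1, otherwise it just emits the configuration for review.

```shell
#!/bin/sh
# Added example (not from the original thread): transparent interception of
# TCP/80 with iptables, filtered by squidGuard through Squid's URL rewriter.
# Paths, networks, interface names and URLs below are assumptions.
set -eu

# squidGuard policy: who (src), what (dest), when (time), tied together in acl.
# Networks, group names and the block page are invented for the example.
squidguard_conf() {
    cat <<'EOF'
dbhome /var/lib/squidguard/db
logdir /var/log/squidguard

# Office hours, Monday to Friday.
time workhours {
    weekly mtwhf 08:00 - 17:00
}

# Source groups by IP. squidGuard can also key on "user"/"userlist", but that
# needs an authenticating, explicit (non-transparent) proxy.
src managers {
    ip 192.168.1.10 192.168.1.11
}
src staff {
    ip 192.168.1.0/24
}

# Destination category backed by plain-text lists under dbhome.
dest timewasters {
    domainlist timewasters/domains
    urllist    timewasters/urls
}

# Deny by default; only the listed groups get anything through.
acl {
    managers {
        pass all
    }
    staff within workhours {
        pass !timewasters all
        redirect http://intranet.example/blocked.html?client=%a&url=%u
    } else {
        pass all
    }
    default {
        pass none
        redirect http://intranet.example/blocked.html
    }
}
EOF
}

# squid.conf fragment: intercept mode plus the rewrite helper.
# "intercept" is the Squid 3.1+ keyword; Squid 2.6 spelled it "transparent".
squid_conf() {
    cat <<'EOF'
http_port 3128 intercept
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 5
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
EOF
}

# iptables: redirect port-80 traffic arriving on the inside interface to
# Squid, and accept the redirected connections on the proxy port.
iptables_rules() {
    lan_if=${1:-eth0}
    cat <<EOF
iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A INPUT -i $lan_if -p tcp --dport 3128 -j ACCEPT
EOF
}

# Apply only when explicitly asked; otherwise print the configuration.
if [ "${APPLY:-0}" = 1 ]; then
    squidguard_conf > /etc/squid/squidGuard.conf
    squid_conf > /etc/squid/squid.conf
    iptables_rules eth0 | sh
else
    squidguard_conf; echo; squid_conf; echo; iptables_rules eth0
fi
```

Two caveats a practitioner will want. First, interception only catches TCP/80: HTTPS is not URL-filtered this way, and anything that is not web traffic needs its own firewall rules. Second, transparent interception and proxy authentication do not mix, because browsers will not send credentials for a connection they do not know is proxied; to get the per-domain-user policy the original question asked for, run Squid as an explicit proxy with auth_param configured and use squidGuard's user-based src groups instead of IP groups. Note also that the default acl above is "pass none", which keeps the deny-by-default posture argued for earlier in the thread.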



Reply to: