
Re: [fw-wiz] Firewalling at the domain users level instead of network level



Daniel Pittman wrote:

On 21 Jul 2004, charlie wrote:
On Wed, 2004-07-21 at 14:34, Daniel Pittman wrote:
On 21 Jul 2004, Santos wrote:
Chuck Swiger wrote:
On Jul 18, 2004, at 2:41 AM, Santos wrote:
[...]

The second concern is a matter of policy: why do you want your
firewall to treat users differently? If it's a bad idea for person A
to do some type of network connection, why should it be OK for person
B to do so?  If you restrict things so that only the services which
you trust all users to do are permitted, your security is likely to be
much improved compared to a policy based on an ever-growing pile of
per-user rules and exceptions.
Because the people that contracted me wanted so :)
That was my presumption when I read this thread; it isn't a techie's
idea, generally.

Some people should be working on other stuff instead of traveling on
the web.
From my years of experience, I would advise that you go back to your
client and suggest to them, gently but firmly, that trying to apply a
technical solution to a social problem is seldom effective.

Well this was one of the main concerns the client talked about, as it is now, everyone can access everything, and the client doesn't like it. Not that the client wants to implement a China firewall/restrictions or something, it's just that the client doesn't want people to access files and resources they shouldn't be accessing. And let me disagree a little with you, sometimes applying a technical solution to a social problem works much more than seldomly, you just can't say to all script-kiddies, "Please don't hack my Samba and Sendmail machines, k? Thanks!" :) So you have to put a firewall there. But if you were talking about the social problems inside the network and not the big bad internet, you may be right.


Have you looked into using iptables + squid + squidguard for transparent
proxying, content filtering and access control?
This combination is very effective and extremely flexible. You can limit
access by time, source ip, destination url/ip etc.

Check out www.squidguard.org

Now, thank you for posting that.  My argument is not that technical
solutions to the problem of per-user restrictions are impossible, just
that they are a bad idea. :)

That said, squidguard seems to be one of the best of the options out
there for dealing with this sort of thing.

Regards,
       Daniel


Thanks all for the suggestions. I'll be using iptables and squid.


P.S.- I'm new to this list, and... shouldn't the reply be addressed to the mailing list instead of the person who sent the message?

Santos
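As an added illustration of the iptables + squid + squidGuard combination charlie describes above (not configuration from anyone in the thread): the excerpt below shows how access is limited by source address, time window and destination, plus the iptables rule that makes the proxy transparent. The LAN addresses, domain names, time window and file paths are constructed sample values; the syntax assumes Squid 2.6/3.x (`url_rewrite_program`, `http_port ... transparent`, spelled `intercept` from Squid 3.1) and a stock squidGuard install with its databases under /var/lib/squidguard.

```conf
# --- /etc/squid/squid.conf (excerpt; assumed paths and constructed values) ---
# Squid 2.6 uses "transparent"; Squid 3.1 and later spell the same mode "intercept".
http_port 3128 transparent

# Source-address groups (constructed example LAN).
acl localnet   src 192.168.1.0/24
acl accounting src 192.168.1.64/26

# Time window: Monday to Friday, 09:00-18:00 (day letters: M T W H F A S).
acl workhours time MTWHF 09:00-18:00

# Destination-based rule handled by Squid itself: deny a domain group during work hours.
acl timewasters dstdomain .example-social.test .example-video.test
http_access deny  localnet timewasters workhours

# Default-deny policy: only the LAN is allowed through, everything else is refused.
http_access allow localnet
http_access deny  all

# Hand every URL to squidGuard for category- and time-based filtering.
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 5

# --- /etc/squid/squidGuard.conf (assumed paths and constructed values) ---
dbhome /var/lib/squidguard/db
logdir /var/log/squidguard

time workhours {
    weekly mtwhf 09:00-18:00
}

src accounting {
    ip 192.168.1.64/26
}

dest social {
    domainlist social/domains      # one domain per line, e.g. example-social.test
    urllist    social/urls
}

acl {
    # Accounting may not reach "social" sites during work hours; blocked requests
    # are sent to an internal information page instead of being silently dropped.
    accounting within workhours {
        pass !social all
        redirect http://proxy.internal.test/blocked.html
    }
    default {
        pass all
    }
}

# --- transparent interception, run on the gateway (assumes eth0 is the LAN side) ---
# Divert LAN web traffic on port 80 into Squid; only this port is intercepted.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
```

Two caveats worth keeping in mind with this setup: the REDIRECT rule only catches what it matches (port 80 here), so anything on other ports or tunnelled over HTTPS passes the proxy untouched unless separately handled; and because a transparently intercepted browser does not know it is talking to a proxy, Squid cannot challenge it for credentials, so the policy above is per source address and time, not per domain user. Per-user rules of the kind the thread started with require an explicitly configured proxy with proxy authentication (Squid's `proxy_auth` ACL with an authentication helper) rather than interception.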







