| 1 |
>>> |
| 2 |
>> |
| 3 |
>> I think you would do well to setup a squid proxy and block outbound |
| 4 |
>> traffic for the affected machines. We've had great success with squid |
| 5 |
>> in our environment. This gives you a tremendous amount of flexibility |
| 6 |
>> on your access control, and it means you don't have to be concerned |
| 7 |
>> about which transport methods are used when updating/installing. |
| 8 |
>> Added bonus is that the squid caches your Gentoo download objects. |
| 9 |
> |
| 10 |
> Is that tough to set up? I would think an iptables solution would be |
| 11 |
> easier, but maybe that won't work out. |
| 12 |
> |
| 13 |
|
| 14 |
Well, you'll end up using iptables anyway right? If you really want |
| 15 |
to -force- folks to get out through a proxy, that is. Since you |
| 16 |
mention that the router is a gentoo box, should be an easy one. |
| 17 |
|
| 18 |
Tough to setup Squid? Naw. Of course, it's like most things, we don't |
| 19 |
know much about your network or the scope of your requirements. For |
| 20 |
our use case, we needed the following: |
| 21 |
|
| 22 |
-forced access through the proxy |
| 23 |
-website URL blacklisting and custom redirection based on massive regex lists |
| 24 |
--Automated notification on certain 'violations' |
| 25 |
-user account login to the proxy before internet access |
| 26 |
-username tied to all proxy logs |
| 27 |
-'manager' access to log data via nifty graphs on a web server |
| 28 |
|
| 29 |
So, ours took some time. :) |
| 30 |
|
| 31 |
Ya, I know these folks were uuber paranoid, and wanted the ability to |
| 32 |
nab folks for what they felt like was inappropriate internet usage... |
| 33 |
Anyway your situation sounds much simpler. So simple in fact that |
| 34 |
just a few tweaks to the default squid.conf can provide you with a |
| 35 |
functional config. |
| 36 |
|
| 37 |
There are heaps of doco out there on configuring Squid, so you should |
| 38 |
have a look and see what you think. You can easily get a little test |
| 39 |
proxy going on a desktop or laptop to try it out. :-) |
| 40 |
|
| 41 |
Hope this helps! |
| 42 |
|
| 43 |
-- |
| 44 |
Matt |
Archives