Oh yeah, and calamaris for parsing the resulting squid logfiles :)
On Wed, 2004-07-21 at 16:34, charlie wrote: > Hi, > > Have you looked into using iptables + squid + squidguard for transparent > proxying, content filtering and access control? > This combination is very effective and extremely flexible. You can limit > access by time, source ip, destination url/ip etc. > > Check out www.squidguard.org > > Hope this helps.. > > regards > charlie > > On Wed, 2004-07-21 at 14:34, Daniel Pittman wrote: > > On 21 Jul 2004, Santos wrote: > > > Chuck Swiger wrote: > > >> On Jul 18, 2004, at 2:41 AM, Santos wrote: > > > > [...] > > > > >> The second concern is a matter of policy: why do you want your > > >> firewall to treat users differently? If it's a bad idea for person A > > >> to do some type of network connection, why should it be OK for person > > >> B to do so? If you restrict things so that only the services which > > >> you trust all users to do are permitted, your security is likely to be > > >> much improved compared to a policy based on an ever-growing pile of > > >> per-user rules and exceptions. > > > > > > Because the people that contracted me wanted so :) > > > > That was my presumption when I read this thread; it isn't a techies > > idea, generally. > > > > > Some people should be working on other stuff instead of traveling on > > > the web. > > > > >From my years of experience, I would advise that you go back to your > > client and suggest to them, gently but firmly, that trying to apply a > > technical solution to a social problem is seldom effective. > > > > > > Before I go into detail there, though, do you actually need the > > 'hotseat' functionality that you are looking for, or would it be enough > > to put the "unprivileged" users in a fixed IP range with DHCP, and then > > firewall that more strongly? > > > > > > Anyway, back to the reasons why solving the abuse problem through > > firewall restrictions is a poor idea: > > > > The biggest reason is that drawing this distinction between users is a > > great way to encourage resentment and unhappiness among staff. > > > > By drawing that line your clients are saying "these people are important > > enough to flout the rules, those people are not" -- because having some > > staff able to surf the web at leisure implies precisely that. > > > > > > The other big reason is that the analysis that reaches the conclusion > > that some staff are abusing the Internet access is often flawed[1] in my > > experience. > > > > When I have been asked to implement this, which has happened at a number > > of places, it usually turns out that access to the Internet is a > > critical part of the day to day operation of that part of the > > organization. > > > > The most common requirements are data verification and queries about > > addressing, phone numbers and postage data -- and these are not things > > that the management are usually aware are required as part of the job. > > > > > > Finally, once you start telling people that they are going to do the > > wrong thing -- which this technical rules does tell them -- they are > > less likely to want to do the right thing in other areas. > > > > > > A more concrete and effective way of curbing the abuse of Internet > > access is to announce, *very* publicly, that Internet use will be > > monitored, and randomly sampled for compliance to policy. > > > > Then, give it two weeks and implement that: pick a half hour chunk of > > Squid logs *outside* of lunch breaks, and find out which of the staff > > are silly enough to still abuse their access. > > > > That requires minimal technical input, does not lead to any "unfair" > > rules at a technical level[2], and gives people the feeling that > > management and the technical staff expect them to do the right thing, > > not the wrong thing. > > > > > > So, in summary: there are probably much better ways of doing this. > > > > Daniel > > > > > > Footnotes: > > [1] Well, actually, uniformly incorrect, and reflective of a poor > > understanding of what is actually done by staff, but I still > > hesitate to make it an absolute statement. > > > > [2] This is extremely important if you don't want to find that all the > > staff hate you for implementing (or colluding with) this unfair > > system.[3] > > > > [3] ...and, yes, the "random sample" thing is the same technical > > effect, but perceived quite differently as a general rule -- not > > least of which is because it can be checked by a more clever > > human, not a blind and uncaring machine. > > -- > > Any attempt to curb user abuse will only result in more expensive abuse. > > -- Garret Boer > -- > ============================ > Charles Kidson > Systems Administrator > General Pants Group > [EMAIL PROTECTED] > ph 02 9290 0813 > fx 02 9299 6485 > mb 0428 61 7766 > ============================ -- ============================ Charles Kidson Systems Administrator General Pants Group [EMAIL PROTECTED] ph 02 9290 0813 fx 02 9299 6485 mb 0428 61 7766 ============================
