Although Masq is a good tool, for this situation it would be wiser to use
something like SQUID.

SQUID can be painlessly set up, and you can transparently have all of your
users use it without any client side configuration (Transparent Proxy). If
you check out the SQUID FAQ (http://www.squid-cache.org/Doc/FAQ/) you can
even see some examples of limiting access based on the time. (acl WORKING
time MTWHF 08:30-18:00). You can specify if this will affect individual
users or the entire company. Best of all, you get logs of the user's web
access.

We had a similar problem here where users were surfing for pr0n during
office hours... the url_regex feature is nice, allowing the admin to block
any sites that match a specified regular expression. I have it set up so
that the regular expressions are contained in two files, and choose to block
the site depending on words contained in the URL.

    acl BLOCK url_regex -i "/etc/squid.block"
    acl NOBLOCK url_regex -i "/etc/squid.noblock"

/etc/squid.block contains any words/regular expressions that you find
objectionable. (i.e.: sex, pics, xxx, microsoft\.com etc...)

/etc/squid.noblock contains words/regular expressions that should not be
blocked - even if the URL matches something in the block file. (good
examples: education, cancer, medical, slashdot\.org etc)

It should be noted that this is not a 100% solution, but it does cut down on
the ease that the employees are able to surf to these sites. Using the logs,
you can fine-tune it.

Bob.

> Setup: RedHat 6.2 running TrinityOS' *default* firewall script.
> (default meaning it has network-wide ipchains rules set up for the entire
> ip range of that network)
>
> How can I block a few machines on my internal network from accessing
> certain websites? Basically we have employees in the company that are
> abusing their surfing privileges and I've been instructed to block their
> machines. However, I don't want to place a network-wide block, just to
> those employees' machines. And this would also only have to be for web
> access to certain sites like Yahoo, Hotmail, MSN, etc. (basically,
> web-based email services).
>
> Now, ideally, I would like to set it up in such a way that the block
> only happens during office hours (8am to 6pm), and then get lifted after
> that. They're allowed to surf the net all they want, as long as they're
> not on company time. But, I don't know if that can be done.
>
> Ideas anyone?
>
> AMK4
>
> --
> I haven't lost my mind; it's backed up on tape somewhere.
> Ashley M. Kirchner <mailto:[EMAIL PROTECTED]> . 303.442.6410 x130
> SysAdmin / Websmith . 800.441.3873 x130
> Photo Craft Laboratories, Inc. . eFax 248.671.0909
> http://www.pcraft.com . 3550 Arapahoe Ave #6
> .................. . . . . Boulder, CO 80303, USA
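
Added example, not part of the original message or of Squid itself: a small Python model of how the time, per-machine and url_regex ACLs discussed above could combine, replayed over access.log lines to preview what a block/noblock list would deny before it goes live. The `http_access` rule in the comment, the client addresses, the pattern lists and the log lines are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, time, timezone

# Constructed stand-ins for /etc/squid.block and /etc/squid.noblock.
BLOCK = [r"sex", r"xxx", r"hotmail\.com"]
NOBLOCK = [r"education", r"medical", r"essex\.example"]
RESTRICTED = {"192.168.0.21", "192.168.0.22"}  # assumed addresses of the limited machines
DAYS, START, END = "MTWHF", time(8, 30), time(18, 0)  # acl WORKING time MTWHF 08:30-18:00

def matches(patterns, url):
    """Like url_regex -i: case-insensitive search anywhere in the URL."""
    return any(re.search(p, url, re.IGNORECASE) for p in patterns)

def in_working_hours(ts):
    """Squid day codes are S M T W H F A (H = Thursday, A = Saturday)."""
    return "MTWHFAS"[ts.weekday()] in DAYS and START <= ts.time() <= END

def decide(client, ts, url):
    """Assumed rule: http_access deny RESTRICTED WORKING BLOCK !NOBLOCK"""
    if (client in RESTRICTED and in_working_hours(ts)
            and matches(BLOCK, url) and not matches(NOBLOCK, url)):
        return "DENY"
    return "ALLOW"

def replay(log_lines):
    """Native access.log fields: time elapsed client code/status bytes method URL ..."""
    results = []
    for line in log_lines:
        f = line.split()
        ts = datetime.fromtimestamp(float(f[0]), tz=timezone.utc)  # assumes proxy clock is UTC
        results.append((f[2], f[6], decide(f[2], ts, f[6])))
    return results

# Constructed log lines (Monday 2000-09-04, UTC), not real traffic.
SAMPLE_LOG = [
    "968061600.123 210 192.168.0.21 TCP_MISS/200 4512 GET http://www.hotmail.com/ - DIRECT/192.0.2.10 text/html",
    "968061660.456 95 192.168.0.21 TCP_MISS/200 2310 GET http://www.essex.example/courses/ - DIRECT/192.0.2.11 text/html",
    "968095800.789 180 192.168.0.21 TCP_MISS/200 4512 GET http://www.hotmail.com/ - DIRECT/192.0.2.10 text/html",
    "968061720.000 200 192.168.0.50 TCP_MISS/200 4512 GET http://www.hotmail.com/ - DIRECT/192.0.2.10 text/html",
    "968061780.250 120 192.168.0.21 TCP_MISS/200 1800 GET http://www.middlesex-travel.example/ - DIRECT/192.0.2.12 text/html",
]

if __name__ == "__main__":
    for client, url, verdict in replay(SAMPLE_LOG):
        print(f"{verdict:5} {client:13} {url}")
```

The last sample line is an over-block ("sex" inside "middlesex") that a new entry in the noblock file would clear, which is the kind of log-driven tuning the message describes.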