----- Original Message -----
From: "Cota Carrasco Antonio" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, June 30, 2001 2:14 PM
Subject: [Masq] FireWall
> How can I give access to Internet to any IP but forbid the access to
> some pages.
> for example pages for download music, playboy, so on.
I don't think you really can. I mean you can filter out certain sites by
hand and reject connections to the IPs of those servers, you can install
special content filtering software that works through keywords, but no
matter what there will always be ways around it... and there's always
web-based proxies and all that.
From what you have said, my suggestion would be instead of opening it up to
everyone... what you could do is filter computers by MAC Address. Each
network device has a permanent hardware address... I believe a skilled user
would be able to spoof it, but for the most part it would stay the same and
you'd most likely be okay. I don't know exactly what you need to implement
this, but maybe someone else might be able to add more detail on that if it
sounds like a good idea. You could also set up a tight proxy server instead
of NAT -- so only services that can run over protocols the proxy supports
would work, which would stop things like Napster use [like anyone uses
Napster anymore anyway :-o]... depends how much you can tighten things
without interfering with people's work.
I think the best way to handle this would be to treat it more like a social
problem -- because no matter what you do there will be ways around most
filtering. What you could do is log where people are going (by MAC Address
as well, so you know it's really their machine) and set up strict company
policies to stop people from doing bad things. I know all this logging
would be an invasion of privacy, but if you can't trust your users and you
can't filter them for sure... you might have to do a little spying initially
just to prove to the users you mean business. I know I might get flamed for
saying this, but I really see no other clear solution (and what I suggested
really isn't a good long-term solution anyway, and I'm sure there's ways
around that by proxying and all that as well)... if someone has a better
idea please respond to the list.
Pankaj Arora
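
Added example, not part of the original message: one way to do the per-MAC logging suggested above, by reading the source MAC out of firewall log lines, listing destinations per machine, and flagging MACs missing from the inventory or an IP seen with more than one MAC (a sign of the spoofing mentioned). It assumes the gateway logs forwarded LAN packets with the iptables LOG target; the log prefix, MACs, IPs and host names are constructed.

```python
import re
from collections import defaultdict

GW = "00:50:56:aa:bb:01"  # constructed: MAC of the gateway's LAN interface
# Constructed inventory of machines allowed on the LAN (hypothetical names).
KNOWN = {"00:0c:29:11:22:33": "desk-01", "00:0c:29:44:55:66": "desk-02"}
# Constructed lines in the iptables LOG format. MAC= is the raw Ethernet
# header: 6 bytes destination, 6 bytes source, 2 bytes EtherType.
SAMPLE_LOG = f"""\
Jun 30 14:20:01 gw kernel: LAN-OUT: IN=eth1 OUT=eth0 MAC={GW}:00:0c:29:11:22:33:08:00 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40000 DPT=80
Jun 30 14:20:09 gw kernel: LAN-OUT: IN=eth1 OUT=eth0 MAC={GW}:00:0c:29:44:55:66:08:00 SRC=192.168.1.11 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40001 DPT=80
Jun 30 14:21:00 gw kernel: eth0: link up
Jun 30 14:22:30 gw kernel: LAN-OUT: IN=eth1 OUT=eth0 MAC={GW}:00:0c:29:77:88:99:08:00 SRC=192.168.1.10 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40002 DPT=6699
"""

LINE_RE = re.compile(
    r"MAC=(?P<mac>(?:[0-9a-f]{2}:){13}[0-9a-f]{2}) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)", re.I)

def parse(line):
    """Return (source MAC, source IP, dest IP, dest port) or None."""
    m = LINE_RE.search(line)
    if not m:
        return None  # not a firewall line, or no port (e.g. ICMP)
    octets = m["mac"].lower().split(":")
    return ":".join(octets[6:12]), m["src"], m["dst"], int(m["dpt"])

def analyse(log_text, known_macs):
    """Return (destinations per MAC, unknown MACs, IPs used by >1 MAC)."""
    visits, macs_per_ip = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        mac, src, dst, dpt = rec
        visits[mac].add((dst, dpt))
        macs_per_ip[src].add(mac)
    unknown = sorted(set(visits) - set(known_macs))
    conflicts = {ip: sorted(m) for ip, m in macs_per_ip.items() if len(m) > 1}
    return dict(visits), unknown, conflicts

if __name__ == "__main__":
    visits, unknown, conflicts = analyse(SAMPLE_LOG, KNOWN)
    for mac, dests in sorted(visits.items()):
        print(KNOWN.get(mac, "UNKNOWN"), mac, sorted(dests))
    print("MACs not in inventory:", unknown)
    print("IPs seen with several MACs:", conflicts)
```

A MAC that matches the inventory only shows that the frame carried that address, so the conflict and unknown lists are leads to check, not proof of who sat at the machine.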