Why don't you use an IP rule based on their DNS entry? They shouldn't be able to figure that out.
Unless they monitor this list! :) shawn "Aaron S. Joyner" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 09/11/2006 08:09 PM Please respond to Triangle Linux Users Group discussion list <[email protected]> To Triangle Linux Users Group discussion list <[email protected]> cc Subject Re: [TriLUG] MAC-based web blocking Brian Henning wrote: > The reason I don't want to use IP-based rules is that our problem > users are probably resourceful enough to try resetting their IPs. > > But yeah, I was already on that track; glad to have some encouraging > suggestions. :-) > > Thanks! > ~B So I'm like 5 days late in replying to this... but do you think they're not also resourceful enough to change their MAC addresses? You could do it by switch port if you're feeling particularly script-happy (and have basic managed switches), but what keeps them from plugging into a new switch port? If you're feeling like doing it right, use a managed switch and 802.1x to lock them into a separate VLAN, from which controlling access is a simple matter of only allowing http through squid from the subnet associated with that VLAN. Anything else just helps you sleep better at night, thinking you've actually achieved some controls they can't get around. But perhaps sleep or plausible deniability is all you're really after. Aaron S. Joyner -- TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug TriLUG Organizational FAQ : http://trilug.org/faq/ TriLUG Member Services FAQ : http://members.trilug.org/services_faq/ -- TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug TriLUG Organizational FAQ : http://trilug.org/faq/ TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
