Heh. Yeah, except we don't currently do in-house DNS (though
eventually, if I ever have time for hobby projects like that, I would
love to set it up...)
~B
Shawn William Taylor wrote:
Why don't you use an IP rule based on their DNS entry?
They shouldn't be able to figure that out.
Unless they monitor this list!
:)
shawn
"Aaron S. Joyner" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 09/11/2006 08:09 PM
Please respond to: Triangle Linux Users Group discussion list <[email protected]>
To: Triangle Linux Users Group discussion list <[email protected]>
Subject: Re: [TriLUG] MAC-based web blocking
Brian Henning wrote:
The reason I don't want to use IP-based rules is that our problem
users are probably resourceful enough to try resetting their IPs.
But yeah, I was already on that track; glad to have some encouraging
suggestions. :-)
Thanks!
~B
So I'm like 5 days late in replying to this... but do you think they're
not also resourceful enough to change their MAC addresses? You could do
it by switch port if you're feeling particularly script-happy (and have
basic managed switches), but what keeps them from plugging into a new
switch port? If you're feeling like doing it right, use a managed
switch and 802.1x to lock them into a separate VLAN, from which
controlling access is a simple matter of only allowing http through
squid from the subnet associated with that VLAN. Anything else just
helps you sleep better at night, thinking you've actually achieved some
controls they can't get around. But perhaps sleep or plausible
deniability is all you're really after.
Aaron S. Joyner
--
----------------
Brian A. Henning
strutmasters.com
336.597.2397x238
----------------
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
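
An added example, not part of the thread or any poster's configuration: a squid.conf fragment contrasting a MAC-based rule with the subnet-per-VLAN rule Aaron describes. The subnets, MAC addresses, ACL names and the allow-list domain are constructed placeholders, and the allow-list policy itself is an assumption about what the restricted users should still reach.

```conf
# --- Weak: the rule keys on a value the client controls -----------------
# A MAC match (Squid's "arp" ACL type) or a per-host IP match stops working
# as soon as the user changes the MAC or IP on their machine.
# acl problem_hosts arp 00:00:5e:00:53:01 00:00:5e:00:53:02   # constructed MACs
# http_access deny problem_hosts

# --- Stronger: the rule keys on where the network placed the client -----
# Assumption: the managed switch uses 802.1x to put these users into a
# dedicated VLAN whose subnet is 192.0.2.0/24 (constructed value).
acl restricted_vlan src 192.0.2.0/24
acl office_lan      src 198.51.100.0/24     # constructed: all other users
acl permitted_sites dstdomain .example.com  # constructed allow-list

# Restricted VLAN: allow-listed sites only, refuse everything else.
# Order matters: Squid applies the first http_access line that matches.
http_access allow restricted_vlan permitted_sites
http_access deny  restricted_vlan

# Everyone else keeps normal proxy access; unknown sources get nothing.
http_access allow office_lan
http_access deny  all
```

The subnet rule only holds if the router for that VLAN forwards nothing from 192.0.2.0/24 except traffic to the Squid port, so that the proxy is the sole path out.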