On Thursday 27 October 2005 07:53, James wrote:
> Well, there are lots of ways to 'skin the cat' here.
>
> Here's a good overview of some of the tools that you could use:
> http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12#doc_chap1
> The section on Squid would apply particularly to you.
>
> <snip>
> In this case, my policy states:
> * Surfing (HTTP/HTTPS) is allowed during work hours (mon-fri 8-17 and
>   sat 8-13), but if employees are here late they should work, not surf
> * Downloading files is not allowed (.exe, .com, .arj, .zip, .asf, .avi,
>   .mpg, .mpeg, etc)
> * We do not like banners, so they are filtered and replaced with a
>   transparent gif (this is where you get creative!).
> * All other connections to and from the Internet are denied.
> <snip>

Would it be possible to see an example of the squid config that does this?

> You'll most likely need a good firewall and an Application Level Gateway
> (ALG) to get robust control of your networks.
>
> On the firewall side of things, I have taken the 'painful' but superior
> route to learning/testing/reading/test/reading_some_more/testing.....
> to use raw ipfilter/netfilter to achieve fine-grained control of networks.
>
> Others will recommend you use a 'canned firewall' technology, such as
> shorewall, fwbuilder (etc) along with various packages that create
> your ALG.
>
> Learning raw ipfilter/netfilter is a very time consuming process, but,
> well worth the effort, in my experience. With the help of this list,
> you can achieve robust control over your networks, but, it
> does take time. The good thing about investing the time in a linux
> setting, is once you have a network management system in place, it's
> very straightforward to maintain, you do not have to spend money
> or waste time on vendors, and you learn how to *TEST* what you have
> to verify it works properly. Using a vendor makes you subjectively
> vulnerable to the vendor's financial goals and technical limitations.
> You'll not likely be able to afford a company that has 1/10th the
> security expertise that this list offers for free.
>
> Regardless of the path you choose, you have to test, modify and test
> your network again, with a variety of tools, to ensure robust content
> control and sufficient security.
>
> I'll assume you want the easy, minimal_pain route to controlling your
> networks, so I'll let the others pitch easy solutions that allow
> use of software packages such as shorewall + squid etc.
>
> If you want some more links to read about raw ipfilters, just let me know.
>
> HTH,
> James
--
John Jolet
Your On-Demand IT Department
512-762-0729
www.jolet.net
[EMAIL PROTECTED]

--
gentoo-user@gentoo.org mailing list
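The following squid.conf fragment is an added example answering the question above; it is not James's configuration, not John's, and not taken from the Gentoo handbook section he links. It expresses the quoted policy in Squid's own ACL language: surfing only during the stated hours, no downloads of the listed file types, banner hosts handed to a rewriter, and everything else denied. It assumes Squid 3.x or later directive names, a LAN of 192.168.1.0/24 (constructed), a banner domain list at /etc/squid/banner_domains.txt (constructed) and a hypothetical rewriter script /usr/local/bin/banner_rewrite.sh that answers each banner URL with the URL of a transparent gif.

```conf
# Added example (not from the thread or the Gentoo handbook).
# Assumes Squid 3.x+ syntax; the LAN range, the banner list path and the
# rewriter script are constructed placeholders for this example.

http_port 3128

# Who may use the proxy at all (constructed LAN range).
acl localnet src 192.168.1.0/24

# When: Squid day codes are S M T W H F A (H = Thursday, A = Saturday).
acl weekday_hours time MTWHF 08:00-17:00
acl saturday_hours time A 08:00-13:00

# What: the forbidden download types, matched on the URL path.
# -i makes the match case-insensitive so FILE.EXE is caught too; the
# trailing (\?|$) also catches "file.exe?token=..." style URLs.
acl forbidden_downloads urlpath_regex -i \.(exe|com|arj|zip|asf|avi|mpg|mpeg)(\?|$)

# Banners: requests to listed ad hosts go through a rewriter that replaces
# the URL with a transparent gif (hypothetical script, one domain per line
# in the constructed list file).
acl banner_hosts dstdomain "/etc/squid/banner_domains.txt"
url_rewrite_program /usr/local/bin/banner_rewrite.sh
url_rewrite_access allow banner_hosts
url_rewrite_access deny all

# Only plain web ports, and CONNECT (HTTPS tunnels) only to 443.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Policy, evaluated top to bottom, first match wins. The download deny
# comes first so it applies even inside working hours; ACLs on one line
# are ANDed, so "localnet weekday_hours" means LAN client AND work time.
http_access deny forbidden_downloads
http_access allow localnet weekday_hours
http_access allow localnet saturday_hours

# Everything else, including evening and Sunday surfing, is refused.
http_access deny all
```

Two caveats a practitioner checking this would raise. First, urlpath_regex only sees the path of plain HTTP requests; inside an HTTPS CONNECT tunnel Squid sees no path, so the download filter does not reach HTTPS downloads unless you add SSL inspection. Second, Squid only governs traffic that actually passes through it; the "all other connections denied" line of the policy is the firewall's job, which is the netfilter side James describes, and it has to block direct outbound 80/443 from the LAN or clients simply bypass the proxy. After editing, run `squid -k parse` to check the syntax and then test each rule from a client during and outside the allowed hours.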