Solved

Selectively unrestrict and restict web access based on IP address in SquidNT config

Posted on 2008-10-09
12
823 Views
Last Modified: 2013-12-16
Background:  here's my network subnets:
#unrestricted; but need to restricts porn, weapons, etc:
192.168.5.10  -  192.168.5.191  
192.168.10.10  -  192.168.10. 100
192.168.70.10  -  192.168.70. 191
#within the above subnets need to set up the following are administrators (completely unrestricted):
192.168.5.14,  192.168.5.192,  192.168.5.128,  192.168.5.19
192.168.10.223,  192, 168.10.124,   192.168.10.
192.168.70.92,  192.168.70.111
#the following should be restricted to the whitelist only and blocklist only:
192.168.5.192 - 192.168.5.254
192.168.10.101 - 192. 168. 10. 254
192.168.70.192  -  192.168.70.254

Access to the internet is based on IP addresses only (no user, no group authentications).
How do I define the ACLs and http_access based on the above scenario?
Please help!
0
Comment
Question by:grazal
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
12 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 22695085
To achieve a content based restriction, you would likely need to find a Commercial product such as http://www.securecomputing.com/ which I believe can be tied into squid.

The whitelist, blocklist I am uncertain of, but the following might be a reference:
http://www.screaming-penguin.com/node/3871
0
 
LVL 78

Expert Comment

by:arnold
ID: 22695188
Another option you might explore is using a GPO to enable/disable content filtering in IE using content adviser though the restriction might not be as fine grained to only limit a specific.
Squid can be configured to behave differently based on the user's group membership.  
0
 

Author Comment

by:grazal
ID: 22700108
So Squid can't do what I'm trying to do?  cuz this is all I need Squid to do for us.  We don't use active directory and GPO policies; stickly access to the web is by IP addresses only.

0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 78

Accepted Solution

by:
arnold earned 500 total points
ID: 22702792
0
 

Author Comment

by:grazal
ID: 22742494
It looks like content filtering sofware (e.g. Dans Guardian and Squid Guards) are only available in Unix OS.  I only have the SquidNT running in Windows 2000.   We have Unix OS in our network, but I don't know my way around Linux yet (I'm a Windows person).  I know how to navigate around Windows but not in Linux/Unix, that's why I opted for SquidNT instead.

I would like to use Squid in Linux, but I don't know my way around Linux.  
0
 

Author Comment

by:grazal
ID: 22744161
What about Untangle's web/content filtering?  Does it filter based on IP address and not by user/group policies?     Will it solve my original problem?   Please help!!!
0
 
LVL 78

Expert Comment

by:arnold
ID: 22744331
You can get knoppix, ubuntu, or centos live CDs.
www.knoppix.com
www.ubuntu.net
www.centos.org

Burn the CD, boot a system with the liveCD and check it out.  They will load in graphical mode.

If you have an older unused system lying around, you can setup one of the above. The configuration of squid file is the same.  In graphical mode, you can similarly navigate with the file manager tool to the location of the configuration files.
There are several resources on the net as well as here that will guide you through the setup you want.

Unfortunately, for content filtering options in squid, you may have little choice but to try your hand in setting up squid on linux.

I think you'll do fine.
0
 
LVL 78

Expert Comment

by:arnold
ID: 22744380
I am not familiar enough with untangle.  
0
 

Author Comment

by:grazal
ID: 22744486
Does enyone else out there familiar with Untangle?  If I donwload it in Windows 2000 server.  Will it work?
0
 

Author Comment

by:grazal
ID: 22744527
And if Untangle can work in a Win 2000 server.  Can Untangle become a Web proxy server?  I want to continue using our existing CISCO PIX firewall.  I just want to redirect my web filtering to Untangle and make it a proxy server.  Is that possible?
0
 
LVL 78

Expert Comment

by:arnold
ID: 22745618
Untangle does not support wccp according to another EE question (http://www.experts-exchange.com/Networking/Network_Management/Network_Design_and_Methodology/Q_23748436.html?sfQueryTermInfo=1+untangl) which might be what you are planning to do.  I.e. configure the pix to route web traffic through the squid process via wccp+gre.
Untangle has two options. one is what you've described.  The other is to install untangle onto a system creating a security appliance that will "transparently" filter web content.

You can through DNS advertise proxy setting that will be read in if auto-discovery of proxy settings is set in the browser.
http://nscsysop.hypermart.net/setproxy.html

0
 

Author Closing Comment

by:grazal
ID: 31504726
Thanks for your help.  I'll just use Squid for URL web filtering for now; and if I will take a different step if I want to pursue the content filtering later on.  For now, I'll just concentrate on the whitelist/blacklist only.
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question