Rajesh K. Bahl wrote:
Thanks, but there is another constraint: there is only one server running Linux and all the "client PCs" are Windows boxes. Also, on top of it, we need to prevent the users from "changing" their own IP addresses (which some "denied" users do to get access to the Internet). What to do in such a case?

Regards,
Rajesh K. Bahl
1) Remove administrator access on the client systems so IP addresses are not changed.

2) Statically assign IP addresses in two ranges: one for open access, the other for virus update only. Either through manual IP config, or by configuring your DHCP server to serve the proper addresses by MAC address.

2a) (optional) Set up port restrictions on your network switches so that only your PCs can get on the network (restrict by MAC address). Need manageable switches for that.

3) ACLs in squid that match on the IP ranges you set up and restrict the two classes of clients in any way you want.

If you are unable to remove administrator access for some reason:

1) Break the network into two halves, either through separate network switches, or VLANs if you have manageable switches.

2) Run two squids, one connected to the open half of the network, the other on the restricted half. You can do this on one server either by having two network cards and binding each squid to the appropriate card, or by using VLAN trunking. Each squid has the appropriate restriction rules.

3) Physically secure your network jacks so the users don't replug themselves into the unrestricted network.

The first option is best, but for some reason you're letting users change their IP addresses, so there are some restrictions there we don't know about ;-)

-- Robert Borkowski
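An added illustration of step 3 of the first option (this is example configuration, not Robert's own): a squid.conf fragment that gives the "open access" range full web access and limits the "virus update only" range to the vendor's update hosts. The two address ranges and the update-site domain are assumptions; substitute the ones you assign in step 2.

```conf
# Example squid.conf fragment (added example, not from the thread).
# Assumed addressing: open clients in 192.168.10.0/24, update-only
# clients in 192.168.20.0/24. Assumed vendor update domain is a placeholder.
acl open_clients     src 192.168.10.0/24
acl av_only_clients  src 192.168.20.0/24
acl av_update_sites  dstdomain .update.example-av-vendor.com

acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Refuse anything that is not plain web traffic, for both classes.
http_access deny !Safe_ports
http_access deny CONNECT !Safe_ports

# Open range: anything the Safe_ports rule lets through.
http_access allow open_clients

# Restricted range: only the antivirus update hosts.
http_access allow av_only_clients av_update_sites

# Everything else (including any client outside both ranges) is denied.
http_access deny all
```

Because the `src` ACLs key on the client's IP address, this control is only as strong as steps 1 and 2a: a user who can still change their own address or plug into another port simply moves into the open range. Check the squid access.log for requests from addresses outside both ranges, which is the sign that someone has done exactly that.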