On Sun, 12 Sep 2010 13:35:30 -0700 (PDT), devlin7 <it@xxxxxxxxxxxxxx> wrote:

> Thanks I figured as much. So I need a layer 7 firewall like NUFW or Palo
> Alto.
>
> Would a captive portal work?

Squid can be considered both of the above. http_access is a kind of layer-7 firewall just for HTTP.

I was about to suggest a captive portal approach; this is done with Squid by:

 * implementing WPAD/PAC on the network for all the software which supports it
 * manual configuration to use the proxy for all software sitting around the network long-term which can't do WPAD
 * interception of the remaining dregs.

The first two are the primary access levels; they allow you to use authentication on any requests received that way, thus assigning a much higher level of trust and wider access.

The interception layer allows catching of all the broken clients and weird traffic, suitable if you can design some cut-down level of access. Assuming that the worst problem users will be coming in this way is not too far short of reality. Captive portals face a choice with this traffic: whether to bounce it to a splash page explaining how to configure their browser properly, or to let it through silently with a lot of extra limits.

Amos
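As an added illustration of the three-tier layout Amos describes (it is not part of his message and not Squid's shipped configuration), the squid.conf fragment below gives authenticated, explicitly configured clients (WPAD/PAC or manual) wide access on one port, and puts intercepted traffic on a second port where only a short allow-list is reachable and everything else is bounced to a splash page via deny_info. The auth helper path, the 192.168.0.0/16 LAN, the .example.com allow-list and the proxy-help.example.internal splash host are constructed placeholders; the NAT/REDIRECT rule that steers port-80 traffic into the intercept port lives on the router or host firewall and is not shown.

```conf
# --- Listening ports -------------------------------------------------------
# Tier 1 and 2: WPAD/PAC and manually configured clients talk to this port.
http_port 3128

# Tier 3: everything else is NATed here by the firewall (rule not shown).
# The name= tag lets ACLs below tell the two ports apart.
http_port 3129 intercept name=intercept_port

# --- Authentication (only possible on the explicit port; intercepted
#     browsers will not answer a 407 challenge) -----------------------------
# Helper path is distribution-specific: assumed, adjust to your install.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Proxy access
auth_param basic credentialsttl 2 hours

# --- ACLs ------------------------------------------------------------------
acl localnet src 192.168.0.0/16              # constructed example LAN
acl authenticated proxy_auth REQUIRED
acl intercepted myportname intercept_port     # request arrived via the NAT port
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
# Cut-down access for intercepted traffic: a few sites plus the splash host,
# so the redirect itself is reachable through the intercept path.
acl intercept_ok dstdomain .example.com proxy-help.example.internal

# --- Access policy (first match wins; order matters) -----------------------
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Intercepted traffic is decided first, before any auth ACL is consulted,
# so it never receives a proxy-auth challenge it cannot answer.
http_access allow intercepted intercept_ok
http_access deny  intercepted
# Bounce denied intercepted requests to a page explaining how to set up
# the browser properly (deny_info with a URL answers with a redirect).
deny_info http://proxy-help.example.internal/setup.html intercepted

# Explicit-proxy clients: authenticate, then get the wide access level.
http_access allow localnet authenticated

http_access deny all
```

To switch from the "bounce to splash" choice to the "let it through silently with limits" one, replace the `http_access deny intercepted` / `deny_info` pair with further allow lines for intercepted traffic combined with `delay_pools` or additional dstdomain ACLs; the tier separation by port stays the same. Check the result with `squid -k parse` before reloading, and watch access.log for requests logged against the intercept port to confirm the NAT rule is actually delivering traffic there.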