I have a few PCs whose Internet access I want to limit to nothing more than Windows updates and AV updates. All other Internet access I want blocked, but I want to preserve LAN access via TCP/IP. Is there an easy solution for this, like proxy software that I can place on a server somewhere so that I do not need to configure each PC? I was thinking about setting the gateway on these PCs (via the DHCP reservation) to the IP address of the server with this software and setting up various access rules on this server as necessary. This is for a MS Windows environment, but I could build and use a Linux box if necessary. Please reply to the group; e-mail addy is not valid. TIA.
Restrict outgoing HTTP traffic on the packet filter so that only the proxy box is allowed to send it. Create ACLs on the proxy according to your needs. Whitelisting is a good idea for your scenario because managing a long blacklist on the proxy requires much more effort. Besides squid you might also consider using squidguard, which extends the filtering possibilities of squid.
Of course the proxy might be placed on a third NIC of the packet filter, but in this case you must not NAT from the LAN to the DMZ if you want to use ACLs on the proxy based on the source IP. Besides source IP there are other possibilities to create ACLs when using squid, like username/password authentication.
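A squid whitelist of the kind described above, as an added example that is not from the original post: the restricted PCs are identified by source IP (so their addresses must be pinned by DHCP reservations and must not be NATed before they reach the proxy), and only the listed update domains are reachable from them. The IP addresses, the port and the AV vendor domain are placeholders.

```conf
# Added example squid.conf fragment (not from the original post).
# Assumptions: the proxy listens on 3128, the restricted PCs were pinned to
# 192.168.1.50-52 by DHCP reservations, and the AV domain is a placeholder.
http_port 3128

# The PCs that may only reach update servers. This is a source-IP ACL, so
# nothing may NAT these addresses on the way to the proxy.
acl restricted_pcs src 192.168.1.50 192.168.1.51 192.168.1.52

# Destination whitelist; a leading dot matches the domain and all subdomains.
# Take the Windows Update list from Microsoft's documentation and the AV list
# from your AV vendor; the entries below are illustrative only.
acl update_sites dstdomain .windowsupdate.com .update.microsoft.com
acl update_sites dstdomain .updates.av-vendor.example

# Usual squid hygiene for CONNECT (HTTPS) tunnels.
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Restricted PCs: whitelisted domains only, everything else denied.
# Rules are evaluated top to bottom; the first match wins.
http_access allow restricted_pcs update_sites
http_access deny restricted_pcs

# Everyone else on the LAN gets normal proxy access.
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
```

The whitelist only works if the packet filter lets outbound 80/443 from the LAN originate at the proxy's address alone; otherwise a restricted PC can simply bypass the proxy. Watch the proxy's access.log for TCP_DENIED entries from the restricted PCs to find update hosts that still need to be added.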
You will have to have two proxy servers, like I have on my network. One is unrestricted, and is filtered, and does not require authentication, and the other, requiring authentication, is unfiltered. That way, those users authorized for unfiltered access can log on to the unfiltered proxy. You just need to run two proxy programs on a PC running something like AllegroSurf. Then you just set up your proxies. ProxyPro is good for this, as it supports authentication, and then you use another filtered system, such as CyBlock, for the filtered proxy.
What you want to do cannot be achieved through a firewall appliance, you will need something with a little more muscle.
Incorrect. With any Fortigate firewall appliance, I can filter by category and create entirely different profiles to be applied to different sets of IPs. No changes whatsoever are required on any of the machines; you simply add them individually or via subnet masks to create groups which are applied to the policies.
In the case of only wanting a very few addresses to be possible, rather than only a few categories, I would simply create a set of whitelisted addresses and/or top level domains, and enable that feature for the address groups in question, leaving the others unfiltered. Or, I might still choose to block p*rn and adware for the rest of the unfiltered PCs just for good measure. You could add authentication to any of these policies if you choose, and when the new firmware for these boxes comes out in a few weeks, it will even use active directory groups to authenticate policies, and can even be configured to allow an override to the category block with proper credentials, allowing an admin to get to a different page for a special download even on a filtered machine, for example. And it can all be logged.
The nice thing with this setup is that you can control it all centrally from the appliance (via a browser): adding or removing PCs from each group, or modifying the policies for each group as needed, without touching the PCs. Not to mention you can enable intrusion prevention, antivirus, spam filtering, and VPNs on the firewall if you are interested in those also.
The problem is that most NAT software, hardware appliances, etc. use dynamic addressing, via DHCP, so setting rules by address would not work very well. It's the way that DHCP works. This was all part of the networking course I had in college, back in 1999.
Showing your limited scope of knowledge again Charles.
Reservations - look them up - allow you to enter a MAC address and have the DHCP service re-issue the same IP to the same node each time.
Additionally, a fixed IP would also allow rules based on IP for filtering.
So, as with my WatchGuard firewall and Web Blocker service, I can set all dynamic-IP devices to be on a filtered connection and then a specific range of fixed IPs to be on an unfiltered connection through the firewall - heck, I can even authenticate with the firewall from any "filtered" location and, due to a "user" rule, I can even bypass the filtering at a filtered location.
You really need to learn more about networking Charles.
But you are talking about very expensive stuff that only very large ISPs can afford to use. Your typical garden-variety NAT software or hardware appliance, that you might find in your home or office, is not going to have this. Only the largest of corporations can afford systems sophisticated enough for DHCP reservation.
No, that's asking too much for Charles to learn ANYTHING beyond what was taught in his single networking class.
Talk to your experts at CompUSA - DHCP reservations have been an available part of most DHCP servers from the beginning, including very specifically the _free_ versions that come with *BSDs or Linux. It's been part of the DHCP specification since 1993 (see page 2 of RFC1541 dated October 1993), and the ISC server found on many UNIX systems has had that capability even longer.
Seriously Charles, have you ever looked -- in this decade, anyway? The last few times I was helping some guy out with his $49 Linksys or D-Link router, or even the freebie router from Comcast, the DHCP server had reservation capabilities, which is how I implemented the port-forwarded server that they were asking for help with. DHCP reservation is garden-variety, dull, simple networking. I think at some point some place I have seen a DHCP server without reservation capability, but I can't remember for sure.
"Only the largest of corporations can afford..." really it's quite funny. About the only thing that's left in the space that "only the largest of corporations" can afford is sophisticated application firewalls like
or sophisticated access control devices like
and devices in the SOHO to medium office space are peeling back those functionalities every day, as is the open source community. Individual systems that used to cost thousands or tens of thousands are now bundled up on boxes starting under $1000, or can be assembled out of various bits of open source if you have the time and the skills.