Re: [ILUG] Proxy server for Linux

From: John P. Looney (john at domain antefacto.com)
Date: Mon 11 Jun 2001 - 13:03:37 IST


On Mon, Jun 11, 2001 at 12:52:07PM +0100, Dermot Beirne mentioned:
> 1. We are switching to DHCP for IP addressing from Static. Up until now,
> we manually added each individual address to the firewall access list to
> allow someone Internet access. With DHCP this can no longer happen. I
> basically need to be able to control who has Internet access and still have
> a dynamic IP address structure. I believe I need a proxy server.

 Indeed. Squid will do user-based authentication. The old host-based stuff
was a little insecure - after all, people can just change the IPs of
their machines.

 What you can also do (though I'm sure it's something you thought of, and
considered it too much effort) would be to put non-net people on a
different subnet, and then set up DHCP to give the same set of IPs to that
subnet.

> 2. Local caching point will be a side benefit, as I believe it can have a
> significant beneficial effect on the bandwidth, but my primary concern is
> to control who has Internet access.

 Proxy servers generally double your available bandwidth, and help latency
no end.

> 3. I believe that NAT or masquerading is not the answer to my problem, am I
> wrong??

 You don't need it, no.

> 4. I would like the proxy to be totally transparent if possible. IP
> services required will mainly be HTTP traffic, but with the option of
> allowing FTP or other such services to certain users if required.

 You can put in a redirect rule with iptables/ipchains, to redirect
requests going outbound on port 80 to Squid, and set up Squid to accept
those connections as a transparent proxy. Of course, this still means that
people connecting to webservers on non-standard ports wouldn't go through
the proxy, but that's not a big deal.

> 5. The network is quite complex with multiple sites involved, but at the
> moment they are all coming through the same firewall in HQ, I believe I
> will be able to get away with one proxy, or at least, this is what I would
> like.

 Indeed. Shouldn't have a problem. The more people that use it, the more
that's cached.

> 6. Uptime is a business requirement during office hours, but not as
> essential during evenings or weekends. Certain downtime is acceptable, but
> the shorter the better.

 Not a problem with squid. I've never seen it crash.

> 7. At the moment there is no requirement for reporting or activity
> monitoring, but I believe that this will be a definite requirement in the
> near future, and thus I will be needing the ability to produce detailed
> logs without reinstalling a totally new product to achieve this.

 It's got all the log options you want, if you get a plugin. Search for
squid on freshmeat, and the number of packages will surprise you!

Kate

-- 
 "When I say 'free', I mean 'free': free from bond, of chain or command:
to go where you will, even to Mordor, Saruman, if you desire."
    -- Gandalf, paraphrasing the choice between Free and Non-free software
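The two pieces the reply above describes, the iptables redirect of outbound port 80 into Squid and a Squid configuration that accepts those connections, written out as an added example. This is not code from the thread or from the Squid project; the interface name, subnet, proxy address, listener ports, and the basic_ncsa_auth helper path and password file are assumed placeholders, and the squid.conf lines use the Squid 3.1+ `intercept` syntax rather than the httpd_accel_* directives Squid 2.x used in 2001. The rules are generated as text so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not code from the ILUG thread or the Squid project.
# All addresses, interface names, ports and helper paths below are assumed.
set -eu
LAN_IF="eth1"                 # interface facing the desktops
LAN_NET="192.168.1.0/24"      # the DHCP pool handed out to them
PROXY_IP="192.168.1.1"        # the Squid box, on the same LAN
INTERCEPT_PORT="3129"         # Squid's interception listener
EXPLICIT_PORT="3128"          # Squid's ordinary, authenticating listener

# Transparent mode: divert TCP/80 arriving from the LAN into Squid. Only
# port 80 is matched, which is why a web server on a non-standard port
# bypasses the proxy, as the reply notes. Matching on the inbound interface
# keeps Squid's own outbound fetches (which leave via OUTPUT, not
# PREROUTING) out of the rule, so there is no redirect loop.
intercept_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $INTERCEPT_PORT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $INTERCEPT_PORT -j ACCEPT
EOF
}

# Explicit mode: no diversion at all. Direct port 80/443 from the LAN is
# dropped in FORWARD, so the only way out is the authenticating proxy port
# that each browser has been pointed at. This is the mode that actually
# gives per-user control.
explicit_only_rules() {
    cat <<EOF
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j DROP
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j DROP
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $EXPLICIT_PORT -j ACCEPT
EOF
}

# squid.conf fragment carrying both listeners. The intercepted port cannot
# demand credentials: a browser that believes it is talking to the origin
# server ignores a 407 proxy-authentication challenge, so the intercept
# listener is allowed by source network only, and user-based control lives
# on the explicit port.
squid_conf() {
    cat <<EOF
http_port $PROXY_IP:$INTERCEPT_PORT intercept name=intercept
http_port $PROXY_IP:$EXPLICIT_PORT name=explicit
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl localnet src $LAN_NET
acl intercepted myportname intercept
acl authed proxy_auth REQUIRED
http_access allow localnet intercepted
http_access allow localnet authed
http_access deny all
EOF
}

# Usage: ./proxy-rules.sh [show|apply-intercept|apply-explicit]
# "show" (the default) only prints; the apply modes need root and feed the
# generated lines to a shell that stops at the first failing command.
case "${1:-show}" in
    show)
        intercept_rules; echo; explicit_only_rules; echo; squid_conf ;;
    apply-intercept|apply-explicit)
        [ "$(id -u)" -eq 0 ] || { echo "$1 needs root" >&2; exit 1; }
        if [ "$1" = apply-intercept ]; then intercept_rules; else explicit_only_rules; fi | sh -e ;;
    *)
        echo "unknown mode: $1" >&2; exit 1 ;;
esac
```

The point of keeping both rule sets side by side is that they answer different parts of the question: interception gives the "totally transparent" behaviour and the caching benefit, but every desktop on the subnet gets out regardless of who is sitting at it, so the user-based authentication the reply mentions only bites if browsers are configured for the explicit port and direct web traffic is blocked in FORWARD.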


This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:10:37 GMT