On Fri, 28 Mar 2008 12:41:43 +0000 Chris G cl@isbd.net allegedly wrote:
Is this something best done through groups?
Assuming you have a router of some sort between the LAN and the internet this sounds to me like it should be done in the router's firewall setup. Certainly both of my routers would allow this to be done very easily using the Web configuration utilities.
Yes and no. (Here I'm assuming that by "accessing the net" Peter means "accessing the web").
Any decent security policy will limit outbound web connections from a LAN to the internal proxy (or firewall). All clients should be configured to use that proxy, and only that proxy (just as all clients should be configured to send outbound mail to the local mail server and only that mail server is allowed to make outbound SMTP connections).
So there shouldn't need to be any change to the router ACLs, it should already default deny outbound connections from clients :-)
This leaves the proxy or firewall as the place to enforce the deny policy on the client(s) in question.
Mick
---------------------------------------------------------------------
This is a Microsoft free zone. Please do not send me Microsoft Word Documents. For some reasons, see:
http://www.gnu.org/philosophy/no-word-attachments.html
http://www.goldmark.org/netrants/no-word/attach.html
---------------------------------------------------------------------
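
The policy described in the message above, modelled as an added example that is not part of the original thread: the router default-denies outbound connections except from the proxy and mail server, and the per-client web block is enforced at the proxy. All addresses, ports and names (`decide`, `audit`, `BLOCKED_CLIENTS`) are constructed assumptions.

```python
import ipaddress

# Constructed addresses for illustration; none come from the original thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
PROXY = ipaddress.ip_address("192.168.1.2")
MAIL_SERVER = ipaddress.ip_address("192.168.1.3")
BLOCKED_CLIENTS = {ipaddress.ip_address("192.168.1.50")}

# Router egress allow-list as (source host, destination port); all else is denied.
EGRESS_ALLOW = {(PROXY, 80), (PROXY, 443), (MAIL_SERVER, 25)}


def decide(src, dst, dport):
    """Return (verdict, enforcement point) for one connection attempt."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in LAN:
        return ("deny", "router")  # this sketch models traffic from LAN hosts only
    if dst == PROXY:
        # Per-client web policy lives on the proxy, not in the router ACLs.
        return ("deny", "proxy") if src in BLOCKED_CLIENTS else ("allow", "proxy")
    if dst in LAN:
        return ("allow", "local")  # stays on the LAN, never reaches the router
    # Outbound: default deny unless the source is the designated relay for that port.
    return ("allow", "router") if (src, dport) in EGRESS_ALLOW else ("deny", "router")


def audit(flows):
    """Return the flows the policy refuses, each tagged with where it is refused."""
    refused = []
    for src, dst, dport in flows:
        verdict, where = decide(src, dst, dport)
        if verdict == "deny":
            refused.append((src, dst, dport, where))
    return refused


# Constructed sample flows (documentation address ranges for the external hosts).
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.1.2", 3128),   # ordinary client using the proxy
    ("192.168.1.50", "192.168.1.2", 3128),   # blocked client using the proxy
    ("192.168.1.50", "203.0.113.10", 443),   # blocked client bypassing the proxy
    ("192.168.1.20", "198.51.100.25", 25),   # client sending mail directly
    ("192.168.1.2", "203.0.113.10", 443),    # proxy fetching on behalf of clients
    ("192.168.1.3", "198.51.100.25", 25),    # mail server relaying outbound
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(row)
```

The blocked client is refused at the proxy when it follows the configured path and at the router when it tries to go around it, so no router ACL change is needed to add or remove a blocked host.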