Hi Eli, thank you for your quick reply. I was also hoping I can use the MAC address of the client PC or by user. If I use the packet filter as in your example, I guess I will stick to "any" for each individual user as service. Do I still need to use the masquerading for each, or perhaps the DNAT/SNAT for each individual client PC? Will that be necessary? Or does the packet rule have enough security? Or what else may you suggest? Thanks! [:)]
Since I have not been using the Astaro for long, I can't answer your question regarding the MAC address... Sorry
By adding the IP => any you will allow the PC to access WAN, LAN, ...
Depending on your network structure you can play with different services/ networks.
DNAT / SNAT isn't needed since this will just forward an incoming up to a different location (right? [:)])
We use this for websites that we are hosting on servers
E.g.
Any => WAN address .237 (via port 15470)
Destination => Server (via port 21)
So for just access to the internet you do not have to set up this rule.
For masquerading it also depends on your network structure...
We just use
Lan => Wan
Lan => DMZ
It would indeed be good to provide more information so we can assist you in a better way.
Oh ok - I thought it had encompassing power over the HTTP proxy rules...
Yesh, we have a Web Security subscription...
I cannot for the life of me find a way to block specific machines or IPs from surfing other than eDIR group membership or GPO, which are user-based mechanisms.
I need to block specific devices from surfing and there is no easy way to disable IE in Windoze XP that I know of - even if I could, that would probably cause additional issues.
Currently, we use eDIR SSO for group membership to surf via HTTP proxy with Astaro 425.
Thanks Eli. Well, I'm testing using the packet rule for each client PC that needs Internet access, but I also tried that to work in partner with the masq rule, meaning if I set host_ip=>any on the packet rule I also need to set the same host_ip=>wan on the masq rule. I disable the lan=>wan since if some restricted user places a DNS server and gateway address on the TCP/IP of their machine, that restricted user could have web access, is that right? Well, the DNAT I think I can use on the cameras together with its assigned TCP ports so that a mobile user can check the camera when he is remote, is that right? [:$]
King, there are several possible solutions. The easiest is if you aren't using the 'Transparent mode skiplist' on the 'Advanced' tab. You can put the hosts in there, unclick the box for 'Allow HTTP traffic for listed hosts/nets' and make sure none of your packet filter rules allow HTTP/S.