[TriLUG] limiting Internet access with squid?
Magnus
magnus at trilug.org
Mon Mar 19 11:00:41 EDT 2007
Greg Brown wrote:
> Problem: I have a client with a small network at a restaurant. His computer
> is XP Home so it can't be locked and he would like to restrict Internet
> access (when he isn't there his employees are surfing the web on the office
> computer, going to myspace.com, crap like that). Can squid be set up to block
> all requests on port 80 and force users to authenticate before passing them
> along?
Things like this are trivial to work around, even for someone who isn't
all that technical. You don't want to block just port 80. You need to
block everything.
> What I'd like is for Paul to have unrestricted access to the
> Internet but his employees to be blocked from going outbound.
>
> Is this possible with squid? If not, do you have any other ideas?
Block all outbound traffic from the private subnet.
Only allow explicit traffic from explicit hosts. i.e. open up ports 80
and 443 outbound from the squid server.
Squid can require authentication to pass any traffic via its ACL
system. Deny all by default, but accept from authenticated user.
If you don't block anything, it would be trivial for someone to connect
to the internet via their own proxy server or ssh account.
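
A squid.conf fragment for the deny-by-default, authenticated-only policy described in the reply above. This is an added example, not part of the original message; the helper path, password file, realm text and ACL name `authenticated` are assumptions, and it presumes the firewall already drops outbound traffic from every host except the squid server.

```conf
# Added example (not from the original thread).
# Assumed paths: the NCSA basic-auth helper location and name vary by
# distribution and Squid version; the password file is created with htpasswd.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Office proxy
auth_param basic credentialsttl 2 hours

# Matches any request that carries valid proxy credentials.
acl authenticated proxy_auth REQUIRED

# Only web ports are reachable through the proxy, and CONNECT tunnels
# are limited to 443 so the proxy cannot be used to reach arbitrary
# ports such as 22.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Authenticated users pass; everything else is refused.
http_access allow authenticated
http_access deny all

# Browsers on the private subnet are pointed at this port.
http_port 3128
```

Rule order matters: squid evaluates `http_access` lines top to bottom and stops at the first match, so the final `deny all` only catches requests that did not authenticate.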