Subject: Re: ipnat question?
To: None <port-mac68k@netbsd.org>
From: Chris Brown <chrsbrwn@mindspring.com>
List: port-mac68k
Date: 03/13/1999 11:56:04
On Sat, Mar 13, 1999 at 11:23:09AM -0500, Michael G. Schabert wrote:
> Hi guys,
> I have a (hopefully) quickie question regarding IP-NAT. Is it possible to
> make the other machines authenticate before allowing them to use the 'Net?
> I ask because I'd prefer to drop my employer's WinNT server (IIS) which is
> currently set up with the web proxy, so that when you wish to access a
> remote site, it'll pop up an authentication box for username/passwd. The
> district logs the users & the sites they visit, but I'm not as concerned
> with that as I am with just not allowing unauthorized users to access the
> 'Net (elementary school). So, would I have to actually run a proxy, or can
> I do it with some funky incantation over IP-NAT? If a proxy, what's
> available, & what's good? One final...about how many machines could I
> expect a Q700 to be able to do NAT for at once (on a cable "modem"
> connection)? I just hate the crap with the proxy where I would have to
> manually set up any services other than web, gopher, ftp. Since we're
> primarily Mac, my options are limited to the socks proxy in addition to the
> web proxy, whereas if we were WinTel, the WinSock proxy would be
> nice-n-easy.

Well first, I would recommend checking the ipfilter home page (which ipnat
is based on) at http://coombs.anu.edu.au/ipfilter/ for more info about what
it can do. It can definitely do logging, but I don't know about the
password authentication thingy. 

The second thing you might want to check out is DeleGate, a multipurpose
proxy and firewall. It has many many many options and switches, but
the documentation is a little weak (the author's first language is not
English, so I cut him some slack). I was able to get it to build and
install on NetBSD, but didn't play with it much beyond that (my need for it
suddenly dried up after I had built it). The home page is at
http://wall.etl.go.jp/delegate/ FTP download at
ftp://ftp.etl.go.jp/pub/DeleGate/ .

And the third thing you might want to check out is squid, which is an HTTP
proxy. It has many access control features, some of which might do what you
want. Home page at http://squid.nlanr.net/

And finally, Apache's mod_proxy follows the same access control features
that the rest of the access.conf file follows, so you could (almost)
definitely set up password protection. Check
http://www.apache.org/docs/mod/mod_proxy.html for more info about that
module.

Sorry to flood you with so much info, I hope some of it proves useful...

-- 
Chris Brown -- Macintosh networking/Web development
<chrsbrwn@mindspring.com> <http://www.mindspring.com/~chrsbrwn>
This message was sent from a IIci running NetBSD-Mac68k
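
Added example, not part of the original message: a sketch of the mod_proxy password protection mentioned above, written in Apache 1.3-era syntax. The LAN range, realm name and password file path are assumed placeholder values.

```apache
# Added illustration; not configuration from the original message.
# Assumed values: LAN 192.168.1.0/24, realm name, password file path.
# (Apache 2.x replaces <Directory proxy:*> with a <Proxy *> section.)

# Turn on forward-proxy handling (mod_proxy must be compiled in or loaded).
ProxyRequests On

# "proxy:*" matches every request that is handled by the proxy.
<Directory proxy:*>
    # Host-based check: only the local network may reach the proxy,
    # so it is never an open proxy for the outside world.
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24

    # User-based check: Basic authentication against an htpasswd file.
    AuthType Basic
    AuthName "Internet access"
    AuthUserFile /usr/local/etc/httpd/proxy.htpasswd
    Require valid-user

    # Demand both checks (LAN address AND valid login), not either one.
    Satisfy all
</Directory>
```

The password file is created with Apache's `htpasswd` utility and should live outside any directory the server publishes. Basic authentication sends the password only base64-encoded, so it is readable by anyone who can sniff the LAN segment.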