I'm currently trailing Diladele 8.7. I have a requirement to deploy a web proxy which blocks all web requests by default, and then allows certain domains to certain machines.
I started looking at this at the tail end of last year, but ran out of time. I seem to recall receiving some advice to look at the Locked policy. I've compared that with the default policy and spotted that "Block specific request URLs." is set to ".*", which makes perfect sense, so I've copied that to my Default policy and it's having the desired effect.
- Set the member to an IP address of my test machine
- Added a handful of test domains to Exclusions -> Domain Names.
The test machine could get to the test domains, but it could also get to all websites (with the exception of pornographic ones)
I updated the Test Machine Policy, setting "Block specific request URLs." to ".*". This had the desired effect of blocking all sites, bar the test domains. So far, so good.
Lastly, I created another policy called Update Server Policy and
- Set the member of IP Subnet(s), and added the class B the test machine was in (172.16.0.0/16)
- Added a handful of update server domains (e.g. deb.debian.org and archive.ubuntu.com) to Exclusions -> Domain Names.
- Set "Block specific request URLs." to ".*"
The test machine could get to the update server domains listed in the last policy created, but was denied access to the handful of test domains in the first policy created.
At the time Update Server Policy had a higher priority (3) than Test Machine Policy (2).
When I switched the priorities (Update Server Policy to 2, and Test Machine Policy to 3), the situation reversed... the test machine could get to the handful of test domains but not the update server domains.
This leads me to think policies are evaluated from top to bottom (highest number first) and the first policy which matches the request processes the request and no further policies are considered, which makes sense. This would, however, mean I'd need to add my update server domains to EVERY policy I create. While that's doable, it could prove painful if I need to add a domain to it at a later stage. I foresee us having 30+ policies.
Is there a better way for implementing what I'm trying to do? Ultimately, I'm after something akin to the following hierarchy
- All devices on the network allowed access to all the Debian and Ubuntu update servers (for example)
- Some devices to be able to access some specific websites.
- All other requests to be blocked.
Any help gratefully received!
Thanks
Steve
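The following is an added model of the first-match behaviour Steve observed; it is not Steve's configuration and not Diladele's code. It assumes, as the post concludes, that policies are evaluated highest priority number first and that the first policy whose membership matches the client IP decides the request on its own. The IP 172.16.0.25, the domain wiki.example.org and the Default policy's "block" verdict are constructed values; deb.debian.org, archive.ubuntu.com and the 172.16.0.0/16 subnet come from the post. The last function shows the maintenance approach the post is asking about: keep one shared exclusion list and merge it into every policy when generating them, so a domain added once reaches all 30+ policies.

```python
"""First-match proxy policy model (added illustration, not Diladele's code)."""
import ipaddress
import re
from dataclasses import dataclass, replace
from urllib.parse import urlparse


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                  # assumption: higher number is evaluated first
    members: tuple                 # IP addresses or CIDR subnets as strings
    excluded_domains: tuple        # "Exclusions -> Domain Names"
    blocked_url_regex: str = ".*"  # "Block specific request URLs."

    def matches_client(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(m, strict=False) for m in self.members)

    def decide(self, url: str) -> str:
        host = urlparse(url).hostname or ""
        # An excluded domain (or any subdomain of it) bypasses the block rule.
        if any(host == d or host.endswith("." + d) for d in self.excluded_domains):
            return "allow"
        return "block" if re.search(self.blocked_url_regex, url) else "allow"


def evaluate(policies, client_ip: str, url: str):
    """Return (policy name, verdict) from the first policy matching the client."""
    for policy in sorted(policies, key=lambda p: p.priority, reverse=True):
        if policy.matches_client(client_ip):
            return policy.name, policy.decide(url)
    # Assumption: the Default policy also blocks ".*" with no exclusions.
    return "Default", "block"


def with_shared_exclusions(policies, shared_domains):
    """Prepend one shared exclusion list to every policy, so update servers
    are maintained in a single place rather than in each policy."""
    return [replace(p, excluded_domains=tuple(shared_domains) + p.excluded_domains)
            for p in policies]


# Constructed sample data modelled on the post.
TEST_IP = "172.16.0.25"                       # constructed test machine address
UPDATE_DOMAINS = ("deb.debian.org", "archive.ubuntu.com")
TEST_MACHINE = Policy("Test Machine Policy", 2, (TEST_IP,), ("wiki.example.org",))
UPDATE_SERVER = Policy("Update Server Policy", 3, ("172.16.0.0/16",), UPDATE_DOMAINS)
POLICIES = [TEST_MACHINE, UPDATE_SERVER]

# Priorities swapped, as in the second experiment in the post.
SWAPPED_POLICIES = [replace(TEST_MACHINE, priority=3), replace(UPDATE_SERVER, priority=2)]

# Every policy generated from the shared list; the test machine now reaches both.
MERGED_POLICIES = with_shared_exclusions(SWAPPED_POLICIES, UPDATE_DOMAINS)

if __name__ == "__main__":
    for label, plist in (("original", POLICIES), ("swapped", SWAPPED_POLICIES),
                         ("merged", MERGED_POLICIES)):
        for url in ("http://deb.debian.org/debian/", "https://wiki.example.org/"):
            print(label, url, evaluate(plist, TEST_IP, url))
```

Running the script prints the two outcomes the post describes (whichever matching policy wins hides the other policy's exclusions) and then the merged set, where both the update servers and the machine-specific domains are reachable from the test machine while other hosts on the subnet still only reach the update servers.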