I want to block one user from Internet from 8-5

[phishyman2]

I figured this would be easy but I guess you can't learn rocket science in a day.

I want to block one user from the internet from 8-12 and 1-5. Nothing else. Nothing fancy here (I thought). I have searched the forums and can't seem to find any examples that match this simple criteria.

I go to the Policy Wizard and am faced with an ass load of questions I have no idea the answers to. For example:

Which protocol do I use?
What interface?
If I specify a user, do I even need to bother with the IP address?
Where in the policy am I even choosing to allow or block? Does it just randomly choose or read my mind?
Why do I need multiple racks?

Please do not point me to the wiki Policy Manager article. It does not help.

[gotkimchi]

First create another rack. Then create a policy. Only thing you would need to change is the client address (IP address of the user), time, and then on the bottom, the rack.

If you are using the directory connector, you would need to change the users and not the client address.

[gotkimchi]

Since you are doing the split in time, you would need to create multiple policies.

[Mathiau]

Policy Manager.

HTTP is TCP port 80, possibly 8080 and port 443 for HTTPS

interface should be internal for clients since they connect through the internal side.

did you read about Policy Manager in the Wiki, it has an example which is almost identical to what you want do do.

http://wiki.untangle.com/index.php/Policy_Manager

[phishyman2]

Why would I need to create another rack? Does a rack need to be created for every policy? This multiple rack thing makes no sense to me.

[Big D]

How much of the internet do you wanta block.

Web traffic, torrent, MMOs, online poker, RDP, smtp, POP, aol messenger.

To what degree do you want to restrict this one user?
He will need a static IP or implement the ad connector scripts on him or your organization.
You could do this with a packet filter rule, bypass rule, or firewall as well if you didn't want multiple racks. Using policy manager to point at a second rack would just be a little easier and less likely to affect everyone except the person you want it to apply to.

If you wanted to go crazy you could throw down the firewall and block all traffic to the external interface and all traffic comming from the external interface. This would completely lock him down to the local network.

By having multiple racks you can have unique rules that can apply to some users while not others. IE for a school environment teachers would inherently have less restrictions than the student counterparts.

[dmorris]

Why would I need to create another rack? Does a rack need to be created for every policy? This multiple rack thing makes no sense to me.

Most users have one rack/policy that covers there whole network.
You can create another rack/policy with totally separate apps and configurations and then create rules to map part of your traffic to this second rack.

You need to create a rock that blocks all traffic (a simple firewall with default block will do fine) and then map that user/IP to that 'block rack' from 8-5 on any given day with a policy rule.

[phishyman2]

"By having multiple racks you can have unique rules that can apply to some users while not others. IE for a school environment teachers would inherently have less restrictions than the student counterparts."

Why can't you create multiple rules in the default rack for certain individuals?

For example, why can't I create different policy rules for different types of users. In the wizard for creating a policy, it allows me to choose users that the policy is going to apply to. If I can do that, why create another rack. Am I making any sense at all? In other words, can't everything be handles with one rack.

[phishyman2]

One more thing. There is nothing in the policy wizard defining if it is an Allow or Deny for internet service. Am I to assume when I pick TCP, port80, Client: Internal, from 8:00 to 12:00, Monday through Friday, for user Jyarbrough that is is denying internet.

[gotkimchi]

its not the policy, its the apps in the rack that dictates the allow or deny.
The policy manager is to tell untangle what IPs or users belong to which rack.