Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
At 05:27 10/04/2012, you wrote:
> Hello all.
>
> Thanks in advance for your time and comments.

Perhaps this app may help you: http://sourceforge.net/projects/teachercp/

There are commercial apps too that do the same and more.

HTH
Jorge Biquez
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
RE: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
On Tue, 10 Apr 2012 at 05:27:24, Jorge Biquez wrote:
> Hello all.
>
> I am sorry if this is kind of OFF Topic. I am looking for help from more
> experienced people in these areas. Please let me know if this question
> should be moved to the FREEBSD-CHAT list.
>
> As I have mentioned before, I am helping a school, a non-profit, with their
> IT issues. As always there are some experts that control everything and do
> not let you change anything because it is their kingdom.
>
> Anyway, there we have Internet service from a cable company and they have
> some Cisco routers to receive the access and from there some Cisco
> switches. In the classrooms we have very old PCs running XP. In some of my
> classes I am using FreeBSD and Ubuntu running from a USB stick, so each
> student has one USB stick and they work that way, booting from their 4GB
> USB stick (it is slow but it has worked until now).
>
> One of the managers asked me for help to block some web sites where some
> students in the other lab, and people that help there, waste bandwidth
> watching videos and movies (youtube, cuevana, serieid, etc.) and also
> spend a lot of time on facebook. Our bandwidth is only 4Mb and you
> understand that with a few of them watching movies and videos the rest of
> us cannot work at all.
>
> The thing is that the other manager (you know how those things are
> sometimes) does not want us to do that, since his guru and expert is the
> one that controls all the network. So the best we could get until now is
> that we can do all we can without touching the Cisco routers, and until
> now no administrative password to change anything on the PCs (that could
> change once we prove that we have the solution and show it to the board of
> people that runs the place).
>
> The Internet provider gives the DNS servers to use and one of the routers
> gives the DHCP service.
>
> The first thing I thought of was to change the DNS servers and use the one
> from my small office (running FreeBSD 7.3) with Bind there, and simply
> block the sites there by pointing them to nothing in the Apache
> configuration. It does not work. Once the DNS values are changed the PC
> does not resolve anything. It was a quick test but that does not work. Not
> sure if the Internet provider is blocking in some way so that we cannot
> use any DNS server but theirs.
>
> Another solution I was thinking of while coming home was to convert one
> machine there into a FreeBSD server and use it as a router (if they let
> me), so that way I can control from there and do filtering. The issue is
> that maybe they do not let me do that but only connect the server as an
> extra machine without replacing the main router, so in that case I would
> have 2 DHCP servers doing the same service in the same LAN and there could
> be conflicts, I guess.
>
> Another solution a friend suggested was to buy one small router (with my
> own money, for sure) and let that small router receive the Internet (RJ45)
> and from that, with the small 4-port switch included, provide the Internet
> to the switches that feed the labs, library and administrative offices. I
> have never used one of those and I am short on money, so I would like to
> explore other alternatives first if possible.
>
> Finally, another solution would be to install on each PC a kind of Nanny
> software, but only if free, otherwise it is not a solution (I do not know
> of any yet but will be searching in the following hours).
>
> I know all this can be solved if the guru-expert guy would let me have the
> passwords for the PCs, router, etc., but that won't be an option since
> they think we would try to take control of those services (we do not want
> that), so the bureaucracy could be a problem there. He has told them that
> blocking is not possible (they have been working that way for years).
>
> So, in this kind of scheme, do you think FreeBSD (or even Linux) could be
> of help if we do not have access to routers and switches and cannot
> install new software on the PCs (the ones running XP)?
>
> Any comments you have that could help me solve this challenge?

You could ask the guru-expert guy to implement traffic shaping like
weighted fair queuing and prioritizing SYNs etc. That way people can watch
all the videos they want without it affecting the work of others.

You can also implement it yourself transparently with a FreeBSD box with
two adapters bridged and something like ipfw+dummynet; you'd just need to
insert it somewhere in the route (before any masquerading is performed,
though).

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk
MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.
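The bridged ipfw+dummynet box described in the reply above, written out as an added example (my script, not code from the thread or from the poster's company). It prints the ruleset for review by default and only touches the kernel when run with "apply". The interface names em0 (toward the Cisco router) and em1 (toward the lab switches), the shaping rate a little under the thread's 4Mb link, and the queue weights are assumptions; the in/out direction matches on a layer-2 bridge should be confirmed against the counters in "ipfw show" once deployed.

```shell
#!/bin/sh
# Added example, not from the thread: a transparent FreeBSD bridge that
# shapes the uplink with ipfw + dummynet so one client cannot starve the rest.
# Assumptions: em0 faces the Cisco router/ISP, em1 faces the lab switches,
# and the real uplink is the 4Mb link mentioned in the thread. Shaping a
# little below the true rate keeps the queue inside dummynet, where WF2Q+
# can share it fairly, instead of in the ISP's equipment.
OUTSIDE_IF="${OUTSIDE_IF:-em0}"
INSIDE_IF="${INSIDE_IF:-em1}"
SHAPE_BW="${SHAPE_BW:-3800Kbit/s}"

# Emit the ruleset as text. One pipe per direction carries the rate limit;
# the per-client queues (masked on the lab-side address) give every PC an
# equal share, and a small high-weight queue keeps SYNs (connection setup)
# responsive even while the link is saturated by video streams.
shaping_rules() {
    cat <<EOF
ipfw -q flush
ipfw -q pipe flush
ipfw pipe 1 config bw ${SHAPE_BW}
ipfw pipe 2 config bw ${SHAPE_BW}
ipfw queue 1 config pipe 1 weight 10 mask dst-ip 0xffffffff
ipfw queue 2 config pipe 2 weight 10 mask src-ip 0xffffffff
ipfw queue 3 config pipe 1 weight 90
ipfw queue 4 config pipe 2 weight 90
ipfw add 100 queue 3 tcp from any to any tcpflags syn in via ${OUTSIDE_IF}
ipfw add 110 queue 4 tcp from any to any tcpflags syn out via ${OUTSIDE_IF}
ipfw add 200 queue 1 ip from any to any in via ${OUTSIDE_IF}
ipfw add 210 queue 2 ip from any to any out via ${OUTSIDE_IF}
ipfw add 65000 allow ip from any to any
EOF
}

# Number of ipfw invocations, so a reviewer can sanity-check what "apply"
# will run before running it.
rule_count() {
    shaping_rules | grep -c '^ipfw'
}

# Build the bridge (no IP address on it, so the box stays invisible on the
# network), hand bridged packets to ipfw, then load the rules.
apply_shaping() {
    kldstat -q -m ipfw     || kldload ipfw
    kldstat -q -m dummynet || kldload dummynet
    ifconfig bridge0 create
    ifconfig "${OUTSIDE_IF}" up
    ifconfig "${INSIDE_IF}" up
    ifconfig bridge0 addm "${OUTSIDE_IF}" addm "${INSIDE_IF}" up
    sysctl net.link.bridge.ipfw=1     # if_bridge(4): needed for dummynet on a bridge
    shaping_rules | sh -e
}

case "${1:-show}" in
    show)  shaping_rules ;;
    apply) apply_shaping ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 64 ;;
esac
```

Because the box has no address and forwards at layer 2, nothing on the PCs, the DHCP server or the Cisco routers has to change; it only needs to sit physically between the router and the first switch, which is the "before any masquerading" placement the reply mentions.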
Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
Jorge Biquez wrote:
> Hello all.
[snip]
> In the classrooms we have very old PCs running XP. In some of my classes I
> am using FreeBSD and Ubuntu running from a USB stick, so each student has
> one USB stick and they work that way, booting from their 4GB USB stick (it
> is slow but it has worked until now).
>
> One of the managers asked me for help to block some web sites where some
> students in the other lab, and people that help there, waste bandwidth
> watching videos and movies (youtube, cuevana, serieid, etc.) and also
> spend a lot of time on facebook. Our bandwidth is only 4Mb and you
> understand that with a few of them watching movies and videos the rest of
> us cannot work at all.
[snip]
> Another solution I was thinking of while coming home was to convert one
> machine there into a FreeBSD server and use it as a router (if they let
> me), so that way I can control from there and do filtering. The issue is
> that maybe they do not let me do that but only connect the server as an
> extra machine without replacing the main router, so in that case I would
> have 2 DHCP servers doing the same service in the same LAN and there could
> be conflicts, I guess.

This method is very common. You have 2 methods here. Both methods will give
you a central location to control, for both Windows and FreeBSD PCs on the
local LAN, what IP addresses they can access.

Replace the main router with your FreeBSD gateway box, or just cable your
main router to the FreeBSD gateway box running the ipfilter or pf firewall
and dhcp. Then from the second NIC on the FreeBSD gateway box to your
existing switch. Configure dhcp on the FreeBSD gateway box to issue IP
addresses in the 10.0.10.0 range and specify the IP addresses of the DNS
servers of the ISP. Enable the NAT (network address translation) function
of the firewall.

If you replace the main router with the FreeBSD gateway box, then the
FreeBSD gateway box will get the public routable IP address assigned by the
ISP. If you place the FreeBSD gateway box downstream of the main router
then it will get a 192.168.x.x IP address from the main router. This is OK
and will work fine. You did not say, but some ISP modems have built-in
routers; if that is what you are calling the main router then you cannot
replace it. Your FreeBSD gateway box has to be downstream in this case.

Here is a good resource for you to review: FreeBSD Install Guide at
www.a1poweruser.com

[snip]
> Finally, another solution would be to install on each PC a kind of Nanny
> software, but only if free, otherwise it is not a solution (I do not know
> of any yet but will be searching in the following hours).
[snip]

On each FreeBSD PC, blocking selected IP addresses can be done using the
route blackhole command. Example:

To add, use
  route add -host attacker_ip 127.0.0.1 -blackhole
To delete, use
  route delete -host attacker_ip 127.0.0.1 -blackhole
To list, use
  netstat -nr|grep 127

This is executed in the IP stack and is faster than in the firewall when
you have over 20 of those special "deny this IP address" rules in the
firewall. In your case the attacker_ip is found by using the dig command;
dig www.facebook.com returns the IP address 69.171.228.40.

You can create a script (route_blackholed_ip.sh) containing route commands
for all the IP addresses that you want to block and save it to
/usr/local/etc/rc.d/ so it will be run at boot time from the USB thumb
drives your students use to boot FreeBSD from.
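The per-PC blackhole script the reply describes, as an added example (my code, not the poster's route_blackholed_ip.sh). Rather than hard-coding route commands it reads a list file, validates each entry so a typo never reaches route(8), and answers the start/stop/status arguments that rc(8) passes to local startup scripts. The list path /usr/local/etc/blackhole.list is an assumption; the addresses in the test are constructed samples, not a claim about any site's real addresses. Note the limitation the thread itself raises later: large sites answer from many addresses, so the list needs regular refreshing with dig.

```shell
#!/bin/sh
# Added example, not the poster's script: applies the blackhole routes
# described above from a plain list file, so one file can be copied to every
# student USB stick and dropped into /usr/local/etc/rc.d/ (path assumed).
# Each list line is an IPv4 address, optionally followed by a "# comment".
BLOCKLIST="${BLOCKLIST:-/usr/local/etc/blackhole.list}"

# valid_ipv4 ADDR -- true only for a dotted quad with every octet 0..255.
valid_ipv4() {
    printf '%s' "$1" | awk -F. '
        NF == 4 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) ok = 0
        }
        END { exit (ok ? 0 : 1) }'
}

# blackhole_cmds add|delete -- reads the list on stdin and prints one
# route(8) command per valid entry; blank lines and comments are ignored,
# malformed entries are reported on stderr and skipped. Printing rather than
# executing lets you inspect the result with:  blackhole_cmds add < list
blackhole_cmds() {
    action="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        ip="${line%%#*}"                       # strip a trailing comment
        ip=$(printf '%s' "$ip" | tr -d ' \t')  # and surrounding whitespace
        [ -z "$ip" ] && continue
        if valid_ipv4 "$ip"; then
            echo "route $action -host $ip 127.0.0.1 -blackhole"
        else
            echo "# skipped invalid entry: $line" >&2
        fi
    done
}

# rc-style entry point. "start" installs the routes, "stop" removes them,
# "status" shows what the kernel currently has (the check the reply gives).
# A plain sh (not sh -e) runs the commands so one already-present route
# does not stop the rest of the list from being applied.
case "${1:-}" in
    start)  blackhole_cmds add    < "$BLOCKLIST" | sh ;;
    stop)   blackhole_cmds delete < "$BLOCKLIST" | sh ;;
    status) netstat -nr | grep 127.0.0.1 ;;
    "")     ;;    # sourced or run without an action: only define the functions
    *)      echo "usage: $0 start|stop|status" >&2; exit 64 ;;
esac
```

Since the routes live in the kernel of the machine that booted the stick, this only affects the FreeBSD sessions; the XP lab PCs and anything else on the LAN are untouched, which is why the other replies push the control point to the network.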
Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
On 10/04/2012 05:27, Jorge Biquez wrote:
> Hello all.
>
> I am sorry if this is kind of OFF Topic. I am looking for help from more
> experienced people in these areas. Please let me know if this question
> should be moved to the FREEBSD-CHAT list.
>
> As I have mentioned before, I am helping a school, a non-profit, with their
> IT issues. As always there are some experts that control everything and do
> not let you change anything because it is their kingdom.
>
> Anyway, there we have Internet service from a cable company and they have
> some Cisco routers to receive the access and from there some Cisco
> switches.

They won't let you do things not because it is their kingdom, but because
they certainly have a contract with prices for services and penalties for
lack of service. As IT professionals they want to make their lives simpler
and have whoever benefits from a service pay for it. This is a logical and
sane attitude to have.

Now if you want to meddle with the stuff they are legally responsible for,
you need to prove a few things to them:

1 - Nothing you do will impact them in terms of workload. You might be
working for free (and it is very noble of you), but they are trying to earn
their living here. So more work for the same price is not an option.

2 - You can be trusted and you have good skills. This starts by explaining
fully what you want to achieve, how you will do it and (most important
point) how fast anything you do can be undone. No matter what solution you
choose it is likely to have side effects, especially since you have no
knowledge of what is installed and how it is set up, except what you can
guess probing here and there without administrative rights. No matter how
simple and innocuous your solution may seem, it might break the first rule;
for example a FreeBSD gateway might prevent patches from a WSUS server from
being applied, it might prevent remote control, it might prevent alert
mails from being sent or received, and so on.

3 - You have to write the full documentation of what you are going to do,
give all the administrative passwords of your solution to the experts,
complete with a good deal of explanation on how to use, remove or change
the system. It is also important that they know they can remove your own
rights on your own solution if need be. The reasons are that you may not
always be available and you may not always be lucid or on good terms with
the school. If a problem arises they have to be able to take full control
back, one way or another.

4 - You will find a way to pay them for your solution. Even if you do
everything yourself, and have enough skill to do it right without them
helping at any point (which is extremely unlikely), the time needed for the
experts to review, test, validate and potentially maintain your solution
will have to be paid. The closer the solution is to what they already know
and have a staff trained for, the lighter the price. But do not expect them
to accept a solution that might bring them trouble but won't bring them
money.

The main problem you might have is that you do not seem to have any respect
for the guys in charge. True, I do not know your history with them, and
they may not deserve respect, but as an IT manager for quite a lot of
companies both large and small I can tell you one thing: we positively
loathe the smart guy with a (most of the time very small) IT background
that springs out of nowhere to bring simple solutions to complex problems.
99.9 % of the time they end up giving up with the job half done, or they
disappear just as suddenly as they appeared, taking all their knowledge
with them. From the director's 13-year-old nephew who can have the thing
running in minutes (or so the director seems to think) to the junior
analyst that will replace a behemoth of ETL-processed files and Excel
sheets with a single Access app because he read the first three chapters of
"VBA for Brain Damaged" last week, we see them coming from miles away, and
needless to say there is no warm welcome when they finally arrive.

The only way to get anywhere is to be humble and then impress the experts
with your professional and exhaustive approach to the problem. Anything
else will lead to the experts telling you that to achieve the result you
want you will need to purchase the solution they know (probably a
Checkpoint/Barracuda/Blue Coat/whatever appliance) and then pay monthly for
maintenance.

There are literally thousands of solutions to your problem, ranging from
simply installing K9 on every computer to a complex setup with QoS,
LDAP/Kerberos auth and rights delegation going to a redundant active proxy
with cache and filtering. Given the small size of the LAN, an old and small
computer with two ethernet cards and pfSense could probably do the trick,
but you will need insight from the guys in charge to be sure. DansGuardian
can offer content filtering, but will require more RAM and CPU power. Cheap
commercial appliances will do
Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
On 4/9/2012 10:27 PM, Jorge Biquez wrote:
> As always there are some experts that control everything and do not let
> you change anything because it is their kingdom.

What do they control? The network infrastructure?

> One of the managers asked me for help to block some web sites where some
> students in the other lab, and people that help there, waste bandwidth
> watching videos and movies (youtube, cuevana, serieid, etc.) and also
> spend a lot of time on facebook.

This is a network issue. You can try to detect a client using too much
bandwidth for a period of time, and then throttle them. Dropping TCP
packets will force throttling. Blocking websites is more effective at a
firewall than at a desktop.

> with a few of them watching movies and videos the rest of us cannot work
> at all. The thing is that the other manager (you know how those things
> are sometimes) does not want us to do that, since his guru and expert is
> the one that controls all the network. So the best we could get until now
> is that we can do all we can without touching the Cisco routers, and
> until now no administrative password to change anything on the PCs (that
> could change once we prove that we have the solution and show it to the
> board of people that runs the place).

They're asking you to fix a network problem but refuse to give you control
of the network. Ask the administrators what happens if all the software
you've installed is bypassed by someone bringing in a laptop, or you switch
to WiFi and everyone's on a cell phone you don't control. Deal with the
problem at the network.

> The Internet provider gives the DNS servers to use and one of the routers
> gives the DHCP service. The first thing I thought of was to change the
> DNS servers and use the one from my small office (running FreeBSD 7.3)
> with Bind there, and simply block the sites there by pointing them to
> nothing in the Apache configuration. It does not work. Once the DNS
> values are changed the PC does not resolve anything. It was a quick test
> but that does not work. Not sure if the Internet provider is blocking in
> some way so that we cannot use any DNS server but theirs.

Google is 8.8.8.8 and 8.8.4.4, easy enough to remember, and circumvent.

> Another solution I was thinking of while coming home was to convert one
> machine there into a FreeBSD server and use it as a router (if they let
> me), so that way I can control from there and do filtering. The issue is
> that maybe they do not let me do that but only connect the server as an
> extra machine without replacing the main router, so in that case I would
> have 2 DHCP servers doing the same service in the same LAN and there
> could be conflicts, I guess.

That's affecting the network and causing a mess for no good reason.

> Another solution a friend suggested was to buy one small router (with my
> own money, for sure) and let that small router receive the Internet
> (RJ45) and from that, with the small 4-port switch included, provide the
> Internet to the switches that feed the labs, library and administrative
> offices. I have never used one of those and I am short on money, so I
> would like to explore other alternatives first if possible.

Adding a router won't help with the real problem.

> Finally, another solution would be to install on each PC a kind of Nanny
> software, but only if free, otherwise it is not a solution (I do not know
> of any yet but will be searching in the following hours).

And then you have to trust the software. Some software will ban health
information, such as breast cancer, but because so many porn websites are
created so fast they can still allow porn. In any case, it's just a
firewall.

> I know all this can be solved if the guru-expert guy would let me have
> the passwords for the PCs, router, etc., but that won't be an option
> since they think we would try to take control of those services (we do
> not want that), so the bureaucracy could be a problem there. He has told
> them that blocking is not possible (they have been working that way for
> years).

The block is possible, but it's a network issue, the other guy's. Either he
does it, or you take over the network. The more centralized and built into
the network it is, the more effective it is.

> So, in this kind of scheme, do you think FreeBSD (or even Linux) could be
> of help if we do not have access to routers and switches and cannot
> install new software on the PCs (the ones running XP)?

No. You lack the network control to control students' computer use.

> Any comments you have that could help me solve this challenge?
>
> Thanks in advance for your time and comments.
>
> Jorge Biquez
Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
Jorge Biquez jbiq...@intranet.com.mx wrote:
> Hello all.
>
> One of the managers asked me for help to block some web sites where some
> students in the other lab, and people that help there, waste bandwidth
> watching videos and movies (youtube, cuevana, serieid, etc.) and also
> spend a lot of time on facebook. Our bandwidth is only 4Mb and you
> understand that with a few of them watching movies and videos the rest of
> us cannot work at all.
>
> The thing is that the other manager (you know how those things are
> sometimes) does not want us to do that, since his guru and expert is the
> one that controls all the network. So the best we could get until now is
> that we can do all we can without touching the Cisco routers, and until
> now no administrative password to change anything on the PCs (that could
> change once we prove that we have the solution and show it to the board of
> people that runs the place).
[.. snip ..]
> So, in this kind of scheme, do you think FreeBSD (or even Linux) could be
> of help if we do not have access to routers and switches and cannot
> install new software on the PCs (the ones running XP)?
>
> Any comments you have that could help me solve this challenge?

This is doable -if- you can insert a, say, FreeBSD box in the network
-between- the labs and the outside world, where all the traffic can be
forced to go -through- that box. It would basically function as a two-port
router. This would probably require 'minor' configuration changes on the
boxes on each side of the box you are adding (tweaking the 'routing' stuff,
because there will be a new device/IP address involved).

IF you can get a box in that position, then 'ipfw', or 'pf', the 'firewall'
utilities, will allow you to block traffic to/from selected netblocks. It
will be somewhat 'maintenance' intensive, keeping the address-block list up
to date -- as users find 'new and different' sources for the 'banned'
content.

Somewhat *more* effective would be a tool that monitors 'who' each PC in
the lab is connected to, -and- an indication of traffic levels for that PC.
This can be accomplished by a box sitting somewhere that it can 'see' all
the LAN traffic -- it does -not- have to be inserted in-line like the
'filtering' box does. Something like 'tcpdump' to capture LAN traffic,
piped into a (probably custom) analyzer that tracks source/dest IP
addresses, packet 'data' size, and relevant data 'flags' (SYN/FIN mostly)
can tell the lab supervisor which users they need to 'speak firmly' to.

This -is- a 'people' problem, not a technology issue -- therefore, make the
solution a *people*-based one.
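A minimal version of the tcpdump-fed analyzer the reply describes, as an added example (my code, not the poster's). It is an awk pipeline that sums payload bytes and client-initiated SYNs per lab PC and remote address, heaviest first, which is exactly the "who is talking to whom, and how much" the supervisor needs. The lab prefix 10.0.10. (the range another reply suggests handing out via DHCP), the interface name em1 and the sample capture lines are constructed assumptions. For the monitoring box to see the lab's traffic it needs a hub or a switch mirror port, so even this passive approach needs a word with whoever runs the switches.

```shell
#!/bin/sh
# Added example, not from the thread: aggregate tcpdump(1) output into
# "lab-PC remote-IP bytes new-connections" lines so a supervisor can see
# which machine is pulling the most traffic and from where.
# Assumes tcpdump was run with -nn (numeric hosts and ports) and that the
# lab PCs share one address prefix. Only the TCP/UDP "length N" payload
# figure is counted, so headers are not included in the byte totals.

# analyze_flows PREFIX -- reads tcpdump lines on stdin and prints one line
# per (lab host, remote host) pair, heaviest first:  host peer bytes syns
analyze_flows() {
    awk -v lan="$1" '
    $2 == "IP" && $4 == ">" {
        src = $3; dst = $5
        sub(/:$/, "", dst)                 # "a.b.c.d.port:" -> "a.b.c.d.port"
        sub(/\.[0-9]+$/, "", src)          # drop the port suffix
        sub(/\.[0-9]+$/, "", dst)
        len = 0; syn = 0
        for (i = 6; i <= NF; i++) {
            if ($i == "length") len = $(i + 1) + 0
            # "[S]," is a bare SYN (a client opening a connection); "[S.],"
            # is the server SYN-ACK and is not counted as a new connection
            if ($i == "Flags" && $(i + 1) ~ /^\[S\]/) syn = 1
        }
        if (index(src, lan) == 1)      { host = src; peer = dst; out = 1 }
        else if (index(dst, lan) == 1) { host = dst; peer = src; out = 0 }
        else next                      # traffic not involving the lab
        key = host SUBSEP peer
        bytes[key] += len
        if (out && syn) syns[key]++
    }
    END {
        for (k in bytes) {
            split(k, p, SUBSEP)
            printf "%s %s %d %d\n", p[1], p[2], bytes[k], syns[k] + 0
        }
    }' | sort -k3,3nr
}

# Constructed sample capture (the shape "tcpdump -nn -i em1 ip" prints):
# host .21 streams from 198.51.100.7, host .22 does a small web fetch plus
# one connection attempt, and the last line is unrelated traffic.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 10.0.10.21.51000 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
12:00:01.000500 IP 198.51.100.7.443 > 10.0.10.21.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.001000 IP 10.0.10.21.51000 > 198.51.100.7.443: Flags [.], ack 3, win 1024, length 0
12:00:01.100000 IP 198.51.100.7.443 > 10.0.10.21.51000: Flags [P.], seq 2:1402, ack 3, win 1024, length 1400
12:00:01.200000 IP 198.51.100.7.443 > 10.0.10.21.51000: Flags [.], seq 1402:2802, ack 3, win 1024, length 1400
12:00:01.300000 IP 198.51.100.7.443 > 10.0.10.21.51000: Flags [.], seq 2802:4202, ack 3, win 1024, length 1400
12:00:02.000000 IP 10.0.10.21.53000 > 203.0.113.53.53: UDP, length 29
12:00:03.000000 IP 10.0.10.22.52000 > 203.0.113.5.80: Flags [S], seq 7, win 65535, length 0
12:00:03.100000 IP 10.0.10.22.52000 > 203.0.113.5.80: Flags [P.], seq 8:308, ack 1, win 1024, length 300
12:00:03.200000 IP 203.0.113.5.80 > 10.0.10.22.52000: Flags [P.], seq 1:801, ack 308, win 1024, length 800
12:00:04.000000 IP 10.0.10.22.52001 > 203.0.113.9.443: Flags [S], seq 9, win 65535, length 0
12:00:05.000000 IP 192.168.1.1.40000 > 8.8.8.8.53: UDP, length 40
EOF
}

# report PREFIX MINBYTES -- keep only the pairs that moved at least MINBYTES,
# i.e. the ones worth a word with the lab supervisor. Live use:
#   tcpdump -nn -l -i em1 ip | report 10.0.10. 1000000
report() {
    analyze_flows "$1" | awk -v min="$2" '$3 >= min'
}

if [ "${1:-}" = demo ]; then
    sample_capture | report 10.0.10. 1000
fi
```

Run with "demo" to see the sample ranked; on a real capture, pipe tcpdump through "report" with a threshold tuned to the link (a few hundred kilobytes in a one-minute window is already a large share of a 4Mb line). The SYN column is the cheap tell for a client cycling through many servers, which is what a video or streaming site looks like from the outside.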
Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
On Mon, 09 Apr 2012 23:21:58 -0500, Da Rock freebsd-questi...@herveybayaustralia.com.au wrote:
> For the interim (and as a POC), set up squid and dansguardian and point
> the browsers to a proxy using that machine. Prove your point and then
> explain that this can be done transparently if you had some control of
> the routers.

He could just do a MITM on the default gateway via ettercap. Not very
ethical, but it would certainly work ^_^
Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
Hi,

On Tuesday 10 April 2012 10:27:24 Jorge Biquez wrote:
> As I have mentioned before, I am helping a school, a non-profit, with

non-profit -- no cost?

> One of the managers asked me for help to block some web sites where

Have you checked hosts? A rough but easy way.

Erich
Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
I've been in this position before. A transparent proxy running Squid and
DansGuardian will solve most of your problems. And having a local cache
will help fix your low bandwidth issue. Your skill level and networking
knowledge will determine how achievable this is, but it's a great solution
when you have it in place.

Good luck!
Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
Hello.

Yes, I know and we will do our best to solve it... but if that does not
work, then I will still try to solve it technically in some way if possible.

Jorge Biquez

At 10:42 p.m. 09/04/2012, Robert Huff wrote:
> Jorge Biquez writes:
>> Any comments you have that could help me solve this challenge?
>
> Yes. You do not have a technical problem. You have a management problem.
> Fix that, and the technical issues will be (comparatively) trivial.
>
> Robert Huff
Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
On 04/10/12 13:46, Jorge Biquez wrote:
> Hello.
>
> Yes, I know and we will do our best to solve it... but if that does not
> work, then I will still try to solve it technically in some way if
> possible.

For the interim (and as a POC), set up squid and dansguardian and point the
browsers to a proxy using that machine. Prove your point and then explain
that this can be done transparently if you had some control of the routers.
All that is necessary for a transparent proxy is to reroute port 80 traffic
from the network to the squid server then.

HTH

> Jorge Biquez
>
> At 10:42 p.m. 09/04/2012, Robert Huff wrote:
>> Jorge Biquez writes:
>>> Any comments you have that could help me solve this challenge?
>>
>> Yes. You do not have a technical problem. You have a management problem.
>> Fix that, and the technical issues will be (comparatively) trivial.
>>
>> Robert Huff