DaemonForums > FreeBSD > FreeBSD Security (Securing FreeBSD)
Thread: Web content filtering
#1 | 3rd December 2008 | Crypt (Port Guard)

First off sorry if this is in the wrong forum.

The company I work for is looking for something that will block certain websites such as Facebook and MySpace, amongst various gaming sites. I have a FreeBSD system running DansGuardian with an extensive blacklist set up. I haven't yet put it into production but am thinking about it.

I know there are guys out here that are IT people for companies, and I'm just curious as to what they have used, or might use, with FreeBSD to block out certain sites, what computer specs it ran on, and how many users it controlled.
#2 | 3rd December 2008 | BSDfan666 (Banned)

Why not block them directly at router level?

Most larger companies lease IP ranges. Facebook and MySpace are no exception.

Code:
NetRange: 204.15.20.0 - 204.15.23.255 
CIDR: 204.15.20.0/22 
NetName: TFBNET1

NetRange: 69.63.176.0 - 69.63.191.255 
CIDR: 69.63.176.0/20 
NetName: TFBNET2

NetRange: 204.16.32.0 - 204.16.35.255 
CIDR: 204.16.32.0/22 
NetName: MYSPA-1

NetRange: 216.178.32.0 - 216.178.47.255 
CIDR: 216.178.32.0/20 
NetName: MYSPA-2

NetRange: 63.135.80.0 - 63.135.95.255 
CIDR: 63.135.80.0/20 
NetName: MYSPA-3
That's all I can find; there might be more, but who knows. Unfettered access can always be achieved via tunnelling or by proxy.

Kinda makes filtering rather pointless.
#3 | 3rd December 2008 | Crypt (Port Guard)

I figured if I was going to block stuff like Facebook and MySpace I might as well block gaming sites and, well, any other site that has nothing to do with work. We have employees abusing the internet access too much, and our mechanics depend on it to be able to fix vehicles, since GM has pretty much moved everything to online access.

Having looked into some stuff, I have to decide if the machine I have up and running DansGuardian with a blacklist is going to be enough for the 40 to 50 users we have. The system specs are a P3 1.4 GHz with 1.5 GB RAM, with just over 9 GB used on an 80 GB drive.
#4 | 3rd December 2008 | J65nko (Administrator)

With squid you can block sites/domains with ACLs (Access Control Lists).
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
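As an added example (not J65nko's own configuration), a squid.conf ACL fragment that blocks the sites named in this thread by domain, and by the address ranges from the whois output in post #2 so that an IP-literal URL does not slip through, while exempting a few hosts. The LAN range, the exempt addresses and the list file path are constructed placeholders.

```squid
# Added example, not from the thread. Constructed values: the LAN is
# 192.168.1.0/24, the exempt hosts are .10 and .11, the file path is a placeholder.
http_port 3128

acl localnet src 192.168.1.0/24
acl exempt_hosts src 192.168.1.10 192.168.1.11
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# dstdomain matches the requested hostname (also the host of a CONNECT
# request); a leading dot also matches every subdomain, so ".facebook.com"
# covers www., apps., m. and so on.
acl blocked_sites dstdomain .facebook.com .myspace.com
# Longer lists (gaming sites, urlblacklist categories) go in a file,
# one domain per line; repeating an acl name appends to it.
acl blocked_sites dstdomain "/usr/local/etc/squid/blocked_sites.txt"

# dstdomain does not fire when a user types the IP address instead of the
# name, so also match the netblocks listed in post #2.
acl blocked_nets dst 204.15.20.0/22 69.63.176.0/20
acl blocked_nets dst 204.16.32.0/22 216.178.32.0/20 63.135.80.0/20

# Rules are evaluated top to bottom; the first matching http_access line wins,
# so the exemption must come before the denies and the catch-all deny last.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow exempt_hosts
http_access deny blocked_sites
http_access deny blocked_nets
http_access allow localnet
http_access deny all

# Keep the access log so denied requests can be reviewed, not just enforced.
access_log /var/log/squid/access.log squid
```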
#5 | 3rd December 2008 | BSDfan666 (Banned)

I still say filtering isn't always enough of a deterrent; informing employees about the rules and the possible punishments for disobeying them (i.e. termination) is.
#6 | 4th December 2008 | phoenix (Risen from the ashes)

Quote (originally posted by Crypt):
    Having looked into some stuff, I have to decide if the machine I have up and running DansGuardian with a blacklist is going to be enough for the 40 to 50 users we have. The system specs are a P3 1.4 GHz with 1.5 GB RAM, with just over 9 GB used on an 80 GB drive.

Squid and DansGuardian love RAM. The more RAM you can put into the system, the less the system will be noticed by the end-users. DansGuardian also loves CPU. The more CPU power (cores, processors, GHz) you can put into the box, the better.

For 50 users, you should be able to get away with just 1.5 GB of RAM. Personally, I'd try to get that as close to 4 GB (max on 32-bit systems) as possible. Then you can give 2 GB to Squid's memory cache, and leave the rest for DansGuardian to use.

Be sure to put in packet filtering rules that bypass squid/DansGuardian for the really important websites, like the ones the mechanics use. Unless these are static websites, you don't need to cache them.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
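Added example, not code from any poster: a FreeBSD pf.conf fragment for a box acting as the LAN's gateway, combining BSDfan666's router-level block of the listed netblocks (post #2) with phoenix's bypass rules (post #6) so that the mechanics' sites and PCs never touch the proxy. Interface names, addresses, the hostnames and the proxy port (DansGuardian on 8080 in transparent mode, feeding squid) are assumptions.

```pf
# Added example, not from the thread. Assumptions: em0 faces the LAN, em1 faces
# the GM-controlled router, DansGuardian listens on 127.0.0.1:8080 in
# transparent mode and hands requests to squid. Addresses are constructed.
int_if  = "em0"
ext_if  = "em1"
lan_net = "192.168.1.0/24"
proxy   = "127.0.0.1 port 8080"

# Netblocks from the whois output in post #2; "const" means they cannot be
# changed at runtime, only by editing this file and reloading.
table <blocked_nets> const { 204.15.20.0/22, 69.63.176.0/20, \
                             204.16.32.0/22, 216.178.32.0/20, 63.135.80.0/20 }
# Sites the mechanics need. Hostnames are resolved when the ruleset loads,
# so reload after DNS changes. Placeholder names, not the real GM sites.
table <bypass_sites> persist { dealer-portal.example.invalid, \
                               parts-lookup.example.invalid }
# Mechanics' and parts-department PCs that must not be proxied at all.
table <bypass_hosts> persist { 192.168.1.50, 192.168.1.51, 192.168.1.60 }

set skip on lo0

# Redirect LAN web traffic to the filtering proxy, except the bypass cases.
# "no rdr" exemptions must appear before the rdr rule they exempt from.
no rdr on $int_if proto tcp from <bypass_hosts> to any port 80
no rdr on $int_if proto tcp from $lan_net to <bypass_sites> port 80
rdr on $int_if proto tcp from $lan_net to any port 80 -> $proxy

# Block the listed netblocks outright. Port 80 from proxied hosts is already
# redirected above, so this catches what the proxy never sees: bypass hosts,
# other ports, and direct connections to those ranges. Logged for review.
block drop in log quick on $int_if from $lan_net to <blocked_nets>

# Let redirected sessions reach the proxy, then pass the rest statefully;
# the proxy's own upstream connections also leave via $ext_if.
pass in quick on $int_if proto tcp from $lan_net to $proxy keep state
pass in on $int_if from $lan_net to any keep state
pass out on $ext_if keep state
```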
#7 | 4th December 2008 | hamba (Fdisk Soldier)

I'm using OpenDNS to filter loads of sites, and then I've got squid running that bypasses OpenDNS for the few that don't need blocking, like the bosses; it works pretty well.
The only problem I have with it is that you either block stuff for everyone or not at all.

It would be nice of them to implement a system where you can block sites on a per host or local network manner. I do believe that it might actually happen one day.
#8 | 4th December 2008 | Crypt (Port Guard)

I should explain the way our network is set up. GM controls the router as well as the domain controller, which acts as our DNS server as well. If we set the PCs to use something other than that DNS server, employees are no longer able to log into the domain or access some of the sites GM provides us to use. It won't be till about 2010 when GM relinquishes control of the router, in which case I will have to provide a suitable replacement for it. Till then, I have to come up with another way of filtering the sites that people go to.

When I started to do this a couple of years ago, and then was stopped by management, I had read about squid and DansGuardian. I set it up on a system that, well, really isn't doing anything else, and it was only going to affect a smaller number of users. We have a total of 35 users: 12 with direct access to PCs, the rest using dumb terminals to access one of two terminal servers. I know it sounds like a strange setup, and well, it is, but I have to work with what I have. I agree that once I am able to control the router or firewall I no longer will need DansGuardian.


Phoenix, I'll have to look into the packet filtering rules so that I do not stop any sites that are actually needed. Thanks for that.
#9 | 5th December 2008 | vorbote (Vorbote)

For what you describe, what you need is a filtering bridge. That's a firewall design that filters on level 2 (Ethernet, Token Ring, whatever) and that you can drop between the router and your network. No one will notice it is there until they want to browse a forbidden site.

For the lazy: pfSense makes a great filtering bridge when properly set up (and it is a matter of three clicks...).
8th December 2008 | Crypt (Port Guard)

Well, so far the system has been up and running for a couple of days, and the only thing people have complained about is not being able to access certain websites. It's funny to see how many co-workers have Facebook and how they are pissed they can no longer get there.
8th December 2008 | J65nko (Administrator)

Just curious. Which system did you implement?
9th December 2008 | Crypt (Port Guard)

Squid with DansGuardian and a blacklist set from urlblacklist.
13th December 2008 | neurosis (Fdisk Soldier)

Just looking through this, out of curiosity: is there a way to block all and only "allow" specified access? It seems that would be easier and would squash, or at least dampen, the ability to use a proxy.
13th December 2008 | phoenix (Risen from the ashes)

DansGuardian has a blanket block feature (** in bannedsitelist), and then you list the sites you want to allow access to in the exceptionsitelist.
14th December 2008 | Crypt (Port Guard)

Yup. I have a bunch of sites listed in the exceptionsitelist that people want access to. Since it was put into place I have been asked by some people to unban sites like TSN, rogers.com, Facebook, MySpace, a couple of gaming sites, NASCAR... there were a few others that I was asked to remove. I told them that if it is not work related it wasn't going to get done. Now, the only change I have had to make was to take the mechanics' computers off the proxy, since it was causing havoc with an application they need to use to program cars, so it looks like the shop won't be protected for the time being. I also had to set it up a little differently in the parts department, since the program we use to look up parts uses IE, and if it is set to use the proxy, it won't redirect back to the PC where the files it needs are located.