From owner-freebsd-questions@FreeBSD.ORG Tue Apr 10 17:42:24 2012
Date: Tue, 10 Apr 2012 12:43:32 -0500 (CDT)
From: Robert Bonomi
Message-Id: <201204101743.q3AHhWbi002578@mail.r-bonomi.com>
To: freebsd-questions@freebsd.org, jbiquez@intranet.com.mx
In-Reply-To: <3416873322-176955401@intranet.com.mx>
Subject: Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

Jorge Biquez wrote:
>
> Hello all.
>
> One of the managers asked me for help to block some web sites where
> some students in the other lab and people that help there waste
> bandwidth seeing videos, movies (youtube, cuevana, serieid, etc) and
> spend lot of time on facebook also. Our bandwidth is only 4Mb and you
> understand that with a few that are seeing movies and videos the rest
> of us can not work at all. Thing is that "other manager" (you know
> how those things are sometimes) does not want us to do that since his
> "guru" and expert is the one that controls all the Network.
> So the best we could get until now is that we can do "all we can" without
> touching the Cisco routers and until now no administrative password
> to change anything on the PCs (that could change once we prove that
> we can have the solution and show it to the board of people that run
> the place).
[.. snip ..]
> So, in this kind of schema. Do you think FreeBSD (even linux) could
> be of help if we do not have access to routers, switches and can not
> install new software on the PCs (the ones running XP)?
>
> Any comments you have that could help me to solve this challenge?

This is doable -if- you can insert a, say, FreeBSD box in the network -between- the labs and the outside world, where all the traffic can be forced to go -through- that box. It would basically function as a two-port router. This would probably require 'minor' configuration changes on the boxes on each side of the box you are adding (tweaking the 'routing' stuff, because there will be a new device/IP-address involved).

IF you can get a box in that position, then 'ipfw' or 'pf', the 'firewall' utilities, will allow you to block traffic to/from selected netblocks. It will be somewhat 'maintenance' intensive, keeping the address-block list up to date -- as users find 'new and different' sources for the 'banned' content.

Somewhat *more* effective would be a tool that monitors 'who' each PC in the lab is connected to, -and- an indication of traffic levels for that PC. This can be accomplished by a box sitting somewhere that it can 'see' all the LAN traffic -- it does -not- have to be inserted in-line like the 'filtering' box does. Something like 'tcpdump' to capture LAN traffic, piped into a (probably custom) analyzer that tracks source/dest IP addresses, packet 'data' size, and relevant data 'flags' (syn/fin mostly) can tell the lab supervisor which users they need to 'speak firmly' to.

This -is- a 'people' problem, not a technology issue -- therefore, make the solution a *people*-based one.
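The "tcpdump piped into a custom analyzer" idea from the reply above, written out as an added example (it is not code from the original thread or from either poster). It assumes the capture was produced with `tcpdump -nn -tt` on the monitoring box, that the lab PCs live in 192.168.1.0/24 (an assumed subnet), and it runs over a handful of constructed sample lines instead of a live capture; the regex and the field names are the example's own.

```python
import re
import sys
import ipaddress
from collections import defaultdict

# One TCP line of `tcpdump -nn -tt` output (assumed format), e.g.
#   1334079812.000001 IP 192.168.1.10.49152 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r".*? length (?P<len>\d+)$"
)

# Assumption: the lab PCs sit in this subnet; everything else is "outside".
LAB_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample capture: one host pulling a large download, one short
# connection, one LAN-internal packet (ignored) and one non-TCP line (unparsed).
SAMPLE_LINES = [
    "1334079812.000001 IP 192.168.1.10.49152 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0",
    "1334079812.000500 IP 203.0.113.5.80 > 192.168.1.10.49152: Flags [S.], seq 1, ack 2, win 65535, length 0",
    "1334079812.001000 IP 192.168.1.10.49152 > 203.0.113.5.80: Flags [P.], seq 2:102, ack 2, win 65535, length 100",
    "1334079812.100000 IP 203.0.113.5.80 > 192.168.1.10.49152: Flags [P.], seq 2:1402, ack 102, win 65535, length 1400",
    "1334079812.100500 IP 203.0.113.5.80 > 192.168.1.10.49152: Flags [P.], seq 1402:2802, ack 102, win 65535, length 1400",
    "1334079813.000000 IP 192.168.1.11.50000 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0",
    "1334079813.050000 IP 192.168.1.11.50000 > 198.51.100.7.443: Flags [F.], seq 1, ack 1, win 65535, length 0",
    "1334079813.060000 IP 192.168.1.10.22 > 192.168.1.11.50001: Flags [P.], seq 1:51, ack 1, win 65535, length 50",
    "1334079813.070000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28",
]


def parse_line(line):
    """Return src/dst/flags/payload length for a TCP line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "flags": m.group("flags"),
        "length": int(m.group("len")),
    }


def summarize(lines, lab_net=LAB_NET):
    """Aggregate per lab host and outside peer: payload bytes, SYNs seen, FINs seen."""
    stats = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "syn": 0, "fin": 0}))
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src_in = ipaddress.ip_address(pkt["src"]) in lab_net
        dst_in = ipaddress.ip_address(pkt["dst"]) in lab_net
        if src_in == dst_in:
            continue  # LAN-internal or purely external traffic is not what we are after
        host, peer = (pkt["src"], pkt["dst"]) if src_in else (pkt["dst"], pkt["src"])
        entry = stats[host][peer]
        entry["bytes"] += pkt["length"]          # payload in either direction
        if "S" in pkt["flags"]:
            entry["syn"] += 1                    # new connections (SYN and SYN/ACK)
        if "F" in pkt["flags"]:
            entry["fin"] += 1                    # connections being closed
    return stats


def top_talkers(stats, n=3):
    """Lab hosts ranked by total payload bytes exchanged with outside peers."""
    totals = {h: sum(p["bytes"] for p in peers.values()) for h, peers in stats.items()}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def report(stats):
    """Human-readable summary for the lab supervisor."""
    out = []
    for host, total in top_talkers(stats):
        out.append(f"{host}: {total} payload bytes")
        for peer, e in sorted(stats[host].items(), key=lambda kv: kv[1]["bytes"], reverse=True):
            out.append(f"    {peer:<16} bytes={e['bytes']:<8} syn={e['syn']} fin={e['fin']}")
    return "\n".join(out)


if __name__ == "__main__":
    # Live use on the monitoring box (assumed command line):
    #   tcpdump -nn -tt -l tcp | python3 this_script.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    print(report(summarize(source)))
```

The regex only matches TCP lines, so ARP, ICMP and UDP lines are silently skipped; widen it if the lab's heavy traffic turns out to be UDP video. Counting payload bytes rather than packets is what makes the download host stand out, and the SYN/FIN counters distinguish one long-lived transfer from a host that is opening hundreds of short connections.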