Date: Tue, 10 Apr 2012 12:43:32 -0500 (CDT) From: Robert Bonomi <bonomi@mail.r-bonomi.com> To: freebsd-questions@freebsd.org, jbiquez@intranet.com.mx Subject: Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny? Message-ID: <201204101743.q3AHhWbi002578@mail.r-bonomi.com> In-Reply-To: <3416873322-176955401@intranet.com.mx>
next in thread | previous in thread | raw e-mail | index | archive | help
Jorge Biquez <jbiquez@intranet.com.mx> wrote: > > Hello all. > > One of the managers asked me for help to block some web sites were > some students in the other lab and people that helps there waste > bandwithd seeing videos, movies (youtube, cuevana, serieid, etc) and > spend lot of time on facebook also. Our bandwidth is only 4Mb and you > understand that with a few that are seeing movies and videos the rest > of us can not work at all. Thing is that "other manager" (you know > how those things are sometimes) do not want us to do that since his > "guru" and expert is the one that controls all the Network. So the > best we could get until now is that we can do "all we can" without > touching the Cisco routers and until now not administrative password > for change anything on the PCs (that could change one we prove that > we can have the solution and show it to the board of people that runs > the place). [.. sneck ]] > So, in this kind of schema. Do you think FreeBSD (even linux) could > be of help if we do not have access to routers, switches and can not > install new software on the PCs( the ones running XP)? > > Any comments you have that could help me to solve this challenge? This is doable -if- you can insert a, say FreeBSD, box in the network -between- the labs and the outside world, where all the traffic can be forced to go -through- that box. it would basically function as a i two-port router. This would probably require 'minor' configuration changes on the boxes on each side of the box you are adding (tweaking the 'routing' stuff, because there will be a new device/IP-address involved). IF you can get a box in that position, then 'ipfw', or 'pf', the 'firewall' utilities, will allow you to block traffic to/from selected netblocks. It will be somewhat 'maintainence' intensive, keeping the address-block list up to date -- as users find 'new and different' sources for the 'banned' content. somewhat *more* effective would be a tool that monitors 'who' each PC in the lab is connected to, -and- an indication of traffic levels or that PC. this can be accomplished by a box sitting somwehre that it can 'see' all the LAN traffic -- does -not- have to be inserted in-line like the 'filtering' box does. Something like 'tcpdump' to capture LAN traffic, piped into a (probably custom) analyzer that tracks source/dest IP addresses, packet 'data' size, and relevant data 'flags' (syn/fin mostly) can tell the lab supervisor which use they need to 'speak firmly' to. This -is- a 'people' problem, not a technology issue -- therefore, make the solution a *people*-based one.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201204101743.q3AHhWbi002578>