From: "Terrence Koeman"
To: "Jorge Biquez"
Cc: "freebsd-questions@freebsd.org"
Date: Wed, 11 Apr 2012 10:50:59 +0200
Organization: MediaMonks B.V.
Subject: RE: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

On Tue, 10 Apr 2012 at 05:27:24, Jorge Biquez wrote:

> Hello all.
>
> I am sorry if this is kind of OFF Topic. I am looking for help from more
> experienced people in these areas. Please let me know if this
> question should be moved to FREEBSD-CHAT list.
>
> As I have mentioned before I am helping a school, non profit, with
> their IT issues. As always there are some "experts" that control
> everything and do not let you change anything because it is their
> kingdom. Anyway, there we have Internet service from a cable company
> and they have some Cisco routers to receive the access and from there
> some Cisco switches.
> In the classrooms we have very old PCs running XP. In some of my
> classes I am using FreeBSD and Ubuntu running on a USB. So each
> student has one USB and they work that way booting from their 4GB
> USB stick (it is slow but it has worked until now).
>
> One of the managers asked me for help to block some web sites where
> some students in the other lab and people that help there waste
> bandwidth seeing videos, movies (youtube, cuevana, serieid, etc) and
> spend a lot of time on facebook also. Our bandwidth is only 4Mb and you
> understand that with a few that are seeing movies and videos the rest
> of us can not work at all. Thing is that "other manager" (you know
> how those things are sometimes) does not want us to do that since his
> "guru" and expert is the one that controls all the network. So the
> best we could get until now is that we can do "all we can" without
> touching the Cisco routers and until now no administrative password
> to change anything on the PCs (that could change once we prove that
> we can have the solution and show it to the board of people that runs
> the place).
>
> The Internet provider gives the DNS servers to use and one of the
> routers gives the DHCP service.
>
> First thing I thought was to change the DNS servers and use the one
> from my small office (running FreeBSD 7.3) using Bind there and
> simply block there pointing the sites to nothing in the Apache
> configuration. It does not work. Once changed the DNS values the PC
> does not resolve anything. It was a quick test but that does not
> work. Not sure if Internet provider is blocking in some way that we
> can not use other DNS server but theirs.
>
> Other solution I was thinking while coming home was to convert one
> machine there to a FreeBSD server and use it as a router (if they let
> me) so that way I can control from there and do filtering. Issue is
> that maybe they do not let me but connect the server as an extra
> machine without replacing the main router so in that case I would
> have 2 DHCP servers doing the same service in the same LAN and could
> be conflicts I guess.
>
> Another solution a friend suggested was to buy one small router (from my
> money for sure) and let that small router receive the internet (RJ45)
> and from that with the small 4 port switch included to provide the
> internet to the switches to feed the labs, library and administrative
> offices. I have never used one of those and I am short on money so I
> would like to explore other alternatives before if possible.
>
> Finally another solution would be to install in each PC a kind of
> Nanny software but only if free, otherwise it is not a solution (I do
> not know of any yet but will do searching the following hours).
>
> I know all can be solved if the "guru-expert" guy would let me have
> passwords from PCs, router, etc but that won't be an option since
> they think we would try to take the control of those services (we do
> not want that) so the bureaucracy could be a problem there. He has
> told them that to block is not possible (they have been working that
> way for years).
>
> So, in this kind of schema. Do you think FreeBSD (even Linux) could
> be of help if we do not have access to routers, switches and can not
> install new software on the PCs (the ones running XP)?
>
> Any comments you have that could help me to solve this challenge?

You could ask the "guru-expert" guy to implement traffic shaping like weighted fair queuing and prioritizing SYNs etc. That way people can watch all the videos they want without it affecting the work of others.

You can also implement it yourself transparently with a FreeBSD box with two adapters bridged and something like ipfw+dummynet; you'd just need to insert it somewhere in the route (before any masquerading is performed though).

--
Regards,

T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)

Please quote relevant replies in correspondence.
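
One way to build the bridged ipfw+dummynet box suggested in the reply, as an added example that is not part of the original message. The interface names (em0, em1), the upstream rate and the queue weights are assumptions; only the 4 Mb downstream figure comes from the question.

```sh
#!/bin/sh
# Added example, not from the original message. Prints (or, with "apply", runs)
# the commands for a transparent shaping bridge built from ipfw + dummynet.
# Assumptions: em0 faces the router, em1 faces the switches, 4 Mbit/s down as
# in the question, 1 Mbit/s up; the 90/10 queue weights are illustrative.
WAN_IF="${WAN_IF:-em0}"
LAN_IF="${LAN_IF:-em1}"
DOWN_BW="${DOWN_BW:-4Mbit/s}"
UP_BW="${UP_BW:-1Mbit/s}"

shaper_rules() {
    cat <<EOF
# Run from the console: a freshly loaded ipfw denies everything by default,
# so the catch-all allow rule goes in first.
kldstat -q -m dummynet || kldload dummynet
ipfw -q add 65000 allow ip from any to any
# Bridge the two adapters so the box needs no IP address on the path.
ifconfig bridge0 create
ifconfig bridge0 addm $WAN_IF addm $LAN_IF up
ifconfig $WAN_IF up
ifconfig $LAN_IF up
# Hand bridged frames to ipfw so dummynet can queue them.
sysctl net.link.bridge.ipfw=1
# One pipe per direction, set at or just below the real link rate so that
# queuing happens on this box and not in the provider's equipment.
ipfw pipe 1 config bw $DOWN_BW
ipfw pipe 2 config bw $UP_BW
# Weighted queues: SYNs share one heavy queue; everything else gets one
# dynamic queue per inside host, so each host receives an equal share.
ipfw queue 10 config pipe 1 weight 90
ipfw queue 11 config pipe 1 weight 10 mask dst-ip 0xffffffff
ipfw queue 20 config pipe 2 weight 90
ipfw queue 21 config pipe 2 weight 10 mask src-ip 0xffffffff
# Downstream leaves via the LAN side, upstream via the WAN side.
ipfw -q add 100 queue 10 tcp from any to any tcpflags syn out xmit $LAN_IF
ipfw -q add 110 queue 11 ip from any to any out xmit $LAN_IF
ipfw -q add 200 queue 20 tcp from any to any tcpflags syn out xmit $WAN_IF
ipfw -q add 210 queue 21 ip from any to any out xmit $WAN_IF
EOF
}

# Default is a dry run that only prints the commands for review.
if [ "${1:-}" = "apply" ]; then
    shaper_rules | sh -e
else
    shaper_rules
fi
```

The per-host masks only separate users while their own addresses are still visible, which is why the reply places the box before any masquerading is performed.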