Date:      Wed, 11 Apr 2012 09:33:00 -0400
From:      Fbsd8 <fbsd8@a1poweruser.com>
To:        Jorge Biquez <jbiquez@intranet.com.mx>
Cc:        freebsd-questions@FreeBSD.org
Subject:   Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
Message-ID:  <4F85880C.7050700@a1poweruser.com>
In-Reply-To: <3416873322-176955401@intranet.com.mx>
References:  <3416873322-176955401@intranet.com.mx>

Jorge Biquez wrote:
> Hello all.
> 
> snip
> In the classrooms we have very old PCs running XP. In some of my classes 
> I am using FreeBSD and Ubuntu running on a USB. So each student has one 
> USB and they work that way, booting from their 4GB USB stick. (It is slow 
> but it has worked until now.)
> 
> One of the managers asked me for help to block some web sites where some 
> students in the other lab and people that help there waste bandwidth 
> watching videos and movies (youtube, cuevana, serieid, etc.) and spend a lot of 
> time on facebook as well. Our bandwidth is only 4Mb and you understand that 
> with a few that are watching movies and videos the rest of us can not work 
> at all. 
> 
> snip
> 
> Another solution I was thinking of while coming home was to convert one 
> machine there to a FreeBSD server and use it as a router (if they let 
> me) so that way I can control from there and do filtering. The issue is that 
> maybe they do not let me do that, but only connect the server as an extra machine 
> without replacing the main router, so in that case I would have 2 DHCP 
> servers doing the same service in the same LAN and there could be conflicts, I 
> guess.

This method is very common. You have 2 methods here. Both methods will 
give you a central location to control which IP addresses both the Windows and 
FreeBSD PCs on the local LAN can access.

Replace the main router with your FreeBSD gateway box, or just cable your 
main router to the FreeBSD gateway box running the ipfilter or pf firewall 
and dhcp. Then cable the second NIC on the FreeBSD gateway box to your 
existing switch. Configure dhcp on the FreeBSD gateway box to issue IP 
addresses in the 10.0.10.0 range and specify the IP addresses of the DNS 
servers of the ISP. Enable the NAT (network address translation) function of 
the firewall.

If you replace the main router with the FreeBSD gateway box, then the 
FreeBSD gateway box will get the public routable IP address assigned by 
the ISP. If you place the FreeBSD gateway box downstream of the main 
router, then it will get a 192.168.x.x IP address from the main router. 
This is ok and will work fine.

You did not say, but some ISP modems have built-in routers; if that is 
what you are calling the main router, then you can not replace it. Your 
FreeBSD gateway box has to be downstream in this case.

Here is a good resource for you to review, the "Freebsd Install Guide" at 
www.a1poweruser.com
> 
> snip
> 
> Finally another solution would be to install in each PC a kind of Nanny 
> software but only if free, otherwise is not a solution (I do not know of 
> any yet but will do searching the following hours).
> 
> snip
> 
> 

On each FreeBSD PC, blocking selected IP addresses can be done using the 
"route" command with the "-blackhole" flag.

Example:

To Add use      route add -host attacker_ip 127.0.0.1 -blackhole

To Delete use   route delete -host attacker_ip 127.0.0.1 -blackhole

To List use     netstat -nr | grep 127

This is executed in the IP stack and is faster than in the firewall when 
you have over 20 of those special "deny this IP address" rules in the 
firewall. In your case the "attacker_ip" is found by using the "dig" 
command: "dig www.facebook.com" returns the IP address 69.171.228.40.

You can create a script (route_blackholed_ip.sh) containing route 
commands for all the IP addresses that you want to block and save it to 
/usr/local/etc/rc.d/ so it will be run at boot time from the USB thumb 
drives your students use to boot FreeBSD from.
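As an added example (not part of the list post above), here is one way to write the blackhole script the post describes. It is a plain POSIX sh script that reads a list of IPv4 addresses from a file, validates each entry before passing it to route(8), and accepts start/stop arguments like the scripts kept in /usr/local/etc/rc.d. The file names, the ROUTE_CMD and BLOCKLIST variables, and the sample list are assumptions made for this example; 69.171.228.40 is the address quoted in the post, and 192.0.2.10 is a documentation address used as a placeholder. Note that large sites answer from many addresses, so one dig answer will rarely cover a site completely; the list file is there so more addresses can be added as they are found. Setting ROUTE_CMD=echo gives a dry run that prints the commands without touching the routing table.

```shell
#!/bin/sh
# Hypothetical /usr/local/etc/rc.d/route_blackholed_ip.sh (example script,
# not from the list post). Installs "blackhole" host routes for every IPv4
# address listed in BLOCKLIST so the local IP stack drops packets to them.
# Assumes FreeBSD's route(8). ROUTE_CMD=echo turns it into a dry run.

ROUTE_CMD="${ROUTE_CMD:-route}"
# Constructed list file: one address per line, '#' starts a comment.
BLOCKLIST="${BLOCKLIST:-/usr/local/etc/blackhole_ips.txt}"

# Returns 0 if $1 is a dotted-quad IPv4 address with four octets in 0-255.
is_ipv4() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Prints the route(8) command line for $1 (add|delete) and address $2,
# in the form the post shows: route add -host <ip> 127.0.0.1 -blackhole
blackhole_cmd() {
    printf 'route %s -host %s 127.0.0.1 -blackhole\n' "$1" "$2"
}

# Applies $1 (add|delete) to every valid address in file $2.
# Blank lines and comments are ignored; invalid entries are reported on
# stderr and skipped rather than handed to route(8).
apply_blocklist() {
    action=$1
    file=$2
    while IFS= read -r line || [ -n "$line" ]; do
        ip=${line%%#*}                           # drop trailing comment
        ip=$(printf '%s' "$ip" | tr -d ' \t')    # drop surrounding blanks
        [ -z "$ip" ] && continue
        if is_ipv4 "$ip"; then
            $ROUTE_CMD "$action" -host "$ip" 127.0.0.1 -blackhole
        else
            echo "skipping invalid blocklist entry: $line" >&2
        fi
    done < "$file"
}

case ${1:-} in
    start)  apply_blocklist add "$BLOCKLIST" ;;
    stop)   apply_blocklist delete "$BLOCKLIST" ;;
    list)   netstat -nr | grep 127 ;;   # the listing command from the post
    *)      ;;                          # no argument: functions only
esac
```

A sample /usr/local/etc/blackhole_ips.txt for this script would hold lines such as `69.171.228.40 # www.facebook.com at the time of the post`; running the script with `start` installs the routes and `stop` removes them again.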

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4F85880C.7050700>