From owner-freebsd-questions@FreeBSD.ORG Wed Apr 11 13:33:22 2012
From: Fbsd8 <fbsd8@a1poweruser.com>
To: Jorge Biquez
Cc: freebsd-questions@FreeBSD.org
Subject: Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
Date: Wed, 11 Apr 2012 09:33:00 -0400
Message-ID: <4F85880C.7050700@a1poweruser.com>
In-Reply-To: <3416873322-176955401@intranet.com.mx>
References: <3416873322-176955401@intranet.com.mx>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)

Jorge Biquez wrote:
> Hello all.
> snip
>
> In the classrooms we have very old PCs running XP. In some of my classes
> I am using FreeBSD and Ubuntu running on a USB. So each student has one
> USB and they work that way, booting from their 4GB USB stick (it is slow
> but it has worked until now).
>
> One of the managers asked me for help to block some web sites where some
> students in the other lab and people that help there waste bandwidth
> watching videos and movies (youtube, cuevana, serieid, etc.) and spend a
> lot of time on facebook also. Our bandwidth is only 4Mb and you understand
> that with a few that are watching movies and videos the rest of us cannot
> work at all.
>
> snip
>
> Another solution I was thinking of while coming home was to convert one
> machine there to a FreeBSD server and use it as a router (if they let
> me), so that way I can control from there and do filtering. The issue is
> that maybe they do not let me, but connect the server as an extra machine
> without replacing the main router; in that case I would have 2 DHCP
> servers doing the same service in the same LAN and there could be
> conflicts, I guess.

This method is very common. You have 2 methods here. Both methods will give
you a central location to control both Windows and FreeBSD PCs on the local
LAN as to what IP addresses they can access.

Replace the main router with your FreeBSD gateway box, or just cable your
main router to the FreeBSD gateway box running an ipfilter or pf firewall
and DHCP. Then cable from the second NIC on the FreeBSD gateway box to your
existing switch. Configure DHCP on the FreeBSD gateway box to issue IP
addresses in the 10.0.10.0 range and specify the IP addresses of the ISP's
DNS servers. Enable the NAT (network address translation) function of the
firewall.

If you replace the main router with the FreeBSD gateway box, then the
FreeBSD gateway box will get the public routable IP address assigned by the
ISP. If you place the FreeBSD gateway box downstream of the main router,
then it will get a 192.168.x.x IP address from the main router. This is OK
and will work fine.

You did not say, but some ISP modems have built-in routers; if that is what
you are calling the main router then you cannot replace it. Your FreeBSD
gateway box has to be downstream in this case.

Here is a good resource for you to review: "Freebsd Install Guide" at
www.a1poweruser.com

> snip
>
> Finally another solution would be to install in each PC a kind of Nanny
> software, but only if free, otherwise it is not a solution (I do not know
> of any yet but will do some searching in the following hours).
>
> snip

On each FreeBSD PC, blocking selected IP addresses can be done using the
"routed blackhole" command. Example:

  To add:     route add -host attacker_ip 127.0.0.1 -blackhole
  To delete:  route delete -host attacker_ip 127.0.0.1 -blackhole
  To list:    netstat -nr | grep 127

This is executed in the IP stack and is faster than in the firewall when you
have over 20 of those special "deny this IP address" rules in the firewall.

In your case the "attacker_ip" is found by using the "dig" command;
"dig www.facebook.com" returns the IP address 69.171.228.40.

You can create a script (route_blackholed_ip.sh) containing route commands
for all the IP addresses that you want to block and save it in
/usr/local/etc/rc.d/ so it will be run at boot time on the USB thumb drives
your students use to boot FreeBSD from.
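The following is an added example, not part of the mail above or of any FreeBSD project code. It implements both blocking approaches the reply describes from one host list: resolve the A records once with dig, then emit either the boot-time route(8) blackhole script for each USB-booted PC or a pf table file for the gateway box. The hostnames in BLOCK_HOSTS, the table name <blocked>, the file paths mentioned in the comments and the sample dig output in the comments are all assumptions chosen for the example; the route syntax is the one quoted in the mail.

```shell
#!/bin/sh
# blocklist.sh: build a per-IP block list from a list of hostnames and emit it
# either as a route(8) blackhole script (one per FreeBSD PC) or as a pf table
# file (for the gateway). Added example; not from the original mail.
#
# Assumptions (not in the original mail): the hostnames below are placeholders,
# the pf table is called <blocked>, and dig(1) is available at generation time.

# Hostnames to block; placeholder list, edit to taste.
BLOCK_HOSTS="www.facebook.com www.youtube.com"

# filter_ipv4: pass only dotted-quad lines from stdin. `dig +short` prints the
# CNAME chain before the A records, so those names must be dropped.
filter_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# resolve_hosts HOST...: print the A records for the hosts, de-duplicated.
# Needs the network; dig comes from the dns/bind-tools port on newer releases.
resolve_hosts() {
    for h in "$@"; do
        dig +short A "$h"
    done | filter_ipv4 | sort -u
}

# route_cmd ACTION IP: the route(8) line that blackholes (or un-blackholes) IP.
# A host route to 127.0.0.1 flagged -blackhole makes the IP stack discard
# packets to that address before any firewall rule is consulted.
route_cmd() {
    printf 'route %s -host %s 127.0.0.1 -blackhole\n' "$1" "$2"
}

# emit_route_script IP...: a boot-time script body with one blackhole per IP.
# Resolving at generation time keeps the boot path independent of DNS.
emit_route_script() {
    printf '#!/bin/sh\n# generated by blocklist.sh: blackhole routes for blocked sites\n'
    for ip in "$@"; do
        route_cmd add "$ip"
    done
}

# emit_pf_table IP...: contents of a file loaded by a pf.conf line such as
#   table <blocked> persist file "/usr/local/etc/pf.blocked"
# one address per line, '#' comments allowed by pf.
emit_pf_table() {
    printf '# generated by blocklist.sh: addresses blocked via pf table <blocked>\n'
    for ip in "$@"; do
        printf '%s\n' "$ip"
    done
}

usage() {
    echo "usage: $0 route|pf [host ...]   (hosts default to \$BLOCK_HOSTS)" >&2
}

main() {
    mode=$1; shift
    [ $# -gt 0 ] || set -- $BLOCK_HOSTS      # intentional word split
    ips=$(resolve_hosts "$@")
    [ -n "$ips" ] || { echo "no addresses resolved" >&2; return 1; }
    case $mode in
        route) emit_route_script $ips ;;     # split on newlines
        pf)    emit_pf_table $ips ;;
        *)     usage; return 2 ;;
    esac
}

# Only act when a mode is given; sourcing the file just defines the functions.
case "${1:-}" in
    route|pf) main "$@" ;;
esac
```

On the USB image, `sh blocklist.sh route > /usr/local/etc/rc.d/route_blackholed_ip.sh` followed by `chmod +x` on the result gives the boot-time script the mail describes, with the addresses already resolved so the PCs do not depend on DNS at boot. On the gateway, `sh blocklist.sh pf > /usr/local/etc/pf.blocked` feeds a `table <blocked> persist file "/usr/local/etc/pf.blocked"` declaration in pf.conf together with a rule such as `block in quick on $int_if from 10.0.10.0/24 to <blocked>` (interface name and table name are assumptions here), and `pfctl -t blocked -T replace -f /usr/local/etc/pf.blocked` reloads the list without touching the rest of the ruleset. Either way the list only covers the A records returned at generation time; large sites answer from many rotating addresses, so regenerate it periodically rather than once.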