Date:      Thu, 12 Apr 2012 01:13:47 +0200
From:      Jerome Herman <>
Subject:   Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

On 10/04/2012 05:27, Jorge Biquez wrote:
> Hello all.
> I am sorry if this is kind of off topic. I am looking for help from more 
> experienced people in these areas. Please let me know if this question 
> should be moved to the FREEBSD-CHAT list.
> As I have mentioned before, I am helping a school, a non-profit, with 
> their IT issues. As always there are some "experts" that control 
> everything and do not let you change anything because it is their 
> kingdom. Anyway, there we have Internet service from a cable company 
> and they have some Cisco routers to receive the access and from there 
> some Cisco switches.

They won't let you do things not because it is their "kingdom", but 
because they certainly have a contract with prices for services and 
penalties for lack of service. As IT professionals they want to make 
their lives simpler and have whoever benefits from a service pay for it.
This is a logical and sane attitude to have. Now if you want to meddle 
with the stuff they are legally responsible for, you need to prove a 
few things to them:
1 - Nothing you do will impact them in terms of workload. You might be 
working for free (and it is very noble of you), but they are trying to 
earn their living here. So more work for the same price is not an option.
2 - You can be trusted and you have good skills. This starts by 
explaining fully what you want to achieve, how you will do it and (most 
important point) how fast anything you do can be undone. No matter what 
solution you choose, it is likely to have side effects, especially since 
you have no knowledge of what is installed and how it is set up, except 
what you can guess by probing here and there without administrative rights. 
No matter how simple and innocuous your solution may seem, it might break 
the first rule; for example a FreeBSD gateway might prevent patches from 
a WSUS server from being applied, it might prevent remote control, it might 
prevent alert mails from being sent or received, and so on.
3 - You have to write the full documentation of what you are going to 
do, give all the administrative passwords of your solution to the 
"experts", complete with a good deal of explanation on how to use, 
remove or change the system. It is also important that they know they 
can remove your own rights on your own solution if need be. The reasons 
are that you may not always be available and you may not always be lucid or 
on good terms with the school. If a problem arises they have to be able 
to take full control back, one way or another.
4 - You will find a way to pay them for your solution. Even if you do 
everything yourself, and have enough skill to do it right without them 
helping at any point (which is extremely unlikely), the time needed for 
the "experts" to review, test, validate and potentially maintain your 
solution will have to be paid. The closer the solution is to what they 
already know and have a staff trained for, the lower the price. But do 
not expect them to accept a solution that might bring them trouble but 
won't bring them money.

The main problem you might have is that you do not seem to have any 
respect for the guys in charge. True, I do not know your history with 
them, and they may not deserve respect, but as an IT manager for quite a 
lot of companies, both large and small, I can tell you one thing: we 
positively loathe the smart guy with a (most of the time very small) IT 
background who springs out of nowhere to bring simple solutions to 
complex problems. 99.9% of the time they end up giving up with the job 
half done, or they disappear just as suddenly as they appeared, taking all 
their knowledge with them. From the director's 13-year-old nephew who can 
have the thing running in minutes (or so the director seems to think) to 
the junior analyst who will replace a behemoth of ETL-processed files 
and Excel sheets with a single Access app because he has read the first 
three chapters of "VBA for Brain Damaged" last week, we see them coming 
from miles away, and needless to say there are no warm welcomes when 
they finally arrive.
The only way to get anywhere is to be humble and then impress the 
"experts" with your professional and exhaustive approach to the 
problem. Anything else will lead to the "experts" telling you that to 
achieve the result you want you will need to purchase the solution they 
know (probably a Checkpoint/Barracuda/Blue Coat/whatever else appliance) and 
then pay monthly for maintenance.

There are literally thousands of solutions to your problem, ranging from 
simply installing K9 on every computer to a complex setup with QoS, 
LDAP/Kerberos auth and rights delegation going to a redundant active 
proxy with cache and filtering.

Given the small size of the LAN, an old and small computer with two 
Ethernet cards and pfSense could probably do the trick, but you will 
need insight from the guys in charge to be sure.
DansGuardian can offer content filtering, but will require more RAM and 
CPU power.
Cheap commercial appliances will do everything you need and more for 
around $2000, with a lot less hassle to set up than a custom solution 
and nice technical support from the vendor. Unfortunately a yearly fee 
is to be expected for it to work at full potential.
Cheap routers from a wide range of vendors will do everything you need or 
close to it for around $600, but the setup will require a lot more knowledge.
Ultra cheap WRT54GL can do pretty much anything you need for around $60, but 
it can be tedious to set up. Other routers compatible with OpenWRT can 
work too (WZR-HP-AG300H being a good candidate, though I never tested it 
