From owner-freebsd-questions@FreeBSD.ORG Wed Apr 11 23:24:38 2012
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 92FC11065670 for ; Wed, 11 Apr 2012 23:24:38 +0000 (UTC) (envelope-from jherman@dichotomia.fr)
Received: from mail.dichotomia.fr (hydrogen.dichotomia.net [91.121.82.228]) by mx1.freebsd.org (Postfix) with ESMTP id 3F34C8FC12 for ; Wed, 11 Apr 2012 23:24:38 +0000 (UTC)
Received: from [192.168.2.11] (unknown [109.190.13.180]) (Authenticated sender: kha@dichotomia.fr) by sslmail.dichotomia.fr (Postfix) with ESMTPSA id 481A53DD07C for ; Thu, 12 Apr 2012 01:14:07 +0200 (CEST)
Message-ID: <4F86102B.2050205@dichotomia.fr>
Date: Thu, 12 Apr 2012 01:13:47 +0200
From: Jerome Herman
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
References: <3416873322-176955401@intranet.com.mx>
In-Reply-To: <3416873322-176955401@intranet.com.mx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (sslmail.dichotomia.fr); Thu, 12 Apr 2012 01:14:07 +0200 (CEST)
Subject: Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 11 Apr 2012 23:24:38 -0000

On 10/04/2012 05:27, Jorge Biquez wrote:
> Hello all.
>
> I am sorry if this is kind of off-topic. I am looking for help from more
> experienced people in these areas. Please let me know if this question
> should be moved to the FREEBSD-CHAT list.
>
> As I have mentioned before, I am helping a school, a non-profit, with
> their IT issues.
> As always there are some "experts" that control
> everything and do not let you change anything because it is their
> kingdom. Anyway, there we have Internet service from a cable company
> and they have some Cisco routers to receive the access and from there
> some Cisco switches.

They won't let you do things not because it is their "kingdom", but because they certainly have a contract with prices for services and penalties for lack of service. As IT professionals they want to make their lives simpler and have whoever benefits from a service pay for it. This is a logical and sane attitude to have.

Now if you want to meddle with the stuff they are legally responsible for, you need to prove a few things to them:

1 - Nothing you do will impact them in terms of workload. You might be working for free (and it is very noble of you), but they are trying to earn their living here. So more work for the same price is not an option.

2 - You can be trusted and you have good skills. This starts by explaining fully what you want to achieve, how you will do it and (most important point) how fast anything you do can be undone. No matter what solution you choose, it is likely to have side effects, especially since you have no knowledge of what is installed and how it is set up, except what you can guess by probing here and there without administrative rights. No matter how simple and innocuous your solution may seem, it might break the first rule; for example, a FreeBSD gateway might prevent patches from a WSUS server from being applied, it might prevent remote control, it might prevent alert mails from being sent or received, and so on.

3 - You have to write the full documentation of what you are going to do, and give all the administrative passwords of your solution to the "experts", complete with a good deal of explanation on how to use, remove or change the system. It is also important that they know they can remove your own rights on your own solution if need be.
The reasons are that you may not always be available, and you may not always be lucid or on good terms with the school. If a problem arises they have to be able to take full control back, one way or another.

4 - You will find a way to pay them for your solution. Even if you do everything yourself, and have enough skill to do it right without them helping at any point (which is extremely unlikely), the time needed for the "experts" to review, test, validate and potentially maintain your solution will have to be paid for. The closer the solution is to what they already know and have staff trained for, the lighter the price. But do not expect them to accept a solution that might bring them trouble but won't bring them money.

The main problem you might have is that you do not seem to have any respect for the guys in charge. True, I do not know your history with them, and they may not deserve respect, but as an IT manager for quite a lot of companies, both large and small, I can tell you one thing: we positively loathe the smart guy with a (most of the time very small) IT background who springs out of nowhere to bring simple solutions to complex problems. 99.9% of the time they end up giving up with the job half done, or they disappear just as suddenly as they appeared, taking all their knowledge with them. From the director's 13-year-old nephew who can have the thing running in minutes (or so the director seems to think) to the junior analyst who will replace a behemoth of ETL-processed files and Excel sheets with a single Access app because he read the first three chapters of "VBA for Brain Damaged" last week, we see them coming from miles away, and needless to say there is no warm welcome when they finally arrive. The only way to get anywhere is to be humble and then impress the "experts" with your professional and exhaustive approach to the problem.
Anything else will lead to the "experts" telling you that to achieve the result you want you will need to purchase the solution they know (probably a Checkpoint/Barracuda/Blue Coat/whatever appliance) and then pay monthly for maintenance.

There are literally thousands of solutions to your problem, ranging from simply installing K9 on every computer to a complex setup with QoS, LDAP/Kerberos auth and rights delegation, going up to a redundant active proxy with cache and filtering. Given the small size of the LAN, an old and small computer with two Ethernet cards and pfSense could probably do the trick, but you will need insight from the guys in charge to be sure. DansGuardian can offer content filtering, but will require more RAM and CPU power. Cheap commercial appliances will do everything you need and more for around $2000, with a lot less hassle to set up than a custom solution and nice technical support from the vendor. Unfortunately a yearly fee is to be expected for it to work at full potential. Cheap routers from a wide range of vendors will do everything you need, or close to it, for around $600, but the setup will require a lot more knowledge. The ultra-cheap WRT54GL can do pretty much anything you need for around $60, but it can be tedious to set up. Other routers compatible with OpenWRT can work too (the WZR-HP-AG300H being a good candidate, though I never tested it myself).