Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
Robert Bonomi
bonomi at mail.r-bonomi.com
Tue Apr 10 17:42:24 UTC 2012
Jorge Biquez <jbiquez at intranet.com.mx> wrote:
>
> Hello all.
>
> One of the managers asked me for help to block some web sites where
> some students in the other lab and people that help there waste
> bandwidth seeing videos, movies (youtube, cuevana, serieid, etc) and
> spend a lot of time on facebook also. Our bandwidth is only 4Mb and you
> understand that with a few that are seeing movies and videos the rest
> of us can not work at all. Thing is that "other manager" (you know
> how those things are sometimes) does not want us to do that since his
> "guru" and expert is the one that controls all the Network. So the
> best we could get until now is that we can do "all we can" without
> touching the Cisco routers and until now no administrative password
> for changing anything on the PCs (that could change once we prove that
> we can have the solution and show it to the board of people that runs
> the place).
[.. snip ..]
> So, in this kind of schema, do you think FreeBSD (even Linux) could
> be of help if we do not have access to routers, switches and can not
> install new software on the PCs (the ones running XP)?
>
> Any comments you have that could help me to solve this challenge?
This is doable -if- you can insert a, say, FreeBSD box in the network
-between- the labs and the outside world, where all the traffic can
be forced to go -through- that box. It would basically function as a
two-port router. This would probably require 'minor' configuration
changes on the boxes on each side of the box you are adding (tweaking
the 'routing' stuff, because there will be a new device/IP-address
involved).
IF you can get a box in that position, then 'ipfw', or 'pf', the 'firewall'
utilities, will allow you to block traffic to/from selected netblocks.
It will be somewhat 'maintenance' intensive, keeping the address-block
list up to date -- as users find 'new and different' sources for the
'banned' content.
Somewhat *more* effective would be a tool that monitors 'who' each
PC in the lab is connected to, -and- an indication of traffic levels
for that PC. This can be accomplished by a box sitting somewhere that
it can 'see' all the LAN traffic -- it does -not- have to be inserted
in-line like the 'filtering' box does. Something like 'tcpdump' to
capture LAN traffic, piped into a (probably custom) analyzer that tracks
source/dest IP addresses, packet 'data' size, and relevant data 'flags'
(syn/fin mostly) can tell the lab supervisor which users they need to
'speak firmly' to. This -is- a 'people' problem, not a technology
issue -- therefore, make the solution a *people*-based one.
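As an added illustration (not code from the list post or from any FreeBSD tool), here is a small version of the 'custom analyzer' described above: it reads `tcpdump -nn -tt` style lines, attributes each TCP packet to the lab PC involved, and tallies payload bytes, SYNs opened by the PC and FINs per remote host. The lab subnet prefix and the sample capture lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -nn -tt` output (not a real capture).
SAMPLE = """\
1334079744.000001 IP 192.168.1.10.49152 > 203.0.113.5.443: Flags [S], seq 100, win 65535, length 0
1334079744.100002 IP 203.0.113.5.443 > 192.168.1.10.49152: Flags [S.], seq 200, ack 101, win 65535, length 0
1334079744.200003 IP 203.0.113.5.443 > 192.168.1.10.49152: Flags [P.], seq 201:1601, ack 101, win 65535, length 1400
1334079744.300004 IP 203.0.113.5.443 > 192.168.1.10.49152: Flags [.], seq 1601:3001, ack 101, win 65535, length 1400
1334079745.000006 IP 192.168.1.11.50000 > 198.51.100.7.80: Flags [S], seq 300, win 65535, length 0
1334079745.100007 IP 192.168.1.11.50000 > 198.51.100.7.80: Flags [P.], seq 301:601, ack 1, win 65535, length 300
1334079745.200008 IP 192.168.1.11.50001 > 198.51.100.7.80: Flags [S], seq 400, win 65535, length 0
1334079745.300009 IP 192.168.1.11.50000 > 198.51.100.7.80: Flags [F.], seq 601, ack 1, win 65535, length 0
1334079746.000010 IP 192.168.1.10.53222 > 192.168.1.1.53: 12345+ A? example.com. (29)
"""
LAN_PREFIX = "192.168.1."  # assumed lab subnet; replace with the real one

# src.port > dst.port, the TCP flag letters, and the payload length.
TCP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: "
                    r"Flags \[([^\]]*)\].*?length (\d+)")
def summarize(lines, lan_prefix=LAN_PREFIX):
    """Per lab PC and remote host: payload bytes, SYNs sent by the PC, FINs seen."""
    stats = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "syns": 0, "fins": 0}))
    for line in lines:
        m = TCP_RE.search(line)
        if not m:
            continue  # non-TCP line (DNS, ICMP, ...) or something we cannot parse
        src, dst, flags, length = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if src.startswith(lan_prefix):      # upload from a lab PC
            pc, remote = src, dst
        elif dst.startswith(lan_prefix):    # download to a lab PC
            pc, remote = dst, src
        else:
            continue  # traffic that does not involve a lab PC
        e = stats[pc][remote]
        e["bytes"] += length
        if pc == src and "S" in flags and "." not in flags:
            e["syns"] += 1  # a plain SYN: new connection opened by the PC
        if "F" in flags:
            e["fins"] += 1
    return stats
def top_talkers(stats):
    """(pc, remote, bytes, syns, fins) tuples, heaviest byte count first."""
    rows = [(pc, rem, e["bytes"], e["syns"], e["fins"])
            for pc, rems in stats.items() for rem, e in rems.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for pc, rem, nbytes, syns, fins in top_talkers(summarize(SAMPLE.splitlines())):
        print(f"{pc:<14} -> {rem:<14} {nbytes:>7} bytes  syn={syns} fin={fins}")
```

In real use, feed `summarize()` with `sys.stdin` from something like `tcpdump -nn -tt -i <lan_if> tcp` run on the box that sees the LAN traffic; the interface name is whatever the monitoring host uses.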