Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

Tue Apr 10 17:42:24 UTC 2012

Jorge Biquez <jbiquez at intranet.com.mx> wrote:
>
> Hello all.
>
> One of the managers asked me for help to block some web sites were 
> some students in the other lab and people that helps there waste 
> bandwithd seeing videos, movies (youtube, cuevana, serieid, etc) and 
> spend lot of time on facebook also. Our bandwidth is only 4Mb and you 
> understand that with a few that are seeing movies and videos the rest 
> of us can not work at all. Thing is that "other manager" (you know 
> how those things are sometimes) do not want us to do that since his 
> "guru" and expert is the one that controls all the Network. So the 
> best we could get until now is that we can do "all we can" without 
> touching the Cisco routers and until now not administrative password 
> for change anything on the PCs (that could change one we prove that 
> we can have the solution and show it to the board of people that runs 
> the place).

[.. sneck ]]

> So, in this kind of schema. Do you think FreeBSD (even linux) could 
> be of help if we do not have access to routers, switches and can not 
> install new software on the PCs( the ones running XP)?
>
> Any comments you have that could help me to solve this challenge?

This is doable -if- you can insert a, say FreeBSD, box in the network
-between- the labs and the outside world, where all the traffic can
be forced to go -through- that box.  it would basically function as a i
two-port router.   This would probably require 'minor' configuration
changes on the boxes on each side of the box you are adding (tweaking
the 'routing' stuff, because there will be a new device/IP-address
involved).

IF you can get a box in that position, then 'ipfw', or 'pf', the 'firewall'
utilities, will allow you to block traffic to/from selected netblocks.

It will be somewhat 'maintainence' intensive, keeping the address-block
list up to date -- as users find 'new and different' sources for the
'banned' content.

somewhat *more* effective would be a tool that monitors 'who' each
PC in the lab is connected to, -and- an indication of traffic levels
or that PC.   this can be accomplished by a box sitting somwehre that
it can 'see' all the LAN traffic -- does -not- have to be inserted
in-line like the 'filtering' box does.   Something like 'tcpdump' to
capture LAN traffic, piped into a (probably custom) analyzer that tracks
source/dest IP addresses, packet 'data' size, and relevant data 'flags'
(syn/fin mostly) can tell the lab supervisor  which use they need to
'speak firmly' to.  This -is- a 'people' problem, not a technology 
issue -- therefore, make the solution a *people*-based one.