Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
Fbsd8
fbsd8 at a1poweruser.com
Wed Apr 11 13:33:22 UTC 2012
Jorge Biquez wrote:
> Hello all.
>
> snip
> In the classrooms we have very old PCs running XP. In some of my classes
> I am using FreeBSD and Ubuntu running on a USB. So each student has one
> USB and they work that way, booting from their 4GB USB stick. (It is slow
> but it has worked until now.)
>
> One of the managers asked me for help to block some web sites where some
> students in the other lab and people who help there waste bandwidth
> seeing videos, movies (youtube, cuevana, serieid, etc) and spend a lot of
> time on facebook also. Our bandwidth is only 4Mb and you understand that
> with a few that are seeing movies and videos the rest of us cannot work
> at all.
>
> snip
>
> Another solution I was thinking of while coming home was to convert one
> machine there to a FreeBSD server and use it as a router (if they let
> me) so that way I can control from there and do filtering. The issue is that
> maybe they will not let me, but I could connect the server as an extra machine
> without replacing the main router, so in that case I would have 2 DHCP
> servers doing the same service on the same LAN and there could be conflicts I
> guess.
This method is very common. You have 2 methods here. Both methods will
give you a central location to control both Windows and FreeBSD PCs on
the local LAN as to what IP addresses they can access.
Replace the main router with your FreeBSD gateway box, or just cable your
main router to the FreeBSD gateway box running the ipfilter or pf firewall
and dhcp. Then cable the second NIC on the FreeBSD gateway box to your
existing switch. Configure dhcp on the FreeBSD gateway box to issue IP
addresses in the 10.0.10.0 range and specify the IP addresses of the ISP's
DNS servers. Enable the NAT (network address translation) function of
the firewall.
If you replace the main router with the FreeBSD gateway box, then the
FreeBSD gateway box will get the public routable IP address assigned by
the ISP. If you place the FreeBSD gateway box downstream of the main
router, then it will get a 192.168.x.x IP address from the main router.
This is ok and will work fine.
You did not say, but some ISP modems have built-in routers; if that is
what you are calling the main router then you cannot replace it. Your
FreeBSD gateway box has to be downstream in this case.
Here is a good resource for you to review, the "FreeBSD Install Guide" at
www.a1poweruser.com
>
> snip
>
> Finally another solution would be to install on each PC a kind of Nanny
> software, but only if it is free; otherwise it is not a solution (I do not know of
> any yet but will do searching the following hours).
>
> snip
>
>
On each FreeBSD PC, blocking selected IP addresses can be done using the
"routed blackhole" command.
Example:
  To add:    route add -host attacker_ip 127.0.0.1 -blackhole
  To delete: route delete -host attacker_ip 127.0.0.1 -blackhole
  To list:   netstat -nr | grep 127
This is executed in the IP stack and is faster than in the firewall when
you have over 20 of those special "deny this IP address" rules in the
firewall. In your case the "attacker_ip" is found by using the "dig"
command; "dig www.facebook.com" returns the IP address 69.171.228.40.
You can create a script (route_blackholed_ip.sh) containing route
commands for all the IP addresses that you want to block and save it to
/usr/local/etc/rc.d/ so it will be run at boot time from the USB thumb
drives your students use to boot FreeBSD from.
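Added example (not part of the original message or the a1poweruser.com guide): a start/stop script in the spirit of the route_blackholed_ip.sh described above. The host list, the DRY_RUN variable and the function names are assumptions; it resolves each host with dig at boot, since CDN-hosted sites return several A records that change over time, and it prints the route(8) commands so the list can be reviewed before they are executed as root.

```shell
#!/bin/sh
# Constructed example of /usr/local/etc/rc.d/route_blackholed_ip.sh
# (install with mode 0755). Run "start" at boot, "stop" to undo.

# Sites to blackhole, one hostname per line (constructed sample list).
BLOCKED_HOSTS="www.facebook.com
www.youtube.com"

# Resolve a hostname to its IPv4 addresses with dig(1); assumes dig is
# installed and the network is up (no result means nothing gets blocked).
resolve_host() {
    dig +short "$1" A | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print one route(8) command per address: "$1" is add|delete, the rest
# are IPs. Emitting text first lets the result be checked before running.
route_cmds() {
    action="$1"; shift
    for ip in "$@"; do
        printf 'route %s -host %s 127.0.0.1 -blackhole\n' "$action" "$ip"
    done
}

# Execute each command read from stdin, or only echo it when DRY_RUN is set.
apply_cmds() {
    while IFS= read -r cmd; do
        if [ -n "$DRY_RUN" ]; then echo "$cmd"; else $cmd; fi
    done
}

# add|delete a blackhole route for every address of every blocked host.
blackhole_all() {
    for host in $BLOCKED_HOSTS; do
        # shellcheck disable=SC2046  # word-splitting the IP list is intended
        route_cmds "$1" $(resolve_host "$host") | apply_cmds
    done
}

main() {
    case "$1" in
        start)  blackhole_all add ;;
        stop)   blackhole_all delete ;;
        status) netstat -rn | awk '$3 ~ /B/' ;;  # B flag = RTF_BLACKHOLE
        *)      echo "usage: $0 start|stop|status" >&2; return 1 ;;
    esac
}
# Dispatch only when invoked with an argument (rc.d passes start/stop).
[ -n "${1:-}" ] && main "$@"
```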