Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?
jherman at dichotomia.fr
Wed Apr 11 23:24:38 UTC 2012
On 10/04/2012 05:27, Jorge Biquez wrote:
> Hello all.
> I am sorry if this is kind OFF Topic. I am looking for help from more
> experienced people in these areas. Please let me know if this question
> should be moved to FREEBSD-CHAT list.
> As I have mentioned before I am helping a school, a non-profit, with
> their IT issues. As always there are some "experts" that control
> everything and do not let you change anything because it is their
> kingdom. Anyway, there we have Internet service from a cable company
> and they have some Cisco routers to receive the access and from there
> some Cisco switches.
They won't let you do things not because it is their "kingdom", but
because they certainly have a contract with prices for services and
penalties for lack of services. As IT professionals they want to make
their lives simpler and have whoever benefits from a service pay for it.
This is a logical and sane attitude to have. Now if you want to meddle
with the stuff they are legally responsible for you need to prove a
few things to them:
1 - Nothing you do will impact them in terms of workload. You might be
working for free (and it is very noble of you), but they are trying to
earn their living here. So more work for the same price is not an option.
2 - You can be trusted and you have good skills. This starts by
explaining fully what you want to achieve, how you will do it and (most
important point) how fast anything you do can be undone. No matter what
solution you choose it is likely to have side effects, especially since
you have no knowledge of what is installed and how it is set up, except
what you can guess probing here and there without administrative rights.
No matter how simple and innocuous your solution may seem, it might break
the first rule; for example a FreeBSD gateway might prevent patches from
a WSUS server from being applied, it might prevent remote control, it might
prevent alert mails from being sent or received and so on.
3 - You have to write the full documentation of what you are going to
do, give all the administrative passwords of your solution to the
"experts", complete with a good deal of explanation on how to use,
remove or change the system. It is also important that they know they
can remove your own rights on your own solution if need be. The reasons
are that you may not always be available and you may not always be lucid or
on good terms with the school. If a problem arises they have to be able
to take full control back, one way or another.
4 - You will find a way to pay them for your solution. Even if you do
everything yourself, and have enough skill to do it right without them
helping at any point (which is extremely unlikely), the time needed for
the "experts" to review, test, validate and potentially maintain your
solution will have to be paid. The closer the solution is to what they
already know and have a staff trained for, the lighter the price. But do
not expect them to accept a solution that might bring them trouble but
won't bring them money.
The main problem you might have is that you do not seem to have any
respect for the guys in charge. True, I do not know your history with
them, and they may not deserve respect, but as an IT manager for quite a
lot of companies both large and small I can tell you one thing: we
positively loathe the smart guy with a (most of the time very small) IT
background who springs out of nowhere to bring simple solutions to
complex problems. 99.9% of the time they end up giving up with the job
half done or they disappear just as suddenly as they appeared, taking all
their knowledge with them. From the director's 13-year-old nephew who can
have the thing running in minutes (or so the director seems to think) to
the junior analyst who will replace a behemoth of ETL processed files
and Excel sheets with a single Access app because he read the first
three chapters of "VBA for Brain Damaged" last week, we see them coming
from miles away and needless to say there is no warm welcome when
they finally arrive.
The only way to get anywhere is to be humble and then impress the
"experts" with your professional and exhaustive approach to the
problem. Anything else will lead to the "experts" telling you that to
achieve the result you want you will need to purchase the solution they
know (probably a Check Point/Barracuda/Blue Coat/whatever appliance) and
then pay monthly for maintenance.
There are literally thousands of solutions to your problem, ranging from
simply installing K9 on every computer to a complex setup with QoS,
LDAP/Kerberos auth and rights delegation going to a redundant active
proxy with cache and filtering.
Given the small size of the LAN, an old and small computer with two
Ethernet cards and pfSense could probably do the trick, but you will
need insight from the guys in charge to be sure.
DansGuardian can offer content filtering, but will require more RAM and
Cheap commercial appliances will do everything you need and more for
around $2000, with a lot less hassle to set up than a custom solution
and nice technical support from the vendor. Unfortunately a yearly fee
is to be expected for it to work at full potential.
Cheap routers from a wide range of vendors will do everything you need or
close to it for around $600, but the setup will require a lot more knowledge.
Ultra-cheap WRT54GL can do pretty much anything you need for around $60, but
it can be tedious to set up. Other routers compatible with OpenWRT can
work too (WZR-HP-AG300H being a good candidate, though I never tested it