public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] internet/lan access control
@ 2005-10-27  3:17 Michael W. Holdeman
  2005-10-27 12:53 ` [gentoo-user] " James
  0 siblings, 1 reply; 6+ messages in thread
From: Michael W. Holdeman @ 2005-10-27  3:17 UTC
  To: gentoo-user

I have a home and office LAN using Comcast broadband cable for access. My 
office and laptop is Linux; the kids' home computers for homeschooling are 
running XP Home. I want to switch the home machines to Linux desktops and use 
VMware for running their homeschooling software.
Problem is I like the Comcast security manager system; it regulates the kids' 
access and is very easy (GUI) to manage. It is however being replaced by 
McAfee's system. It is not nearly as good.
Does anyone know of a system I can use in Linux on, say, a firewall or gateway 
machine (gw is now a Linksys wireless router) that is easy to work with and 
maintain, that will regulate specific users' internet access time etc...

Mike
-- 
 
Michael W. Holdeman


________________________________________
Powered by Gentoo Linux www.gentoo.org  |
Kernel 2.6.11-ck8                       |
Win4Lin 5-1-20 netraverse.com           |
Win4LinPro 6.1.1-03 win4lin.com         |
________________________________________|
-- 
gentoo-user@gentoo.org mailing list

* [gentoo-user]  Re: internet/lan access control
  2005-10-27  3:17 [gentoo-user] internet/lan access control Michael W. Holdeman
@ 2005-10-27 12:53 ` James
  2005-10-27 13:38   ` John Jolet
  2005-10-27 15:40   ` Michael W. Holdeman
  0 siblings, 2 replies; 6+ messages in thread
From: James @ 2005-10-27 12:53 UTC
  To: gentoo-user

Michael W. Holdeman <lists <at> ptfd.org> writes:


> I have a home and office LAN using Comcast broadband cable for access. My 
> office and laptop is Linux; the kids' home computers for homeschooling are 
> running XP Home. I want to switch the home machines to Linux desktops and 
> use VMware for running their homeschooling software.
> Problem is I like the Comcast security manager system; it regulates the kids' 
> access and is very easy (GUI) to manage. It is however being replaced by 
> McAfee's system. It is not nearly as good.
> Does anyone know of a system I can use in Linux on, say, a firewall 
> or gateway machine (gw is now a Linksys wireless router) that is easy 
> to work with and maintain, that will regulate specific users' internet 
> access time etc...


Well, there are lots of ways to 'skin the cat' here.

Here's a good overview of some of the tools that you could use:
http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12#doc_chap1
The section on Squid would apply particularly to you.

<snip>
In this case, my policy states:
    * Surfing (HTTP/HTTPS) is allowed during work hours (mon-fri 8-17 and sat
8-13), but if employees are here late they should work, not surf
    * Downloading files is not allowed (.exe, .com, .arj, .zip, .asf, .avi,
.mpg, .mpeg, etc)
    * We do not like banners, so they are filtered and replaced with a
transparent gif (this is where you get creative!).
    * All other connections to and from the Internet are denied.
<snip>

You'll most likely need a good firewall and an Application Level Gateway (ALG)
to get robust control of your networks.

On the firewall side of things, I have taken the 'painful' but superior route
of learning/testing/reading/testing/reading_some_more/testing.....
to use raw ipfilter/netfilter to achieve fine-grained control of networks.

Others will recommend you use a 'canned firewall' technology, such as
shorewall, fwbuilder (etc) along with various packages that create
your ALG. 

Learning raw ipfilter/netfilter is a very time consuming process, but,
well worth the effort, in my experience. With the help of this list,
you can achieve robust control over your networks, but, it
does take time.  The good thing about investing the time in a Linux
setting is that once you have a network management system in place, it's
very straightforward to maintain, you do not have to spend money
or waste time on vendors, and you learn how to *TEST* what you have
to verify it works properly. Using a vendor, makes you subjectively
vulnerable to the vendor's financial goals and technical limitations.
You'll not likely be able to afford a company that has 1/10th the
security expertise, that this list offers for free. 

Regardless of the path you choose, you have to test, modify and test
your network again, with a variety of tools, to ensure robust content
control and sufficient security.

I'll assume you want the easy, minimal_pain route to controlling your
networks, so I'll let the others pitch easy solutions that allow
use of software packages such as shorewall + squid etc.

If you want some more links to read about raw ipfilters, just let me know.

HTH,
James

* Re: [gentoo-user]  Re: internet/lan access control
  2005-10-27 12:53 ` [gentoo-user] " James
@ 2005-10-27 13:38   ` John Jolet
  2005-10-27 13:59     ` James
  2005-10-27 15:40   ` Michael W. Holdeman
  1 sibling, 1 reply; 6+ messages in thread
From: John Jolet @ 2005-10-27 13:38 UTC
  To: gentoo-user

On Thursday 27 October 2005 07:53, James wrote:
> Well, there are lots of ways to 'skin the cat' here.
>
> Here's a good overview of some of the tools that you could use:
> http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12#doc_chap1
> The section on Squid would apply particularly to you.
>
> <snip>
> In this case, my policy states:
>     * Surfing (HTTP/HTTPS) is allowed during work hours (mon-fri 8-17 and
> sat 8-13), but if employees are here late they should work, not surf
>     * Downloading files is not allowed (.exe, .com, .arj, .zip, .asf, .avi,
> .mpg, .mpeg, etc)
>     * We do not like banners, so they are filtered and replaced with a
> transparent gif (this is where you get creative!).
>     * All other connections to and from the Internet are denied.
> <snip>
Would it be possible to see an example of the squid config that does this?

-- 
John Jolet
Your On-Demand IT Department
512-762-0729
www.jolet.net
john@jolet.net
-- 
gentoo-user@gentoo.org mailing list

* [gentoo-user]  Re: internet/lan access control
  2005-10-27 13:38   ` John Jolet
@ 2005-10-27 13:59     ` James
  0 siblings, 0 replies; 6+ messages in thread
From: James @ 2005-10-27 13:59 UTC
  To: gentoo-user

John Jolet <john <at> jolet.net> writes:



> > http://www.gentoo.org/doc/en/security/
> > security-handbook.xml?part=1&chap=12#doc_chap1
> > The section on Squid would apply particularly to you.


> > In this case, my policy states:
> >     * Surfing (HTTP/HTTPS) is allowed during work hours (mon-fri 8-17 and
> > sat 8-13), but if employees are here late they should work, not surf
> >     * Downloading files is not allowed (.exe, .com, .arj, .zip, .asf, .avi,
> > .mpg, .mpeg, etc)
> >     * We do not like banners, so they are filtered and replaced with a
> > transparent gif (this is where you get creative!).
> >     * All other connections to and from the Internet are denied.

> would it be possible to see an example of the squid config that does this?

As stated above:
www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12#doc_chap1


I'm still testing my raw setup of iptables. When I'm done and somewhat satisfied
with my iptables setup, then I'll be drilling into the Application Level Gateway
implementation, squid being one possibility. I intend to document what I end
up with, as most of what's on the net is old/dated and does not use the latest
features of iptables, or they are trite examples such as a dual ethernet based
firewall....

Hopefully, google & searches will return many examples of ALG setups, 
but, they may not be specific enough to Gentoo......... 
If sufficient examples do not exist, we should share information on this
list, and create a detailed, Gentoo Specific web page for 
iptables howto + ALG howto, as they need to work together
with tight synchronization.

Yet others may suggest shorewall + squid, but, I do not have any
interest in shorewall.  IPfilter/netfilter, is portable (somewhat)
to embedded linux systems and other embedded derivatives,
and that is my ultimate focus. 



hth,
James
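John asked for the Squid configuration behind the quoted policy, and James pointed at the handbook rather than posting one. As an added example that is not James's config or the Gentoo handbook's own, here is a squid.conf ACL fragment expressing those four rules; the LAN range, the banner-pattern file path and the blank-gif URL are assumed placeholders.

```squid
# Constructed example: Squid ACLs for the quoted policy (not the page's own config).
# Assumed LAN range; adjust to your network.
acl localnet src 192.168.1.0/24

# Work hours: Mon-Fri 08:00-17:00 and Sat 08:00-13:00
# (Squid day codes: M T W H F = Mon..Fri, A = Saturday)
acl worktime time MTWHF 08:00-17:00
acl satmorning time A 08:00-13:00

# File types the policy forbids, matched on the URL path, case-insensitive
acl downloads urlpath_regex -i \.(exe|com|arj|zip|asf|avi|mpg|mpeg)$

# Banner URLs: one regex per line in an external file (assumed path)
acl banners url_regex -i "/etc/squid/banner-patterns.txt"

# Only plain HTTP and HTTPS (tunnelled via CONNECT) are proxied at all
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Banner requests get a redirect to a transparent gif instead of the ad
# (assumed URL on the gateway). deny_info keys on the last ACL of the
# matching deny line, so "banners" must close that line.
deny_info http://192.168.1.1/blank.gif banners
http_access deny banners

# Downloads are refused at any hour
http_access deny downloads

# LAN clients may browse only inside the time windows
http_access allow localnet worktime
http_access allow localnet satmorning

# Everything else through the proxy is denied. Traffic that never reaches
# the proxy is the firewall's job: Squid cannot block direct connections.
http_access deny all
```

Squid only sees proxied traffic, so the "all other connections are denied" bullet still needs netfilter rules that drop direct outbound traffic from the LAN and allow only the proxy; extension matching in urlpath_regex is also trivially sidestepped by a renamed file, so treat it as policy for cooperative users, not a security boundary.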

* Re: [gentoo-user]  Re: internet/lan access control
  2005-10-27 12:53 ` [gentoo-user] " James
  2005-10-27 13:38   ` John Jolet
@ 2005-10-27 15:40   ` Michael W. Holdeman
  2005-10-27 15:51     ` James
  1 sibling, 1 reply; 6+ messages in thread
From: Michael W. Holdeman @ 2005-10-27 15:40 UTC
  To: gentoo-user

Thanks James,
Your response is very helpful. I was thinking about squid and fwbuilder to get 
the base up and going. I will read more, as for some reason I was under the 
impression I could use fwbuilder and then add more using raw ipfilters as I 
learned more. I have used DansGuardian and squid in the past for content 
filtering and was happy with the way that worked, so this would just add to 
the knowledge and ops I need for that type of implementation.

Thanks again for your help, I am sure I will have more ?'s as I get into it. 
Today I have to figure out what mssql needs for my kids' homeschool app, as it 
needs a dedicated mssql server, and I was hoping to put the files on my FBSD 
file server and just access them from the win2000/vmware/gentoo desktops.....

(and I'm late getting it setup, my wife is getting cranky about the kids not 
on their work already!!)


Mike



Michael W. Holdeman


________________________________________
Powered by Gentoo Linux www.gentoo.org  |
Kernel 2.6.11-ck8                       |
Win4Lin 5-1-20 netraverse.com           |
Win4LinPro 6.1.1-03 win4lin.com         |
________________________________________|
-- 
gentoo-user@gentoo.org mailing list

* [gentoo-user]  Re: internet/lan access control
  2005-10-27 15:40   ` Michael W. Holdeman
@ 2005-10-27 15:51     ` James
  0 siblings, 0 replies; 6+ messages in thread
From: James @ 2005-10-27 15:51 UTC
  To: gentoo-user

Michael W. Holdeman <lists <at> ptfd.org> writes:


www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12#doc_chap1


> Your response is very helpful. I was thinking about squid and fwbuilder to get 
> the base up and going. I will read more, as for some reason I was under the 
> impression I could use fwbuilder and then add more using raw ipfilters as I 
> learned more. 

Yes let me know how it works out using fwbuilder for a default set
of rules. I think fwbuilder will embed some additional shell code
into the startup script. Keep me posted on how this approach works out.

If you directly edit /etc/init.d/iptables/firewall.sh with vi, 
it will give you a minimal template:
#!/sbin/runscript
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

# Gentoo runscript skeleton: each function body is where your rules go.
depend() {
	# declare what this service needs or provides (e.g. the net interface)
	return 0
}
start() {
	# load the iptables ruleset here
	return 0
}
stop() {
	# flush the ruleset and restore the default policies here
	return 0
}
restart() {
	# normally just stop followed by start
	return 0
}


Also look at these pages for general help:

gentoo-wiki.com/HOWTO_Iptables_for_newbies#Another_iptables_startup_script
www.gentoo.org/doc/en/home-router-howto.xml
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#PREPARATIONS

http://forums.gentoo.org/viewtopic-p-1436652-highlight-iptables+rulesets.html?sid=b777f7a8f3ef392e9cb4d14f0bcccfa1#1436652



> I have used DansGuardian and squid in teh past for content 
> filtering and was happy with the way that worked, so this would just add to 
> the knowledge and ops I need for that type of implementation.

OK, I'll look into DansGuardian. Maybe we should put together a web page
that details a (3) NIC setup: either DHCP or a single static IP
to the net, a DMZ for unrestricted access, an optional web server,
DNS server(s), email server and an internal LAN?

iptables + ALG (DansGuardian + squid) as the foundation, because I'm
sure there are hundreds if not thousands of folks that could use this
guide. Particularly if it were Gentoo specific and had several 
iptables templates to choose from, where the DMZ
and its various services can be provided via outside (ISP) services
or migrated internally via your own Gentoo servers. 

Any interest in sharing your solutions with a wider audience?

> Thanks again for your help, I am sure I will have more ?'s 
> Mike

Yea, I have young kids too, and for now, I rarely let them on the net,
because they are young, and I think math & programming skills should 
come before exploring  via tcp/ip. (does assembler seem harsh?)

However, the day is fast approaching that I will need to build
a monitoring and control system to restrict access to adult materials,
and monitor the activities that are a result of those
puberty based hormones.

Don't hesitate to ask, publicly or privately.

James

-- 
gentoo-user@gentoo.org mailing list