Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?


Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

Jorge Biquez-2
Hello all.

I am sorry if this is kind OFF Topic. I am looking for help from more
experienced people in these areas. Please let me know if this
question should be moved to FREEBSD-CHAT list.

As I have mentioned before, I am helping a school, a non-profit, with
their IT issues. As always there are some "experts" that control
everything and do not let you change anything because it is their
kingdom. Anyway, there we have Internet service from a cable company
and they have some Cisco routers to receive the access and from there
some Cisco switches.
In the classrooms we have very old PCs running XP. In some of my
classes I am using FreeBSD and Ubuntu running on a USB. So each
student has one USB and they work that way, booting from their 4GB
USB stick (it is slow but it has worked until now).

One of the managers asked me for help to block some web sites where
some students in the other lab and people that help there waste
bandwidth seeing videos, movies (youtube, cuevana, serieid, etc.) and
spend a lot of time on Facebook also. Our bandwidth is only 4Mb and you
understand that with a few that are seeing movies and videos the rest
of us cannot work at all. Thing is that the "other manager" (you know
how those things are sometimes) does not want us to do that since his
"guru" and expert is the one that controls all the network. So the
best we could get until now is that we can do "all we can" without
touching the Cisco routers, and until now no administrative password
to change anything on the PCs (that could change once we prove that
we can have the solution and show it to the board of people that runs
the place).

The Internet provider gives the DNS servers to use and one of the
routers gives the DHCP service.

The first thing I thought of was to change the DNS servers and use the one
from my small office (running FreeBSD 7.3) using Bind there and
simply block there, pointing the sites to nothing in the Apache
configuration. It does not work. Once the DNS values are changed the PC
does not resolve anything. It was a quick test but that does not
work. Not sure if the Internet provider is blocking in some way so that we
cannot use any DNS server but theirs.

Another solution I was thinking of while coming home was to convert one
machine there to a FreeBSD server and use it as a router (if they let
me) so that way I can control from there and do filtering. The issue is
that maybe they will not let me do that, but only connect the server as an
extra machine without replacing the main router, so in that case I would
have 2 DHCP servers doing the same service in the same LAN and there could
be conflicts, I guess.

Another solution a friend suggested was to buy one small router (with
my own money for sure) and let that small router receive the Internet
(RJ45) and from that, with the small 4-port switch included, provide
the Internet to the switches to feed the labs, library and
administrative offices. I have never used one of those and I am short
on money so I would like to explore other alternatives first if possible.

Finally, another solution would be to install on each PC a kind of
Nanny software, but only if free, otherwise it is not a solution (I do
not know of any yet but will be searching in the following hours).

I know all can be solved if the "guru-expert" guy would let me have
passwords for the PCs, router, etc. but that won't be an option since
they think we would try to take control of those services (we do
not want that), so the bureaucracy could be a problem there. He has
told them that blocking is not possible (they have been working that
way for years).

So, in this kind of scheme, do you think FreeBSD (even Linux) could
be of help if we do not have access to routers, switches and cannot
install new software on the PCs (the ones running XP)?

Any comments you have that could help me to solve this challenge?

Thanks in advance for your time and comments.

Jorge Biquez

_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[hidden email]"

Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

Mark Felder-4
I've been in this position before. Transparent proxy running Squid and  
Dansguardian will solve most of your problems. And having a local cache  
will help fix your low bandwidth issue. Your skill level and networking  
knowledge will determine how achievable this is, but it's a great solution  
when you have it in place.

Good luck!

Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

Robert Huff
In reply to this post by Jorge Biquez-2

Jorge Biquez writes:

>  Any comments you have that could help me to solve this challenge?

        Yes.
        You do not have a technical problem.
        You have a management problem.
        Fix that, and the technical issues will be (comparatively)
trivial.


                                        Robert Huff


Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

Jorge Biquez-2
Hello.

Yes I know and we will do our best to solve it... but if that does not
work, then I still will try to solve it technically in some way if possible.

Jorge Biquez

At 10:42 p.m. 09/04/2012, Robert Huff wrote:

>Jorge Biquez writes:
>
> >  Any comments you have that could help me to solve this challenge?
>
>         Yes.
>         You do not have a technical problem.
>         You have a management problem.
>         Fix that, and the technical issues will be (comparatively)
>trivial.
>
>
>                                         Robert Huff


Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

Da Rock-3
On 04/10/12 13:46, Jorge Biquez wrote:
> Hello.
>
> Yes I know and we will do our best to solve it... but if that does not
> work, then I still will try to solve it technically in some way if
> possible.

For the interim (and as a POC), set up squid and dans guardian and point
the browsers to proxy using that machine. Prove your point and then
explain that this can be done transparently if you had some control of
the routers.

All that is necessary for transparent proxy is to reroute port 80
traffic from the network to the squid server then.

HTH

>
> Jorge Biquez
>
> At 10:42 p.m. 09/04/2012, Robert Huff wrote:
>
>> Jorge Biquez writes:
>>
>> >  Any comments you have that could help me to solve this challenge?
>>
>>         Yes.
>>         You do not have a technical problem.
>>         You have a management problem.
>>         Fix that, and the technical issues will be (comparatively)
>> trivial.
>>
>>
>>                                         Robert Huff

Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

Joshua Isom-2
In reply to this post by Jorge Biquez-2
On 4/9/2012 10:27 PM, Jorge Biquez wrote:
>
> As always there are some "experts" that controls everything
> and do not let you change anything because is their kingdom.

What do they control?  The network infrastructure?

> One of the managers asked me for help to block some web sites were some
> students in the other lab and people that helps there waste bandwidth
> seeing videos, movies (youtube, cuevana, serieid, etc) and spend lot of
> time on facebook also.

This is a network issue.  You can try to detect a client using too much
bandwidth for a period of time, and then throttle them.  Dropping TCP
packets will force throttling.  Blocking websites is more effective at a
firewall than a desktop.

> with a few that are seeing movies and videos the rest of us can not work
> at all. Thing is that "other manager" (you know how those things are
> sometimes) do not want us to do that since his "guru" and expert is the
> one that controls all the Network. So the best we could get until now is
> that we can do "all we can" without touching the Cisco routers and until
> now not administrative password for change anything on the PCs (that
> could change one we prove that we can have the solution and show it to
> the board of people that runs the place).

They're asking you to fix a network problem but refuse to give you
control of the network.  Ask the administrators what happens if all the
software you've installed is bypassed by someone bringing in a laptop,
or you switch to WiFi and everyone's on a cell phone you don't control.
Deal with the problem at the network.

> The Internet provider gives the DNS servers to use and one of the
> routers gives the DHCP service.
>
> First thing I thought was to change the DNS servers and use the one from
> my small office (running Freebsd 7.3) using Bind there and simply block
> there pointing the sites to nothing in the Apache configuration. It does
> not work. Once changed the DNS values the PC does not resolve anything.
> It was a quick test but that does not work. Not sure if Internet
> provider is blocking in some way that we can not use other DNS server
> but theirs.

Google is 8.8.8.8 and 8.8.4.4, easy enough to remember, and circumvent.

> Other solution I was thinking while coming home was to convert one
> machine there to a freebsd server and use it as a router (if they let
> me) so that way I can control from there and do filtering. Issue is that
> maybe they do not let me but connect the server as an extra machine
> without replacing the main router so in that case I would have 2 DHCP
> servers doing the same service in the same lan and could be conflicts I
> guess.

That's affecting the network and causing a mess for no good reason.

> Another solution a friend suggested was to buy one small router (from my
> money for sure) and let that small router to receive the internet (RJ45)
> and from that with the small 4 port switch included to provide the
> internet to the switches to feed the labs , library and administrative
> offices. I have never use one of those and I am short on money so I
> would like to explore other alternatives before if possible.

Adding a router won't help for the real problem.

> Finally another solution would be to install in each PC a kind of Nanny
> software but only if free, otherwise is not a solution (I do not know of
> any yet but will do searching the following hours).

And then you have to trust the software.  Some software will ban health
information, such as breast cancer, but because of so many porn websites
created so fast they can still allow porn.  In any case, it's just a
firewall.

> I know all can be solved if the "guru-expert" guy would let me have
> passwords from PC's, router, etc but that won't be an option since they
> think we would try to take the control of those services (we do not want
> that) so the bureaucracy could be a problem there. He have told them that
> to block is not possible (they have been working that way for years).

The block is possible, but it's a network issue, the other guy.  Either
he does it, or you take over the network.  The more centralized and
built into the network it is, the more effective it is.

> So, in this kind of schema. Do you think FreeBSD (even linux) could be
> of help if we do not have access to routers, switches and can not
> install new software on the PCs( the ones running XP)?

No.  You lack the network control to control students' computer use.

> Any comments you have that could help me to solve this challenge?
>
> Thanks in advance for your time and comments.
>
> Jorge Biquez

Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

Robert Bonomi
In reply to this post by Jorge Biquez-2

Jorge Biquez <[hidden email]> wrote:

>
> Hello all.
>
> One of the managers asked me for help to block some web sites were
> some students in the other lab and people that helps there waste
> bandwidth seeing videos, movies (youtube, cuevana, serieid, etc) and
> spend lot of time on facebook also. Our bandwidth is only 4Mb and you
> understand that with a few that are seeing movies and videos the rest
> of us can not work at all. Thing is that "other manager" (you know
> how those things are sometimes) do not want us to do that since his
> "guru" and expert is the one that controls all the Network. So the
> best we could get until now is that we can do "all we can" without
> touching the Cisco routers and until now not administrative password
> for change anything on the PCs (that could change one we prove that
> we can have the solution and show it to the board of people that runs
> the place).

[.. sneck ]]

> So, in this kind of schema. Do you think FreeBSD (even linux) could
> be of help if we do not have access to routers, switches and can not
> install new software on the PCs( the ones running XP)?
>
> Any comments you have that could help me to solve this challenge?

This is doable -if- you can insert a, say FreeBSD, box in the network
-between- the labs and the outside world, where all the traffic can
be forced to go -through- that box.  It would basically function as a
two-port router.   This would probably require 'minor' configuration
changes on the boxes on each side of the box you are adding (tweaking
the 'routing' stuff, because there will be a new device/IP-address
involved).

IF you can get a box in that position, then 'ipfw', or 'pf', the 'firewall'
utilities, will allow you to block traffic to/from selected netblocks.

It will be somewhat 'maintenance' intensive, keeping the address-block
list up to date -- as users find 'new and different' sources for the
'banned' content.

Somewhat *more* effective would be a tool that monitors 'who' each
PC in the lab is connected to, -and- an indication of traffic levels
for that PC.   This can be accomplished by a box sitting somewhere that
it can 'see' all the LAN traffic -- does -not- have to be inserted
in-line like the 'filtering' box does.   Something like 'tcpdump' to
capture LAN traffic, piped into a (probably custom) analyzer that tracks
source/dest IP addresses, packet 'data' size, and relevant data 'flags'
(syn/fin mostly) can tell the lab supervisor which user they need to
'speak firmly' to.  This -is- a 'people' problem, not a technology
issue -- therefore, make the solution a *people*-based one.
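
A small version of the tcpdump-fed analyzer described in the message above, as an added example that is not part of the original post: it reads `tcpdump -nn -tt` text on stdin and reports, per LAN host, bytes received, connections opened (bare SYNs) and the heaviest remote peer. The `10.0.10.` prefix, the function names and the sample capture lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-host traffic summary from tcpdump text output.
# Live use (interface name is an assumption):
#   tcpdump -nn -tt -i em0 tcp | lan_talkers 10.0.10.

lan_talkers() {
    # $1 = textual prefix of the LAN addresses, e.g. "10.0.10."
    awk -v lan="$1" '
    # Strip the trailing ".port" (and the ":" after the destination).
    function host(f) { sub(/:$/, "", f); sub(/\.[0-9]+$/, "", f); return f }
    $2 == "IP" && $4 == ">" {
        src = host($3); dst = host($5)
        len = 0; flags = ""
        for (i = 6; i < NF; i++) {
            if ($i == "Flags")  flags = $(i + 1)
            if ($i == "length") len = $(i + 1) + 0
        }
        # A bare SYN from a LAN host is a new outbound connection
        # (SYN-ACK prints as "[S.]," and is not counted).
        if (index(src, lan) == 1 && flags == "[S],") {
            syn[src]++; seen[src] = 1
        }
        # Payload arriving at a LAN host counts as download volume.
        if (index(dst, lan) == 1) {
            down[dst] += len; seen[dst] = 1
            peer[dst SUBSEP src] += len
            if (peer[dst SUBSEP src] > best[dst]) {
                best[dst] = peer[dst SUBSEP src]; top[dst] = src
            }
        }
    }
    END {
        # Columns: host, bytes received, SYNs sent, heaviest remote peer
        for (h in seen)
            printf "%s %d %d %s\n", h, down[h], syn[h], ((h in top) ? top[h] : "-")
    }' | sort -k2,2nr -k1,1
}

# Constructed sample capture (documentation address ranges for the remote side).
sample_capture() {
    cat <<'EOF'
1334030001.000100 IP 10.0.10.21.51234 > 203.0.113.10.80: Flags [S], seq 1000, win 65535, length 0
1334030001.020100 IP 203.0.113.10.80 > 10.0.10.21.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
1334030001.040100 IP 203.0.113.10.80 > 10.0.10.21.51234: Flags [.], seq 1:1449, ack 200, win 65535, length 1448
1334030001.040300 IP 203.0.113.10.80 > 10.0.10.21.51234: Flags [.], seq 1449:2897, ack 200, win 65535, length 1448
1334030002.000100 IP 10.0.10.22.40000 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
1334030002.030100 IP 198.51.100.7.80 > 10.0.10.22.40000: Flags [P.], seq 1:301, ack 90, win 65535, length 300
1334030003.000100 IP 10.0.10.21.51240 > 198.51.100.7.80: Flags [S], seq 5, win 65535, length 0
1334030003.030100 IP 198.51.100.7.80 > 10.0.10.21.51240: Flags [P.], seq 1:101, ack 60, win 65535, length 100
EOF
}

sample_capture | lan_talkers 10.0.10.
```

The output is sorted by bytes received, so the first line is the host the lab supervisor would look at first.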


Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

Mark Felder-4
In reply to this post by Da Rock-3
On Mon, 09 Apr 2012 23:21:58 -0500, Da Rock  
<[hidden email]> wrote
>
> For the interim (and as a POC), set up squid and dans guardian and point
> the browsers to proxy using that machine. Prove your point and then  
> explain that this can be done transparently if you had some control of  
> the routers.
>

He could just do a MITM on the default gateway via ettercap. Not very  
ethical, but it would certainly work ^_^

Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

Erich Dollansky-2
In reply to this post by Jorge Biquez-2
Hi,

On Tuesday 10 April 2012 10:27:24 Jorge Biquez wrote:
>
> As I have mentioned before I am helping a school , non profit with

non profit --> no cost?

> One of the managers asked me for help to block some web sites were

Have you checked hosts?

A rough but easy way.

Erich

Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

Eduardo Morras
In reply to this post by Jorge Biquez-2
At 05:27 10/04/2012, you wrote:
>Hello all.
>
>
>Thanks in advance for your time and comments.

Perhaps this app may help you:

http://sourceforge.net/projects/teachercp/

There are commercial apps too that do the same and more.

HTH

>Jorge Biquez



RE: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

Terrence Koeman-2
In reply to this post by Jorge Biquez-2
On Tue, 10 Apr 2012 at 05:27:24, Jorge Biquez wrote:

> Hello all.
>
> I am sorry if this is kind OFF Topic. I am looking for help from more
> experienced people in these areas. Please let me know if this
> question should be moved to FREEBSD-CHAT list.
>
> As I have mentioned before I am helping a school , non profit with
> their IT issues. As always there are some "experts" that controls
> everything and do not let you change anything because is their
> kingdom. Anyway, there we have Internet service  from a cable company
> and they have some cisco routers to receive the access and from there
> some Cisco Switches.
> In the classrooms we have very old PCs running XP. In some of my
> classes I am using Freebsd and Ubuntu running on a USB. So each
> student have one USB and they work that way booting from their 4GB
> USB stick. (it is slow but it has worked until now).
>
> One of the managers asked me for help to block some web sites were
> some students in the other lab and people that helps there waste
> bandwidth seeing videos, movies (youtube, cuevana, serieid, etc) and
> spend lot of time on facebook also. Our bandwidth is only 4Mb and you
> understand that with a few that are seeing movies and videos the rest
> of us can not work at all. Thing is that "other manager" (you know
> how those things are sometimes) do not want us to do that since his
> "guru" and expert is the one that controls all the Network. So the
> best we could get until now is that we can do "all we can" without
> touching the Cisco routers and until now not administrative password
> for change anything on the PCs (that could change one we prove that
> we can have the solution and show it to the board of people that runs
> the place).
>
> The Internet provider gives the DNS servers to use and one of the
> routers gives the DHCP service.
>
> First thing I thought was to change the DNS servers and use the one
> from my small office (running Freebsd 7.3) using Bind there and
> simply block there pointing the sites to nothing in the Apache
> configuration. It does not work. Once changed the DNS values the PC
> does not resolve anything. It was a quick test but that does not
> work. Not sure if Internet provider is blocking in some way that we
> can not use other DNS server but theirs.
>
> Other solution I was thinking while coming home was to convert one
> machine there to a freebsd server and use it as a router (if they let
> me) so that way I can control from there and do filtering. Issue is
> that maybe they do not let me but connect the server as an extra
> machine without replacing the main router so in that case I would
> have 2 DHCP servers doing the same service in the same lan and could
> be conflicts I guess.
>
> Another solution a friend suggested was to buy one small router (from my
> money for sure) and let that small router to receive the internet (RJ45)
> and from that with the small 4 port switch included to provide the
> internet to the switches to feed the labs , library and administrative
> offices. I have never use one of those and I am short on money so I
> would like to explore other alternatives before if possible.
>
> Finally another solution would be to install in each PC a kind of
> Nanny software but only if free, otherwise is not a solution (I do
> not know of any yet but will do searching the following hours).
>
> I know all can be solved if the "guru-expert" guy would let me have
> passwords from PC's, router, etc but that won't be an option since
> they think we would try to take the control of those services (we do
> not want that) so the bureaucracy could be a problem there. He have
> told them that to block is not possible (they have been working that
> way for years).
>
> So, in this kind of schema. Do you think FreeBSD (even linux) could
> be of help if we do not have access to routers, switches and can not
> install new software on the PCs( the ones running XP)?
>
> Any comments you have that could help me to solve this challenge?

You could ask the "guru-expert" guy to implement traffic shaping like
weighted fair queuing and prioritizing SYNs etc. That way people can watch
all the videos they want without it affecting the work of others.

You can also implement it yourself transparently with a FreeBSD box with two
adapters bridged and something like ipfw+dummynet, you'd just need to insert
it somewhere in the route (before any masquerading is performed though).

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.


Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

Joe-2
In reply to this post by Jorge Biquez-2
Jorge Biquez wrote:

> Hello all.
>
>snip
> In the classrooms we have very old PCs running XP. In some of my classes
> I am using Freebsd and Ubuntu running on a USB. So each student have one
> USB and they work that way booting from their 4GB USB stick. (it is slow
> but it has worked until now).
>
> One of the managers asked me for help to block some web sites were some
> students in the other lab and people that helps there waste bandwidth
> seeing videos, movies (youtube, cuevana, serieid, etc) and spend lot of
> time on facebook also. Our bandwidth is only 4Mb and you understand that
> with a few that are seeing movies and videos the rest of us can not work
> at all.
>
> snip
>
> Other solution I was thinking while coming home was to convert one
> machine there to a freebsd server and use it as a router (if they let
> me) so that way I can control from there and do filtering. Issue is that
> maybe they do not let me but connect the server as an extra machine
> without replacing the main router so in that case I would have 2 DHCP
> servers doing the same service in the same lan and could be conflicts I
> guess.

This method is very common. You have 2 methods here. Both methods will
give you a central location to control both Windows and FreeBSD PCs on
the local LAN as to what IP addresses they can access.

Replace the main router with your FreeBSD gateway box or just cable your
main router to the FreeBSD gateway box running ipfilter or pf firewall
and dhcp. Then from the second NIC on the FreeBSD gateway box to your
existing switch. Configure dhcp on the FreeBSD gateway box to issue IP
addresses in the 10.0.10.0 range and specify the IP addresses of the DNS
servers of the ISP. Enable the NAT (network address translation) function of
the firewall.

If you replace the main router with the FreeBSD gateway box, then the
FreeBSD gateway box will get the public routable IP address assigned by
the ISP. If you place the FreeBSD gateway box downstream of the main
router then it will get a 192.168.x.x IP address from the main router.
This is OK and will work fine.

You did not say, but some ISP modems have built-in routers; if that is
what you are calling the main router then you cannot replace it. Your
FreeBSD gateway box has to be downstream in this case.

Here is a good resource for you to review "Freebsd Install Guide" at
  www.a1poweruser.com

>
> snip
>
> Finally another solution would be to install in each PC a kind of Nanny
> software but only if free, otherwise is not a solution (I do not know of
> any yet but will do searching the following hours).
>
>snip
>
>

On each Freebsd pc blocking selected ip addresses can be done using the
"routed blackhole" command.

Example:

To Add use      route add -host attacker_ip 127.0.0.1 -blackhole

To Delete use   route delete -host attacker_ip 127.0.0.1 -blackhole

To List use     netstat -nr|grep 127

This is executed in the IP stack and is faster than in the firewall when
you have over 20 of those special "deny this IP address" rules in the
firewall. In your case the "attacker_ip" is found by using the "dig"
command, "dig www.facebook.com" returns the ip address of 69.171.228.40

You can create a script (route_blackholed_ip.sh) containing route
commands for all the IP addresses that you want to block and save it to
/usr/local/etc/rc.d/ so it will be run at boot time from the USB thumb
drives your students use to boot FreeBSD from.
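
One way such a script could be built, as an added example that is not the poster's own script: it turns `dig +short` output for a list of names into the `route ... -blackhole` commands shown above, skipping CNAME lines, duplicates, malformed addresses and loopback answers. The site list, function names, the `start`/`stop`/`show` arguments and the sample resolver output are assumptions made for illustration; only 69.171.228.40 comes from the message.

```shell
#!/bin/sh
# Added example: generate blackhole routes from resolver output.
# Names resolve to several addresses that change over time, so the
# list has to be regenerated regularly rather than typed in once.

BLOCKED_SITES="www.facebook.com www.youtube.com"   # constructed list

# Read `dig +short` style lines on stdin and print one route command per
# unique, well-formed IPv4 address. $1 is "add" (default) or "delete".
blackhole_cmds() {
    action=${1:-add}
    awk -v action="$action" '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        ok = 1
        split($0, o, /\./)
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
        # Skip loopback and 0.x answers (e.g. from a DNS sinkhole):
        # blackholing those would only damage the local host.
        if (o[1] + 0 == 127 || o[1] + 0 == 0) ok = 0
        if (ok && !($0 in emitted)) {
            emitted[$0] = 1
            printf "route %s -host %s 127.0.0.1 -blackhole\n", action, $0
        }
    }'
}

# Resolve every configured name (needs dig and a working resolver).
resolve_sites() {
    for site in $BLOCKED_SITES; do
        dig +short A "$site"
    done
}

# Constructed resolver output: a CNAME line, a duplicate, a loopback
# answer and an out-of-range value, to exercise the filtering.
sample_dig_output() {
    cat <<'EOF'
star.c10r.facebook.com.
69.171.228.40
203.0.113.25
69.171.228.40
127.0.0.1
999.1.1.1
EOF
}

case "${1:-}" in
    start) resolve_sites | blackhole_cmds add    | sh ;;   # install routes (root)
    stop)  resolve_sites | blackhole_cmds delete | sh ;;   # remove them again
    show)  resolve_sites | blackhole_cmds add ;;           # dry run, print only
esac
```

Run with `show` first to review the generated commands before letting `start` apply them.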

Re: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

Jerome Herman
In reply to this post by Jorge Biquez-2
On 10/04/2012 05:27, Jorge Biquez wrote:

> Hello all.
>
> I am sorry if this is kind OFF Topic. I am looking for help from more
> experienced people in these areas. Please let me know if this question
> should be moved to FREEBSD-CHAT list.
>
> As I have mentioned before I am helping a school , non profit with
> their IT issues. As always there are some "experts" that controls
> everything and do not let you change anything because is their
> kingdom. Anyway, there we have Internet service  from a cable company
> and they have some cisco routers to receive the access and from there
> some Cisco Switches.

They won't let you do things not because it is their "kingdom", but
because they certainly have a contract with prices for services and
penalties for lack of services. As IT professionals they want to make
their lives simpler and have whoever benefits from a service pay for it.
This is a logical and sane attitude to have. Now if you want to meddle
with the stuff they are legally responsible for you need to prove to them a
few things:
1 - Nothing you do will impact them in terms of workload. You might be
working for free (and it is very noble of you), but they are trying to
earn their living here. So more work for the same price is not an option.
2 - You can be trusted and you have good skills. This starts by
explaining fully what you want to achieve, how you will do it and (most
important point) how fast anything you do can be undone. No matter what
solution you choose it is likely to have side effects, especially since
you have no knowledge of what is installed and how it is set up, except
what you can guess probing here and there without administrative rights.
No matter how simple and innocuous your solution may seem, it might break
the first rule; for example a FreeBSD gateway might prevent patches from
a WSUS server from being applied, it might prevent remote control, it might
prevent alert mails from being sent or received and so on.
3 - You have to write the full documentation of what you are going to
do, give all the administrative passwords of your solution to the
"experts", complete with a good deal of explanation on how to use,
remove or change the system. It is also important that they know they
can remove your own rights on your own solution if need be. The reasons
are that you may not always be available and you may not always be lucid or
on good terms with the school. If a problem arises they have to be able
to take full control back, one way or another.
4 - You will find a way to pay them for your solution. Even if you do
everything yourself, and have enough skill to do it right without them
helping at any point (which is extremely unlikely), the time needed for
the "experts" to review, test, validate and potentially maintain your
solution will have to be paid.   The closer the solution is to what they
already know and have a staff trained for, the lighter the price. But do
not expect them to accept a solution that might bring them trouble but
won't bring them money.

The main problem you might have is that you do not seem to have any
respect for the guys in charge. True, I do not know your history with
them, and they may not deserve respect, but as an IT manager for quite a
lot of companies both large and small I can tell you one thing: We
positively loathe the smart guy with a (most of the time very small) IT
background that springs out of nowhere to bring simple solutions to
complex problems. 99.9 % of the time they end up giving up with the job
half done or they disappear just as suddenly as they appeared, taking all
their knowledge with them. From the director's 13-year-old nephew who can
have the thing running in minutes (or so the director seems to think) to
the junior analyst that will replace a behemoth of ETL processed files
and Excel sheets with a single Access app because he has read the first
three chapters of "VBA for Brain Damaged" last week, we see them coming
from miles away and needless to say there is no warm welcome when
they finally arrive.
The only way to get anywhere is to be humble and then impress the
"experts" with your professional and exhaustive approach to the
problem.  Anything else will lead to the "experts" telling you that to
achieve the result you want you will need to purchase the solution they
know (probably a Checkpoint/Barracuda/Blue Coat/what else appliance) and
then pay monthly for maintenance.

There are literally thousands of solutions to your problem, ranging from
simply installing K9 on every computer to a complex setup with QOS,
LDAP/KERBEROS auth and rights delegation going to a redundant active
proxy with cache and filtering.

Given the small size of the LAN, an old and small computer with two
ethernet cards and PFSense could probably do the trick, but you will
need insight from the guys in charge to be sure.
Dans Guardian can offer content filtering, but will require more RAM and
CPU power.
Cheap commercial appliances will do everything you need and more for
around 2000$, with a lot less hassle to set up than a custom solution
and nice technical support from the vendor. Unfortunately a yearly fee
is to be expected for it to work at full potential.
Cheap routers from a wide range of vendors will do everything you need or
close for around 600$, but the setup will require a lot more knowledge.
Ultra Cheap WRT54GL can do pretty much anything you need for around 60$, but
it can be tedious to set up. Other routers compatible with OpenWRT can
work too (WZR-HP-AG300H being a good candidate, though I never tested it
myself).


