Michael W. Holdeman <lists <at> ptfd.org> writes:
> I have a home and office LAN using comcast broadband cable for access. My > office and laptop is Linus, the kids home computers for homeschooling are > running xp-home. I want to switch the home machines to linux desktops and > use vmware for running their homeschooling software. > Problem is I like the comcast security manager system, It regulates the kids > access and is very easy (gui) to manage. It is however being replaced by > mcafee's system. It is not nearly as good. > Does anyone know of a system I can use in Linux on say a firewall, or gateway machine (gw is now a linksys wireless router) that is easy to work with and maintain that will regulate specific users internet access time etc... Well, there are lot's of ways to 'skin the cat' here. Here's a good overview of some of the tools tools that you could use: http://www.gentoo.org/doc/en/security/ security-handbook.xml?part=1&chap=12#doc_chap1 The section on Squid would apply particularly to you. <snip> In this case, my policy states: * Surfing (HTTP/HTTPS) is allowed during work hours (mon-fri 8-17 and sat 8-13), but if employees are here late they should work, not surf * Downloading files is not allowed (.exe, .com, .arj, .zip, .asf, .avi, .mpg, .mpeg, etc) * We do not like banners, so they are filtered and replaced with a transparent gif (this is where you get creative!). * All other connections to and from the Internet are denied. <snip> You'll most likely need a good firewall and an Aplication Level Gateway (ALG) to get roboust control of your networks. On the firewall side of things, I have taken the 'painful' but superior route to learning/testing/reading/test/reading_some_more/testing..... to use raw ipfilter/netfilter to achieve fine grain control of networks. Others will recommend you use a 'canned firewall' technology, such as shorewall, fwbuilder (etc) along with various packages that create your ALG. Learning raw ipfilter/netfilter is a very time consuming process, but, well worth the effort, in my experience. With the help of this list, you can achieve robust control over your networks, but, it does take time. The good thing about investing the time in a linux setting, is once you have a network management system in place, it's very straight forward to maintain, you do not have to spend money or waste time on vendors, and you learn how to *TEST* what you have to verify it works properly. Using a vendor, makes you subjectively vulnerable to the vendor's financial goals and technical limitations. You'll not likely be able to afford a company that has 1/10th the security expertise, that this list offers for free. Regardless of the path you choose, you have to test, modify and test your network again, with a variety of tools, to ensure robust content control and sufficient security. I'll assume you want the easy, minimal_pain route to controlling your networks, so I'll let the others pitch easy solutions, that allow use of software package such as shorewall + squid etc. If you want some more links to read about raw ipfilters, just let me know. HTH, James -- gentoo-user@gentoo.org mailing list
