On Thursday 27 October 2005 08:53, James wrote:
> Michael W. Holdeman <lists <at> ptfd.org> writes:
> > I have a home and office LAN using comcast broadband cable for access. My
> > office and laptop is Linux, the kids' home computers for homeschooling are
> > running xp-home. I want to switch the home machines to linux desktops and
> > use vmware for running their homeschooling software.
> > Problem is I like the comcast security manager system, it regulates the
> > kids' access and is very easy (gui) to manage. It is however being
> > replaced by mcafee's system. It is not nearly as good.
> > Does anyone know of a system I can use in Linux on say a firewall,
> > or gateway machine (gw is now a linksys wireless router) that is easy
> > to work with and maintain that will regulate specific users' internet
> > access time etc...
>
> Well, there are lots of ways to 'skin the cat' here.
>
> Here's a good overview of some of the tools that you could use:
> http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12#doc_chap1
> The section on Squid would apply particularly to you.
>
> <snip>
> In this case, my policy states:
> * Surfing (HTTP/HTTPS) is allowed during work hours (mon-fri 8-17 and
>   sat 8-13), but if employees are here late they should work, not surf
> * Downloading files is not allowed (.exe, .com, .arj, .zip, .asf, .avi,
>   .mpg, .mpeg, etc)
> * We do not like banners, so they are filtered and replaced with a
>   transparent gif (this is where you get creative!).
> * All other connections to and from the Internet are denied.
> <snip>
>
> You'll most likely need a good firewall and an Application Level Gateway
> (ALG) to get robust control of your networks.
>
> On the firewall side of things, I have taken the 'painful' but superior
> route of learning/testing/reading/testing/reading_some_more/testing.....
> to use raw ipfilter/netfilter to achieve fine-grained control of networks.
>
> Others will recommend you use a 'canned firewall' technology, such as
> shorewall, fwbuilder (etc) along with various packages that create
> your ALG.
>
> Learning raw ipfilter/netfilter is a very time consuming process, but
> well worth the effort, in my experience. With the help of this list,
> you can achieve robust control over your networks, but it
> does take time. The good thing about investing the time in a linux
> setting is once you have a network management system in place, it's
> very straightforward to maintain, you do not have to spend money
> or waste time on vendors, and you learn how to *TEST* what you have
> to verify it works properly. Using a vendor makes you subjectively
> vulnerable to the vendor's financial goals and technical limitations.
> You'll not likely be able to afford a company that has 1/10th the
> security expertise that this list offers for free.
>
> Regardless of the path you choose, you have to test, modify and test
> your network again, with a variety of tools, to ensure robust content
> control and sufficient security.
>
> I'll assume you want the easy, minimal_pain route to controlling your
> networks, so I'll let the others pitch easy solutions that allow
> use of software packages such as shorewall + squid etc.
>
> If you want some more links to read about raw ipfilters, just let me know.

Thanks James, your response is very helpful. I was thinking about squid and fwbuilder to get the base up and going. I will read more, as for some reason I was under the impression I could use fwbuilder and then add more using raw ipfilters as I learned more. I have used DansGuardian and squid in the past for content filtering and was happy with the way that worked, so this would just add to the knowledge and ops I need for that type of implementation.

Thanks again for your help, I am sure I will have more ?'s as I get into it. Today I have to figure out what mssql needs for my kids' homeschool app, as it needs a dedicated mssql server, and I was hoping to put the files on my FBSD file server and just access from the win2000/vmware/gentoo desktops..... (and I'm late getting it set up, my wife is getting cranky about the kids not on their work already!!)

Mike

Michael W. Holdeman
________________________________________
Powered by Gentoo Linux www.gentoo.org | Kernel 2.6.11-ck8 | Win4Lin 5-1-20 netraverse.com | Win4LinPro 6.1.1-03 win4lin.com |
________________________________________|
--
gentoo-user@gentoo.org mailing list
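The policy James quotes (time-limited surfing, blocked download extensions, banners swapped for a transparent gif, everything else denied) written out as Squid ACL rules, as an added example that is neither from this thread nor from the Gentoo handbook it cites. The LAN range 192.168.1.0/24, the gateway address 192.168.1.1 and the banner domain list file are assumed placeholders.

```squid
# Added example: the quoted surfing policy expressed as Squid ACLs.
# Assumed: the home LAN is 192.168.1.0/24 and the gateway (192.168.1.1)
# serves the transparent gif; banner-domains.txt is a constructed list.

acl home_lan src 192.168.1.0/24

# Allowed surfing windows (Squid day codes: D = Mon-Fri, A = Saturday)
acl weekday_hours time D 08:00-17:00
acl saturday_hours time A 08:00-13:00

# Only plain web ports, and CONNECT tunnels only to 443 for HTTPS
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Download types from the policy, matched on the URL path only,
# so a trailing query string does not let a file slip through
acl blocked_ext urlpath_regex -i \.(exe|com|arj|zip|asf|avi|mpg|mpeg)$

# Banner hosts, one domain per line; matching requests are redirected
# to the transparent gif instead of a Squid error page
acl banners dstdomain "/etc/squid/banner-domains.txt"
deny_info http://192.168.1.1/transparent.gif banners

# Order matters: the first matching http_access line wins
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked_ext
http_access deny banners
http_access allow home_lan weekday_hours
http_access allow home_lan saturday_hours
http_access deny all
```

Two things this file cannot do on its own: inside an HTTPS CONNECT tunnel Squid sees only the hostname, so blocked_ext applies to plain HTTP, and "all other connections denied" still needs netfilter rules on the gateway that drop LAN traffic not going through the proxy.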