Linux Archive (http://www.linux-archive.org/)
-   Debian User (http://www.linux-archive.org/debian-user/)
-   -   Internet filtering (http://www.linux-archive.org/debian-user/404500-internet-filtering.html)

vr 07-26-2010 11:38 PM

Internet filtering
 
What is a good utility to block outbound traffic on the home network?
Ideally it will not need to be set in a browser's proxy setting to be
effective.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/5322171bdcbcc94e32c46a97e560361e@192.168.0.66

Ron Johnson 07-27-2010 12:21 AM

Internet filtering
 
On 07/26/2010 06:38 PM, vr wrote:
> What is a good utility to block outbound traffic on the home network?
> Ideally it will not need to be set in a browser's proxy setting to be
> effective.


Your firewalling router?

Please be more specific in your needs.

--
Seek truth from facts.


Archive: http://lists.debian.org/4C4E269F.2090408@cox.net

"H.S." 07-27-2010 12:26 AM

Internet filtering
 
On 26/07/10 07:38 PM, vr wrote:
> What is a good utility to block outbound traffic on the home network?
> Ideally it will not need to be set in a browser's proxy setting to be
> effective.


You need to describe your network and the desired control to get some
relevant answers. Without knowing these details, the generic answer is
to use a firewall on your internet gateway.



--

Please reply to this list only. I read this list on its corresponding
newsgroup on gmane.org. Replies sent to my email address are just
filtered to a folder in my mailbox and get periodically deleted without
ever having been read.


Archive: http://lists.debian.org/i2l93l$84v$1@dough.gmane.org

vr 07-27-2010 12:46 AM

Internet filtering
 
On Mon, 26 Jul 2010 20:26:29 -0400, "H.S." wrote:
> On 26/07/10 07:38 PM, vr wrote:
>> What is a good utility to block outbound traffic on the home network?
>> Ideally it will not need to be set in a browser's proxy setting to be
>> effective.
>>
>>
>
> You need to describe your network and the desired control to get some
> relevant answers. Without knowing these details, the generic answer is
> to use a firewall on your internet gateway.
>
>

The service provider (ATT) provided a four port 2-Wire router that is both
wireless and wired.
It has very few options for firewalling and is required to connect to
their service.

I have uplinked two HP 1800-8G switches to the ISP's device and plugged
in my devices there. The LAN has a Macintosh client, a couple Windows 7
clients and a few Debian clients and a network printer.

I'd like the flexibility to selectively stop outbound protocols up to and
including Instant Messenger file transfers but do so without having to
configure something specific on the client devices. Other than a new router
IP perhaps?

Archive: http://lists.debian.org/b3bffadc951ba8421f8782f1b25657fc@192.168.0.66

"H.S." 07-27-2010 01:09 AM

Internet filtering
 
On 26/07/10 08:46 PM, vr wrote:
> The service provider (ATT) provided a four port 2-Wire router that is both
> wireless and wired.

I am not familiar with ATT. Is your service ADSL or cable?

> It has very few options for firewalling and is required to connect to
> their service.

I think I have used a 2-wire router in the past (it broke down and had
to replace it, don't have it anymore) and IIRC it had a sufficient
firewall control. Yours may be different of course.

> I have uplinked two HP 1800-8G switches to the ISP's device and plugged
> in my devices there. The LAN has a Macintosh client, a couple Windows 7
> clients and a few Debian clients and a network printer.
>
> I'd like the flexibility to selectively stop outbound protocols up to and
> including Instant Messenger file transfers but do so without having to
> configure something specific on the client devices. Other than a new router
> IP perhaps?

If your router does not have the features you desire, then you probably
need to replace it. It may be replaced with a Debian machine working as
a router. This will probably give you the maximum flexibility. I use
this method and am quite satisfied with it. The machine needs to have
two LAN interfaces to work as a router, one for WAN (internet) and the
other for LAN. The other option is to buy a new router that has the
desired features. I would recommend a Linksys or another router that is
supported by DD-WRT, OpenWRT or Tomato open source firmwares. Eventually
it all depends on how much you make your current router do this for you.


Thanks for your LAN details.

Others more experienced can surely give you better advice than I.


Regards.
Archive: http://lists.debian.org/i2lbkp$duk$1@dough.gmane.org

vr 07-27-2010 01:39 AM

Internet filtering
 
On Mon, 26 Jul 2010 21:09:44 -0400, "H.S." wrote:
>
> I am not familiar with ATT. Is your service ADSL or cable?
>

They call it VDSL.

>
> If your router does not have the features you desire, then you probably
> need to replace it. It may be replaced with a Debian machine working as
> a router. This will probably give you the maximum flexibility. I use
> this method and am quite satisfied with it. The machine needs to have
> two LAN interfaces to work as a router, one for WAN (internet) and the
> other for LAN. The other option is to buy a new router that has the
> desired features. I would recommend a Linksys or another router that is
> supported by DDWRT, OpenWRT or Tomato open source firmwares. Eventually
> it all depends on how much you make your current router do this for you.
>

I'm interested in more info about the two network card configuration like
you're running. I have spare parts lying around which could perform that
duty. Can you tell me what software package you are using to control the
traffic across your network cards? Is it GUI based? Can you define which
protocols you want to allow?

Archive: http://lists.debian.org/a53b5b827386b27dc044813d33d573ce@192.168.0.66

"H.S." 07-27-2010 03:12 AM

Internet filtering
 
On 26/07/10 09:39 PM, vr wrote:
> On Mon, 26 Jul 2010 21:09:44 -0400, "H.S." wrote:
>> I am not familiar with ATT. Is your service ADSL or cable?
>
> They call it VDSL.

Sorry, never used it. Do they give a modem for the connection?

> I'm interested in more info about the two network card configuration like
> you're running. I have spare parts lying around which could perform that
> duty. Can you tell me what software package you are using to control the
> traffic across your network cards? Is it GUI based? Can you define which
> protocols you want to allow?


Okay, here goes. But I would still say that for most cases, a router
with an open source firmware might be more than sufficient for most
purposes. The other advantage of such a router, as compared to a
computer working as a router, is its low power consumption since it has
to remain powered on for the traffic to flow. Besides, such routers are
quite robust once configured and quite immune to defects from power
failures and, moreover, there are no hard disks to worry about crashing.


My setup is the following:

                    ;-------.
tel line-->MODEM--->eth0   eth1---->SWITCH
                    |_______.wlan0--> <WLAN>
                     Router m/c


Here MODEM is my ADSL modem and "Router m/c" is my Debian box running as
a router. It has three interfaces, eth0 connects to the modem via an
ethernet cable, eth1 to a switch via a cable and wlan0 provides my
wireless LAN access point (using hostapd with my Dlink card).


I have configured my eth0 as 192.168.0.0/24 network device, eth1 as
192.168.1.0/24 network device and wlan0 as 192.168.5.0/24. They can be
on any three different private subnets.


The software I use for the machine to act as a router is iptables with
ip_forwarding enabled (this makes the machine a gateway router). And
the various rules (for filtering or port forwarding or blocking) are
also done using iptables.


There are many applications that can be used to create the desired
iptables rules. I use my own bash script. I am thinking of playing with
a GUI option when I get some time. I hear Firestarter is a good choice.
There is one called fwbuilder as well. A command line firewall is
shorewall. Most of these tools actually make it easier to generate the
iptables rules that one would otherwise need to create by hand. If you
do a Google search, you can find many choices for this and detailed
how-tos.


Besides this, I also use dnsmasq as a DHCP server on the router machine
and this allows LAN clients to connect as DHCP clients. Very useful
application. Other than this, I also have an OpenVPN server set up so
that my home users can connect to it from outside to have secure and
encrypted traffic. I must mention here that all this can usually also be
done using the usual consumer router devices and an open source firmware
(and sometimes even with their stock firmwares), but with much less pain
than setting up your own internet gateway with a computer with iptables
filtering.


If you have any further questions, feel free to ask.
Regards.


Archive: http://lists.debian.org/i2lirh$tmg$1@dough.gmane.org
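H.S. names the building blocks of the Debian gateway (ip_forwarding plus iptables on a box with eth0 toward the modem and eth1/wlan0 toward the LAN) but not the rules themselves, and vr's original question was about selectively blocking outbound protocols from one central place. The script below is an added example for this thread, not H.S.'s own bash script and not something posted by anyone in it. It assumes his interface names and the 192.168.1.0/24 and 192.168.5.0/24 LAN subnets; the egress block list is an illustration (TCP port 25, so LAN hosts cannot send mail directly past the gateway, a common guard against a compromised client spamming), because the thread does not give ports for the IM file transfers vr mentioned, and those would go into BLOCK_TCP. By default it only prints the iptables commands so the policy can be reviewed; `--apply` as root loads them.

```shell
#!/bin/sh
# Minimal Debian gateway firewall with selective egress blocking.
# Added example for the thread; interface names, subnets and the blocked
# port list below are assumptions, not H.S.'s configuration.
WAN=${WAN:-eth0}                                  # toward the modem
LAN_IFS=${LAN_IFS:-"eth1 wlan0"}                  # wired LAN and WLAN AP
LAN_NETS=${LAN_NETS:-"192.168.1.0/24 192.168.5.0/24"}
# TCP ports LAN clients may not reach on the Internet through this gateway.
# Example value only: 25 (SMTP); add the ports of any protocol to stop.
BLOCK_TCP=${BLOCK_TCP:-"25"}

# gen_rules prints the iptables commands instead of running them, so the
# policy can be read or diffed before it touches the live ruleset.
gen_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -F; iptables -t nat -F"
    # Default deny for traffic to and through the gateway; the gateway's
    # own outbound traffic (dnsmasq upstream lookups, updates) is allowed.
    echo "iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for ifc in $LAN_IFS; do
        # LAN hosts may reach services on the gateway itself: DHCP and DNS
        # (dnsmasq) and SSH for administration.
        echo "iptables -A INPUT -i $ifc -p udp --dport 67 -j ACCEPT"
        echo "iptables -A INPUT -i $ifc -p udp --dport 53 -j ACCEPT"
        echo "iptables -A INPUT -i $ifc -p tcp --dport 22 -j ACCEPT"
        # Egress policy: log and reject the blocked ports first (the log
        # line tells you which client tried), then allow everything else
        # out toward the WAN.
        for port in $BLOCK_TCP; do
            echo "iptables -A FORWARD -i $ifc -o $WAN -p tcp --dport $port -j LOG --log-prefix 'EGRESS-BLOCK: '"
            echo "iptables -A FORWARD -i $ifc -o $WAN -p tcp --dport $port -j REJECT --reject-with tcp-reset"
        done
        echo "iptables -A FORWARD -i $ifc -o $WAN -j ACCEPT"
    done
    # NAT the private subnets behind the WAN address.
    for net in $LAN_NETS; do
        echo "iptables -t nat -A POSTROUTING -s $net -o $WAN -j MASQUERADE"
    done
}

# count_block_rules returns the number of REJECT rules in the generated
# policy: a quick check that every LAN interface got every blocked port.
count_block_rules() {
    gen_rules | grep -c -- '-j REJECT'
}

case "${1:-}" in
    --apply) gen_rules | sh -e ;;   # run as root to load the ruleset
    *)       gen_rules ;;           # default: just print it for review
esac
```

Because the FORWARD policy is DROP and the REJECT rules precede the catch-all ACCEPT, a blocked port stays blocked no matter what proxy settings the clients carry, which is the "nothing to configure on the client" property vr asked for; the LOG rule gives the syslog evidence needed to notice a client that keeps trying.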

Andrei Popescu 07-27-2010 07:19 AM

Internet filtering
 
On Mon, 26 Jul 10, 23:12:48, H.S. wrote:
>
> I have configured my eth0 as 192.168.0.0/24 network device, eth1 as
> 192.168.1.0/24 network device and wlan0 as 192.168.5.0/24. They can
> be on any three different private subnets.

Or use bridge-utils so you have only one interface on the private side.
It makes configuration easier for all services, unless you want to
separate the wireless and wired lan on purpose (security?).

> The software I use for the machine to act as a router is iptables
> with ip_forwarding enabled (this makes the machine a gateway
> router). And the various rules (for filtering or port forwarding or
> blocking) are also done using iptables.
>
> There are many applications that can be used to create the desired
> iptables rules. I use my own bash script. I am thinking of playing
> with a GUI option when I get some time. I hear Firestarter is a good
> choice. There is one called fwbuilder as well. A command line
> firewall is shorewall. Most of these tools actually make it easier
> to generate the iptables rules that one would otherwise need to
> create by hand. If you do a Google search, you can find many choices
> for this and detailed how-tos.

+1 for shorewall, especially if you don't want/need a GUI.

> Besides this, I also use dnsmasq as a dhcp server on the router
> machine and this allows LAN clients to connect as dhcp client. Very

+1 for dnsmasq. Very easy to configure and provides DNS caching and
DHCP in one.

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic

Rob Owens 07-27-2010 09:37 PM

Internet filtering
 
On Mon, Jul 26, 2010 at 09:39:08PM -0400, vr wrote:
> On Mon, 26 Jul 2010 21:09:44 -0400, "H.S." wrote:
> >
> > I am not familiar with ATT. Is your service ADSL or cable?
> >
>
> They call it VDSL.
>
> >
> > If your router does not have the features you desire, then you probably
> > need to replace it. It may be replaced with a Debian machine working as
> > a router. This will probably give you the maximum flexibility. I use
> > this method and am quite satisfied with it. The machine needs to have
> > two LAN interfaces to work as a router, one for WAN (internet) and the
> > other for LAN. The other option is to buy a new router that has the
> > desired features. I would recommend a Linksys or another router that is
> > supported by DDWRT, OpenWRT or Tomato open source firmwares. Eventually
> > it all depends on how much you make your current router do this for you.
> >
>
> I'm interested in more info about the two network card configuration like
> you're running. I have spare parts lying around which could perform that
> duty. Can you tell me what software package you are using to control the
> traffic across your network cards? Is it GUI based? Can you define which
> protocols you want to allow?
>
I have a Debian-based firewall at home. I used fwbuilder to create all
the iptables rules. I like it a lot. It's very flexible.

-Rob

Archive: http://lists.debian.org/20100727213726.GB14074@aurora.owens.net

Michal 07-28-2010 08:25 AM

Internet filtering
 
On 27/07/10 00:38, vr wrote:
> What is a good utility to block outbound traffic on the home network?
> Ideally it will not need to be set in a browser's proxy setting to be
> effective.

Cheap old PC, two NICs, stick OS of choice on, create firewall rules,
install Squid, set it up, use this as your new default gateway, done. I
easily did this with OpenBSD, PF and Squid and it can be done in no
time at all. I never tried it with Debian but you can quite easily do
it with that. You would end up with something similar to:

Modem -> Gateway -> Switch -> Clients

Archive: http://lists.debian.org/4C4FE963.3000803@sharescope.co.uk
