Greetings,
Has anyone here set up a CentOS box to use as a home or business gateway for children through young adults, or otherwise?
I realize this is a generalized question and that iptables and many other things exist that could be implemented.
I'm looking for a way to give the youngster the benefit of the doubt and allow them to "obey God/parents" first, before they have to be totally restricted after having been disobedient.
Specifically, we could do it two ways.
One is, that which is not expressly permitted is denied... and I would prefer not to have to do it that way. It is too easy and may not allow for the child to choose to be obedient to God/parents.
The other seems like it might be better, that which is not expressly denied is permitted... YET
I want to make sure of only a few things if possible...
How can I keep the youngster from using an IM program, and how do I make sure they are not transferring files larger than, say, 100k, i.e. no large music files etc.? Only small pics or homework things etc.
Can one hit a moving IM program protocol port target that recognizes the packets and shut it down?
Also, what packages out there are people using that have time-based restrictions, like until 11pm or other configs?
Thanks
- rh
-- Robert Hanson - Abba Communications Computer & Internet Services www.abbacomm.net
On 10/11/05, Robert roberth@abbacomm.net wrote:
Basic setup:
Assign IPs or a subnet to the young ones.
Set up a web proxy (Squid?).
Set up the perimeter to block the young IPs and limit protocols for the proxy.
Cron jobs to block the proxy and unblock the proxy at the selected times.
Consider DansGuardian (http://dansguardian.org/)
-- Leonard Isham, CISSP Ostendo non ostento.
--- Robert roberth@abbacomm.net wrote:
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Rob,
I thought IM uses a specific port and you would be able to block that port. I know certain ones like mIRC use port 6667, if I am remembering correctly. Anyone can correct me if I am totally wrong.
Steven
"On the side of the software box, in the 'System Requirements' section, it said 'Requires Windows or better'. So I installed Linux."
On Tue, Oct 11, 2005 at 11:07:16AM -0700, Steven Vishoot wrote:
Steven, you are "not exactly correct". Yes, 6667 is usually the port IRC servers use, but not always. I have seen plenty of servers using other ports, including 6668, 6669, 6670, 31337 and even 194.
The same goes for IM software. Not to mention the fact that many simply use HTTP-based protocols, on port 80.
Blocking IMs is not as simple as it may seem.
[]s
- -- Rodrigo Barbosa rodrigob@suespammers.org "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
--- Rodrigo Barbosa rodrigob@suespammers.org wrote:
Rodrigo,
Thank you for correcting me. I knew I was kind of in the neighborhood and knew it was not that simple, since a lot of IM programs use different ports. So it might be a good idea to know what IM program they are using, would you think?
Steven
"On the side of the software box, in the 'System Requirements' section, it said 'Requires Windows or better'. So I installed Linux."
On Tue, Oct 11, 2005 at 11:18:56AM -0700, Steven Vishoot wrote:
Actually, the best way to go is to use one of those netfilter modules that look at the traffic itself to identify what it is about, instead of simply trusting the TCP/UDP port numbers.
There are at least 2 of those that people have been using, the names of which have escaped my mind right now. Blame it on this damn heat wave we are having down here in Brazil these days.
I'm sure someone else on the list can point you to those.
That way, you can block the MSN Protocol, no matter which server or port they are connecting to. Same goes for GAIM, ICQ etc etc.
Of course it is not 100% guaranteed. Nothing is. But if you combine that with port and IP blocking, you can get very close to that.
[]s
- -- Rodrigo Barbosa rodrigob@suespammers.org "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
On Tuesday 11 October 2005 01:18 pm, Steven Vishoot wrote:
My $.02:
#1. Set up a powerful iptables configuration tool like shorewall (my preferred choice) or fwbuilder and use it to limit all *outbound* traffic to a few ports (80, 443).
#2. Let them go about their business.
#3. Go through the syslog messages (/var/log/messages). You will see all the ports they were trying to IM and fileshare out on, and that were blocked.
#4. Think about what you want to allow. If you *only* want to allow web browsing, set up squid, and drop everything outbound that isn't destined for port 3128 on your squid server.
#5. Squid will generate logs of what websites were visited. Check the logs occasionally.
Email me/list if you need help setting up shorewall/squid. You may want to put the restricted PC in a modified DMZ - shorewall has a special configuration to do exactly what you are asking.
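As an added illustration of step #3 (this is not code from the thread), a small Python script that summarises the firewall's REJECT log lines by source host, protocol and destination port. The "Shorewall:loc2net:REJECT:" log prefix and the sample lines are constructed, and the port-to-application hints are only the usual defaults, since, as Rodrigo notes, a client can use any port.

```python
"""Summarise outbound connections rejected by the gateway firewall (step #3
above): group iptables LOG lines from /var/log/messages by source host,
protocol and destination port instead of reading thousands of raw lines."""
import re
from collections import Counter

# Well-known IM/file-sharing ports, used only as a hint in the report
# (a real client may use any port, so the hint is never a verdict).
PORT_HINTS = {5190: "AIM/ICQ", 1863: "MSN", 6667: "IRC", 6881: "BitTorrent"}

# Matches the fields iptables' LOG target writes. The "Shorewall:..." prefix
# in the sample is an assumed log prefix; only SRC/PROTO/DPT are parsed.
FIELDS = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

# Constructed sample log (not real traffic); the last line is unrelated noise.
SAMPLE_LOG = """\
Oct 11 13:05:01 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.6 LEN=48 TTL=127 DF PROTO=TCP SPT=1034 DPT=5190 SYN
Oct 11 13:05:03 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.6 LEN=48 TTL=127 DF PROTO=TCP SPT=1035 DPT=5190 SYN
Oct 11 13:07:44 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=48 TTL=127 DF PROTO=TCP SPT=1040 DPT=1863 SYN
Oct 11 13:09:10 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.51 DST=198.51.100.9 LEN=48 TTL=127 PROTO=UDP SPT=6881 DPT=6881 LEN=28
Oct 11 13:10:00 gw sshd[1234]: Accepted publickey for rh from 192.168.1.2 port 40000 ssh2
"""

def parse_log_line(line):
    """Return (src, proto, dport) for a firewall LOG line, else None."""
    if "kernel:" not in line:
        return None
    m = FIELDS.search(line)
    if not m:  # e.g. ICMP entries carry no DPT= field
        return None
    return m.group("src"), m.group("proto"), int(m.group("dpt"))

def summarize(lines):
    """Count rejected connection attempts per (src, proto, dport)."""
    counts = Counter()
    for line in lines:
        key = parse_log_line(line)
        if key:
            counts[key] += 1
    return counts

def report(counts):
    """Render the summary, busiest entries first, with a port hint per row."""
    rows = []
    for (src, proto, dpt), n in counts.most_common():
        hint = PORT_HINTS.get(dpt, "unknown")
        rows.append(f"{src:<15} {proto:<4} dport {dpt:<5} {n:>3} attempts ({hint})")
    return rows
```

On the gateway, feed the real file instead of the sample: `report(summarize(open("/var/log/messages")))`.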
On Tue, 2005-10-11 at 13:04, Robert wrote:
You need to look at using a proxy server setup. In a basic setup you would have a firewall which would only accept connections from the proxy server. The proxy server can then be configured to allow only certain protocols and/or access to specific sites. Clients would be configured to use the proxy. Without the proxy being set up, that client would only have access to the local LAN. Check out squid to use for the proxy. You can use just about any firewall as long as it allows you to restrict access to all but the proxy server.
You can use cron to enable/disable access at specific times.
On Tue, 2005-10-11 at 12:04, Robert wrote:
You might want to ask this on the k12osn mailing list (which covers the k12ltsp distribution, made up of Fedora or CentOS plus some other packages for booting thin clients and educational programs). I think they use a combination of squidguard and dansguardian, with updates including someone's idea of appropriate filters.
Anyway, you'll find people working on this issue there.