I have a location using a CentOS 5 server that's multihomed running Asterisk and iptables for internal web access.
Recently some sales people got busted surfing some explicit content so the owner wants something in there to block this.
I had heard of Dans Guardian and am reading about what's involved here but just wanted an opinion on what's the best solution for this. NTLM silent auth would be an asset, but the lan is simple and the owner doesn't need granular control if it would be complicated.
What are you guys using with good results?
Thanks? jlc
Joseph L. Casale wrote:
I have a location using a CentOS 5 server that's multihomed running Asterisk and iptables for internal web access.
Recently some sales people got busted surfing some explicit content so the owner wants something in there to block this.
I had heard of Dans Guardian and am reading about what's involved here but just wanted an opinion on what's the best solution for this. NTLM silent auth would be an asset, but the lan is simple and the owner doesn't need granular control if it would be complicated.
What are you guys using with good results?
Thanks? jlc
Squid with some blacklists (I usually use ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz) and NTLM authentication. That works fine.
On Fri, Dec 5, 2008 at 1:54 PM, Joseph L. Casale JCasale@activenetwerx.com wrote:
I have a location using a CentOS 5 server that's multihomed running Asterisk and iptables for internal web access.
Recently some sales people got busted surfing some explicit content so the owner wants something in there to block this.
I had heard of Dans Guardian and am reading about what's involved here but just wanted an opinion on what's the best solution for this. NTLM silent auth would be an asset, but the lan is simple and the owner doesn't need granular control if it would be complicated.
What are you guys using with good results?
Suggest you consider using OpenDns.com for DNS http://www.opendns.com/
Joseph L. Casale wrote:
I have a location using a CentOS 5 server that's multihomed running Asterisk and iptables for internal web access.
Recently some sales people got busted surfing some explicit content so the owner wants something in there to block this.
I had heard of Dans Guardian and am reading about what's involved here but just wanted an opinion on what's the best solution for this. NTLM silent auth would be an asset, but the lan is simple and the owner doesn't need granular control if it would be complicated.
What are you guys using with good results?
Thanks? jlc
OpenDNS, as Lanny suggested, works as they advertise. It's not very granular though.
I've also been using Untangle (untangle.com) and just love it. It's FLOSS with commercial add-ons; but I think the straight FLOSS capabilities are great without the fee-based extras.
It's a Linux-based router distro. Capable of full NAT routing or as a transparent bridge, you just build up a beige box with 2 NICs and put this baby in between the PCs and the internet.
It's got a great UI, and is really flexible.
Depending on what you were hoping for/envisioning it could be a great fit.
Andy
On Fri, 2008-12-05 at 14:53 -0500, Andrew Hull wrote:
Joseph L. Casale wrote:
I have a location using a CentOS 5 server that's multihomed running Asterisk and iptables for internal web access.
Recently some sales people got busted surfing some explicit content so the owner wants something in there to block this.
I had heard of Dans Guardian and am reading about what's involved here but just wanted an opinion on what's the best solution for this. NTLM silent auth would be an asset, but the lan is simple and the owner doesn't need granular control if it would be complicated.
What are you guys using with good results?
Thanks? jlc
<snip sig stuff>
OpenDNS, as Lanny suggested, works as they advertise. It's not very granular though.
I've also been using Untangle (untangle.com) and just love it. It's FLOSS with commercial add-ons; but I think the straight FLOSS capabilities are great without the fee-based extras.
It's a Linux-based router distro. Capable of full NAT routing or as a transparent bridge, you just build up a beige box with 2 NICs and put this baby in between the PCs and the internet.
It's got a great UI, and is really flexible.
Depending on what you were hoping for/envisioning it could be a great fit.
I'm not sure if the latest has all the features OP is seeking, but I've been using IPCop for ages with NP (which means I've not really visited the site and browsed as I should). It has a decent Web interface for administration, ability to block ports, custom Iptables rules inclusion support, squid proxy capability, etc. Has Green/Red/Blue/Orange zone support. I've run it on my old Pentium 200MHz with 96MB and got 900MB/sec from good sites through my Road Runner turbo link (w/10/100 Mb nics). With 2xGB nics on an AMD K7 @ 360MHz, 1.2MB/sec.
Easy install, administration and upgrade path. Biggest weakness is that docs seem to lag severely sometimes.
And it's FREE open source based on LFS (2.4 kernels?). Find it here.
Andy
<snip sig stuff>
HTH
William L. Maltby wrote:
On Fri, 2008-12-05 at 14:53 -0500, Andrew Hull wrote:
Joseph L. Casale wrote:
I have a location using a CentOS 5 server that's multihomed running Asterisk and iptables for internal web access.
Recently some sales people got busted surfing some explicit content so the owner wants something in there to block this.
I had heard of Dans Guardian and am reading about what's involved here but just wanted an opinion on what's the best solution for this. NTLM silent auth would be an asset, but the lan is simple and the owner doesn't need granular control if it would be complicated.
What are you guys using with good results?
Thanks? jlc
<SNIP>
I'm not sure if the latest has all the features OP is seeking, but I've been using IPCop for ages with NP (which means I've not really visited the site and browsed as I should). It has a decent Web interface for administration, ability to block ports, custom Iptables rules inclusion support, squid proxy capability, etc. Has Green/Red/Blue/Orange zone support. I've run it on my old Pentium 200MHz with 96MB and got 900MB/sec from good sites through my Road Runner turbo link (w/10/100 Mb nics). With 2xGB nics on an AMD K7 @ 360MHz, 1.2MB/sec.
Easy install, administration and upgrade path. Biggest weakness is that docs seem to lag severely sometimes.
And it's FREE open source based on LFS (2.4 kernels?). Find it here.
http://ipcop.org/
Andy
<snip sig stuff>
HTH
Hi Bill, I've never used IPCop (opting for m0n0wall instead), but I was under the impression that IPCop lacked any content filtering features requested by the OP.
A quick perusing of the website leads me to believe it's trying to be a kick-ass beige-box firewall/router (and most likely succeeding), but it seems like a content filter it is not. Did I miss some glaring features?
Thanks for the conversation, Andy
On Fri, 2008-12-05 at 16:35 -0500, Andrew Hull wrote:
William L. Maltby wrote:
<snip>
I'm not sure if the latest has all the features OP is seeking, but I've been using IPCop for ages with NP <snip>
Hi Bill, I've never used IPCop (opting for m0n0wall instead), but I was under the impression that IPCop lacked any content filtering features requested by the OP.
A quick perusing of the website leads me to believe it's trying to be a kick-ass beige-box firewall/router (and most likely succeeding), but it seems like a content filter it is not. Did I miss some glaring features?
No. By the time I read the post I had replied to, I couldn't recall all the features the OP wanted. And, as I mentioned, I hadn't been to the site for a _long_ time. So I wasn't sure what features it had.
On top of all that, I'm relatively inexperienced at that stuff and am not sure what all is meant by a content filter. From my ignorant POV, being able to stop connections from/to certain sites _seemed_ to fall within that capability. Of course my whole "unnerstaning" of that is based on casual hearing of things like "Parental Controls", blocking access to/from sites, etc.
Thanks for the conversation, Andy
<snip sig stuff>
My humble apologies if what I posted was just noise.
On Fri, Dec 5, 2008 at 2:02 PM, William L. Maltby CentOS4Bill@triad.rr.com wrote:
On top of all that, I'm relatively inexperienced at that stuff and am not sure what all is meant by a content filter. From my ignorant POV, being able to stop connections from/to certain sites _seemed_ to fall within that capability. Of course my whole "unnerstaning" of that is based on casual hearing of things like "Parental Controls", blocking access to/from sites, etc.
An old-timer like you and you don't know what content filtering is? Oh, where have you been, Billy-boy, Billy-boy?
As easily as I can depict it, it's where offensive (to the admin/enterprise/censor) subject matter, such as porn or foul language, gets analyzed by the filter and access allowed or denied based on that, not necessarily the IP address or URL. A "good" CBF will let you go to playboy.com, but you wouldn't be able to see any of the pictures within.
For example, the Clinton White House page was caught by Net Nanny (and possibly others) because it mentioned that Bill and Hillary were a couple (as in married) - because, "couple" as a verb has sexual connotations and the filter couldn't tell the difference.
Comprenez-vous, monsieur?
My humble apologies if what I posted was just noise.
Isn't it always? <RBFG>
mhr
(Oh, yeah, end of leg-pulling here, for sure. :-)
On Fri, 2008-12-05 at 15:47 -0800, MHR wrote:
On Fri, Dec 5, 2008 at 2:02 PM, William L. Maltby CentOS4Bill@triad.rr.com wrote:
On top of all that, I'm relatively inexperienced at that stuff and am not sure what all is meant by a content filter. From my ignorant POV, being able to stop connections from/to certain sites _seemed_ to fall within that capability. Of course my whole "unnerstaning" of that is based on casual hearing of things like "Parental Controls", blocking access to/from sites, etc.
An old-timer like you and you don't know what content filtering is? Oh, where have you been, Billy-boy, Billy-boy?
I've been to see my ... OOPS!
In reality, I was/am a "backroom" guy that got out of heavy involvement in programming stuff before the WWW became "all the rage". Needless to say, never got into all the "fancy doo-dads". Further, absolutely no interest at all in UI stuff - it was always a pain during design phase because of the endless nit-picking over placement, size, colors, fonts, ... "Give me a break" was the phrase with which I would usually leave the meeting. It never caused much stir because of the way I was perceived.
As easily as I can depict it, it's where offensive (to the admin/enterprise/censor) subject matter, such as porn or foul language, gets analyzed by the filter and access allowed or denied based on that, not necessarily the IP address or URL. A "good" CBF will let you go to playboy.com, but you wouldn't be able to see any of the pictures within.
For example, the Clinton White House page was caught by Net Nanny (and possibly others) because it mentioned that Bill and Hillary were a couple (as in married) - because, "couple" as a verb has sexual connotations and the filter couldn't tell the difference.
Comprenez-vous, monsieur?
Oui.
My humble apologies if what I posted was just noise.
Isn't it always? <RBFG>
You been listening to my wife? ;-)
mhr
(Oh, yeah, end of leg-pulling here, for sure. :-)
Good thing - I got used to both being the same length.
<snip sig stuff>
On Fri, Dec 5, 2008 at 4:35 PM, Andrew Hull list@racc2000.com wrote:
I've never used IPCop (opting for m0n0wall instead), but I was under the impression that IPCop lacked any content filtering features requested by the OP.
A quick perusing of the website leads me to believe it's trying to be a kick-ass beige-box firewall/router (and most likely succeeding), but it seems like a content filter it is not. Did I miss some glaring features?
I use IPCop for our Firewall/Router at home, but there are people on this list (Scott, etc.) who use it in the Enterprise. If you check out the IPCop web site http://www.ipcop.org possibly you will find there is an Add On available that will do what you need to do.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Lanny Marcus
Sent: Friday, December 05, 2008 2:16 PM
To: CentOS mailing list
Subject: Re: [CentOS] --=Getting OTer by the sec=-- Web Filter
On Fri, Dec 5, 2008 at 4:35 PM, Andrew Hull list@racc2000.com wrote:
I've never used IPCop (opting for m0n0wall instead), but I was under the impression that IPCop lacked any content filtering features requested by the OP.
A quick perusing of the website leads me to believe it's trying to be a kick-ass beige-box firewall/router (and most likely succeeding), but it seems like a content filter it is not. Did I miss some glaring features?
I use IPCop for our Firewall/Router at home, but there are people on this list (Scott, etc.) who use it in the Enterprise. If you check out the IPCop web site http://www.ipcop.org possibly you will find there is an Add On available that will do what you need to do.
I use it (IPCOP) here on our "Free Wireless Access" for our Customers. I had some customers surfing porn in the waiting area. I added the Advanced Proxy and URL Filter Add-ons. http://www.advproxy.net/ http://www.urlfilter.net/
I also use Open DNS behind that, so I get two shots at blocking it.
Easy to set up. I rarely check it. Anytime I get a complaint about it not working, it's because the Linksys WAP has frozen. Dans Guardian is not free for business use....
I have it running on an IBM Netvista Celeron 1000 with 256m of ram on a 10g drive. Been in place for 3 years. Current uptime is 235 days.
on 12-5-2008 2:15 PM Lanny Marcus spake the following:
On Fri, Dec 5, 2008 at 4:35 PM, Andrew Hull list-lr4zqxr38cVWk0Htik3J/w@public.gmane.org wrote:
I've never used IPCop (opting for m0n0wall instead), but I was under the impression that IPCop lacked any content filtering features requested by the OP.
A quick perusing of the website leads me to believe it's trying to be a kick-ass beige-box firewall/router (and most likely succeeding), but it seems like a content filter it is not. Did I miss some glaring features?
I use IPCop for our Firewall/Router at home, but there are people on this list (Scott, etc.) who use it in the Enterprise. If you check out the IPCop web site http://www.ipcop.org possibly you will find there is an Add On available that will do what you need to do.
There are several good addons for IPCop, and I do use it in the enterprise, but if you want something CentOS based, ClarkConnect is just as good. I think it is CentOS 4 based currently and it has a decent content filter and also scans for viruses. The only reason I don't use it in the enterprise was the poor reliability of its IPsec tunnels that I also need running on the same boxes.
I've also been using Untangle (untangle.com) and just love it.
This machine is nearly stock with all the NAT/firewall done in a simple hand-written script; it also serves as an Asterisk PBX so I couldn't use an appliance.
I'm not sure if the latest has all the features OP is seeking, but I've been using IPCop for ages with NP (which means I've not really visited the site and browsed as I should).
I suppose, but the firewall is adequate. I figure it's a toss between DG or squid/squidproxy and it looks like the latter would do what I need at another location with a bigger AD infrastructure much easier so I might be inclined to give it a whirl. Hopefully RPMs exist for squid somewhere...
Thanks for all the suggestions! jlc
Joseph L. Casale wrote:
I've also been using Untangle (untangle.com) and just love it.
This machine is nearly stock with all the NAT/firewall done in a simple hand-written script; it also serves as an Asterisk PBX so I couldn't use an appliance.
I'm not sure if the latest has all the features OP is seeking, but I've been using IPCop for ages with NP (which means I've not really visited the site and browsed as I should).
I suppose, but the firewall is adequate. I figure it's a toss between DG or squid/squidproxy and it looks like the latter would do what I need at another location with a bigger AD infrastructure much easier so I might be inclined to give it a whirl. Hopefully RPMs exist for squid somewhere...
Thanks for all the suggestions! jlc
Squid is standard in CentOS, so just yum install, or you could use Privoxy; it has a lot of ad-blocking features enabled by default and is also in CentOS.
Dunno if you are already happy with this subject, but I've used DansGuardian for a number of prominent school districts in California with very good success. It's cheap, highly reliable, and a single, reasonably well-equipped P4 can *easily* run as a proxy for hundreds or thousands of students! (CentOS 4, 1 GB RAM, 100 GB HDD, random P4 or Athlon processor)
I've always bought the CHEAPEST computer possible at the local "big-box retailer" and never noticed a load average high enough to even measure consistently. EG: over 0.50...
DG rox!
At first, I had to tweak the filter rules for a few weeks until I had something I was happy with, but recently the defaults have become good enough that I wouldn't bother - just roll it out.
Good luck!
On Friday 05 December 2008 10:54:02 am Joseph L. Casale wrote:
I have a location using a CentOS 5 server that's multihomed running Asterisk and iptables for internal web access.
Recently some sales people got busted surfing some explicit content so the owner wants something in there to block this.
I had heard of Dans Guardian and am reading about what's involved here but just wanted an opinion on what's the best solution for this. NTLM silent auth would be an asset, but the lan is simple and the owner doesn't need granular control if it would be complicated.
What are you guys using with good results?
Thanks? jlc