What's up, prox

Evan Leibovitch evan-ieNeDk6JonTYtjvyW6yDsg at public.gmane.org
Fri May 25 02:42:27 UTC 2007


Hi folks,

Management at a client is noticing a few employees doing a few things with
their time that they ought not to be doing.

This led to a suggestion of a system that will

- force web browsing through a Squid/dansguardian setup
- either block MSN or force it through 'msngrep', based on internal IP address
- probably toss in some intrusion detection for good measure

While the client already has a Symantec firewall appliance in place, I
thought that a Linux-based firewall system would be the best way to
implement this in a manner that could not be circumvented by users.
Just do the rules to force selected traffic through the appropriate
proxies.

This leads to a few choices:

1) Ubuntu or Smoothwall?

Is it better to get and hack a distribution designed solely to be a
firewall, or to set up a general purpose distro to be one? The reviews of
Smoothwall look interesting, however it seems that the free version misses
some of the features I want ("SmoothGuardian" is part of the commercial
non-free enhanced product). I look at
http://www.smoothwall.net/products/comparison.gpl.php and fear that the
GPL version is just a bit too crippled -- and that making changes that
deviate from the core not only makes support difficult, but also requires
command-line tuning that's the opposite of the system's whole GUI-friendly
approach. Dan's Guardian is just another package in the Ubuntu repository
universe.

2) If Ubuntu: shorewall, firestarter or something else?

If I choose to use a general purpose distro for my platform, there are a
number of possible front ends to iptables. Does anyone here have
experience with (or better, a logic-based preference) the shorewall,
firestarter or other iptables frontends?

3) Is there a better approach to doing this?

Thanks for any suggestions.

- Evan


--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists




