What's up, prox

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Fri May 25 21:24:16 UTC 2007


On Thu, May 24, 2007 at 10:42:27PM -0400, Evan Leibovitch wrote:
> Management at a client is noticing a few employees doing a few things with
> their time that they ought not to be doing.
> 
> This led to a suggestion of a system that will
> 
> - force web browsing through a Squid/dansguardian setup
> - either block MSN or force it through 'msngrep', based on internal IP address
> - probably toss in some intrusion detection for good measure
> 
> While the client already has a Symantec firewall appliance in place, I
> thought that a Linux-based firewall system would be the best way to
> implement this in a manner that could not be circumvented by users.
> Just do the rules to force selected traffic through the appropriate
> proxies.

Well you can certainly forward all outgoing http connections to a squid
proxy configured to work as a transparent proxy.  You can then add sites
that should be blocked to the proxy.

No idea what MSN uses or how one blocks that.

I am a firm believer in "IDS doesn't and can't work".  Good way to
generate tons of false positive noise to filter through though.

I have also given up on Symantec.  Their software is just too buggy,
uses too many resources, and just isn't worth it anymore.  It isn't like
the good old days when norton utilities and such just worked and didn't
waste lots of resources to do it.

> This leads to a few choices:
> 
> 1) Ubuntu or Smoothwall?
>
> Is it better to get and hack a distribution designed solely to be a
> firewall, or to set up a general purpose distro to be one? The reviews of
> Smoothwall look interesting, however it seems that the free version misses
> some of the features I want ("SmoothGuardian"  is part of the commercial
> non-free enhanced product). I look at
> http://www.smoothwall.net/products/comparison.gpl.php and fear that the
> GPL version is just a bit too crippled -- and that making changes that
> deviate from the core not only makes support difficult, but also require
> command-line tuning that's the opposite of the system's whole GUI-friendly
> approach. Dan's Guardian is just another package in the Ubuntu repository
> universe.

Well of those I would pick Ubuntu, partly because I am a Debian fan, and
because that means there are so many packages available in case you
would ever want the box to have other duties.

> 2) If Ubuntu: shorewall, firestarter or something else?
>
> If I choose to use a general purpose distro for my platform, there are a
> number of possible front ends to iptables. Does anyone here have
> experience with (or better, a logic-based preference) the shorewall,
> firestarter or other iptables frontends?

I have been using shorewall as my firewall for quite a while.  I like
how it works.

> 3) Is there a better approach to doing this?

Tell people not to do something and just trust them not to?  You might
upset people if you implement something that obviously says you don't
trust them to follow the rules.  Much less work too.

--
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
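As an added example (not from the thread or from the shorewall or squid projects), the raw iptables rules behind what Len describes: sending the LAN's outbound port-80 traffic into a Squid transparent proxy on the firewall itself. Interface, subnet and Squid port are assumed values.

```shell
#!/bin/sh
# Generate (not apply) the iptables rules for a transparent Squid proxy.
# Assumed layout: Squid runs on the firewall, LAN is on eth1.
# squid.conf needs "http_port 3128 transparent" (Squid 2.x) or
# "http_port 3128 intercept" (Squid 3.1+) for intercepted connections.
# Review the output, then apply as root with:  ./proxy_rules.sh | sh
proxy_rules() {
    lan_if=${1:-eth1}
    lan_net=${2:-192.168.1.0/24}
    squid_port=${3:-3128}

    # Port 80 from the LAN is redirected to Squid on this box.  Squid's own
    # upstream fetches originate on the firewall and traverse OUTPUT, not
    # PREROUTING, so they are not caught and there is no redirect loop.
    # (shorewall equivalent in /etc/shorewall/rules:
    #   REDIRECT  loc  $squid_port  tcp  www)
    echo "iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $squid_port"

    # The redirected connections now arrive locally; let them reach Squid.
    echo "iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport $squid_port -j ACCEPT"

    # Any port-80 traffic that still tries to be forwarded directly (e.g. a
    # source address outside $lan_net) is logged, then dropped, so the proxy
    # is not silently bypassed.  Note the limits of interception: HTTPS (443)
    # and HTTP on non-standard ports are not caught by this rule set and must
    # be allowed or blocked by separate policy.
    echo "iptables -A FORWARD -i $lan_if -p tcp --dport 80 -j LOG --log-prefix 'http-bypass: '"
    echo "iptables -A FORWARD -i $lan_if -p tcp --dport 80 -j DROP"
}

# Print the rule set for the given (or default) interface, subnet and port.
proxy_rules "$@"
```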