Koozali.org: home of the SME Server

Blocking web pages

Offline Luis Noriega

Blocking web pages
« on: February 14, 2009, 08:43:56 PM »
Hi!
It's me again with some troubles I can't solve.
THE PROBLEM:
I have a home network, where the server-gateway is a SME 7 server. The server is connected to an 8-port switch which feeds some areas of my house (YOUR House) with LAN terminals.
1) on 5 of the terminals (the terminals which are at rooms and my office):
     - I want to block ALL THE WEB CONTENT (except the bank homepage and the school's homework website);
     - block msn, chat's, p2p's, etc...
     - Allow e-mail (thunderbird, outlook, gmail, etc).
2) on the other 3 terminals (the ones that are at public places like tv room and living room):
     - Allow filtered web content;
     - Allow msn, chat, p2p, etc...
     - Allow e-mail
I'm not sure if this is possible. If it is, please tell me how. I don't know if I have to install any application/software or just use prompt commands.
Thanks for your time!
Luis.

Offline Stefano

Re: Blocking web pages
« Reply #1 on: February 14, 2009, 08:50:18 PM »
hi

IMO you can't achieve it with SME.. you should install something like ipcop or pfsense in front of your lan, and change SME's setup to server-only

my 2c
ciao
Stefano

Offline Luis Noriega

Re: Blocking web pages
« Reply #2 on: February 15, 2009, 01:13:13 AM »
Stefano!!!
Thank you very much again!
Have you used DansGuardian?
I've been reading at "http://dungog.net/wiki/Dungog-dansguardian" the VISUAL version of DansGuardian... I've understood that you can create "groups" of users and filter according to those groups...
I've read also that Dungog-dansguardian is just like a VISUAL/friendly version of the dansguardian and has the same capabilities.
Have you used any of those?

About IPCop: I've been reading a little bit about it. Sounds good. Could installing it and using it as a GATEWAY be an answer to my problem?

THANKS A LOT
Luis.
I owed you a tequila from the last time you helped me... now I owe you 2.

Offline David Harper

Re: Blocking web pages
« Reply #3 on: February 15, 2009, 02:40:41 AM »
Dansguardian would be fine for filtering web traffic, but it doesn't do P2P. This requires a package called ipp2p, which has been dropped because nobody wants to maintain it (it's not very easy to compile).

Offline Luis Noriega

Re: Blocking web pages
« Reply #4 on: February 15, 2009, 05:50:17 AM »
Thanks David!
If I can't block everything, at least I can start blocking something.
Luis.

Offline besterl

Re: Blocking web pages
« Reply #5 on: February 16, 2009, 01:08:12 PM »
Luis - I do exactly that

Block all webpages except the ones I have in a file called unblock.txt

For P2P - the best solution is to block ports.

Just think this through carefully - as you will block Virus and Windows update sites.

If you know squid well - you can even exclude certain IPs from these blocks.

Let me know if you want to pursue this.


Offline David Harper

Re: Blocking web pages
« Reply #6 on: February 16, 2009, 02:04:36 PM »
For P2P - the best solution is to block ports.

Just remember that most P2P programs (including BitTorrent) can be reconfigured to use alternate ports. That is why IPP2P is so useful -- it actually inspects the packets rather than relying on port numbers.

Offline Stefano

Re: Blocking web pages
« Reply #7 on: February 16, 2009, 02:09:57 PM »
I owed you a tequila from the last time you helped me... now I owe you 2.

Hi Luis.. do you want me to get drunk? :-D
thank you so much.. I think I will drink them "virtually", you are too far from me ;-)

Ciao
Stefano

Offline gdbs

Re: Blocking web pages
« Reply #8 on: February 16, 2009, 02:52:47 PM »
I think the best way to block P2P is to use the ipp2p contrib... but... it's not compiled for the latest kernel!

I'd like to compile it but I don't know how.

I'd like someone to explain to me step by step how to do it, so I'll compile it for every kernel version.

i've started to read the documentation to build rpm, but some parts are not really clear and others are marked as "Outdated:   The information on this page maybe no longer relevant. "

as i've understood, i have to:

- install centos development 4.7 (sme 7.4)
- then ???
- and ???
- and so ???
- use srpms of ipp2p to compile it for the new kernel...
- done?

anyone can help???

Offline mercyh

Re: Blocking web pages
« Reply #9 on: February 16, 2009, 03:00:27 PM »
One more option if you are wanting to do this with a dedicated box. (Not on the SME)

http://www.untangle.com/


Offline gdbs

Re: Blocking web pages
« Reply #10 on: February 16, 2009, 03:40:31 PM »
wow.... "use smoothwall", "use untangle", "use ipcop"???

i think i can read on the "about sme" page that sme server is a GATEWAY, firewall etc etc

It's possible to use it to filter the web, using dansguardian easily... and it's possible to filter p2p too, so why tell people to go away from our SME server?

The only problem is that ipp2p is not really easy to compile... BUT some people here have compiled it, so it's possible. I can understand they lack time to do it for each new kernel build... but giving a real how-to may help others to do it.

So I don't think it's a good idea to tell everyone to look at another distro... they don't ask for playing or something like that, they're asking for filtering the web.... I think that's what we can expect from a GATEWAY distro, no? And the fact that this feature is asked for every time on this forum is the real sign that it may be a basic feature of SME server.


Offline Stefano

Re: Blocking web pages
« Reply #11 on: February 16, 2009, 04:00:02 PM »
wow.... "use smoothwall", "use untangle", "use ipcop"???
i think i can read on the "about sme" page that sme server is a GATEWAY, firewall etc etc

gdbs: SME is not a firewall.. it may act as a firewall, but it can't (and doesn't want to) compete with ipcop, untangle and the others.. this is "by design"

IMO (but it's a generally acknowledged rule) having your users and data on the firewall is not a good idea.. N.B. I'm not saying SME is unsure.. I'm only saying that I prefer to use something like m0n0wall, pfsense and the others as firewall.

remembering that SME is linux (Centos/redhat), you can do quite everything on it (considering the templating system), but:

- you could break something
- this could be difficult
- you can hardly use the web interface.

question: to make a hole in your wall, will you use a drill or a screwdriver?

my 2 c

ciao
Stefano
« Last Edit: February 16, 2009, 04:01:45 PM by Stefano a.k.a. nenonano »

Offline gdbs

Re: Blocking web pages
« Reply #12 on: February 16, 2009, 04:09:55 PM »
ipp2p is known to work great on SME, so now it's not about what we could break, how difficult it is or something else, it's about how to compile it for each kernel version, it's about asking for a how-to from people who have done rpms before and maybe don't have time to do it now or other. It's about a contrib installed on different servers and users who can't update their SME because ipp2p wouldn't work after a kernel upgrade. And it's about new users who want to use SME with ipp2p and dansguardian because SME suits their needs, not other distros... and maybe adding a second server is not a good alternative for them.... and I understand this.

Offline Stefano

Re: Blocking web pages
« Reply #13 on: February 16, 2009, 04:18:42 PM »
ipp2p is known to work great on SME, so now it's not about what we could break, how difficult it is or something else, it's about how to compile it for each kernel version, it's about asking for a how-to from people who have done rpms before and maybe don't have time to do it now or other. It's about a contrib installed on different servers and users who can't update their SME because ipp2p wouldn't work after a kernel upgrade. And it's about new users who want to use SME with ipp2p and dansguardian because SME suits their needs, not other distros... and maybe adding a second server is not a good alternative for them.... and I understand this.

you have pointed out all the reasons why it's better to use something that is constantly managed and updated (another distro) instead of SME that ACTUALLY could not give the same warranty.

again, all in my humble opinion..

Ciao
Stefano and "this is my last post in this topic as we are going OT"
« Last Edit: February 16, 2009, 08:38:31 PM by Stefano a.k.a. nenonano »

Offline Luis Noriega

Re: Blocking web pages
« Reply #14 on: February 16, 2009, 06:38:09 PM »
Luis - I do exactly that (...) Let me know if you want to pursue this.

besterl!
Thank's a lot.
Could you tell me how you do it?
Luis.

Offline gdbs

Re: Blocking web pages
« Reply #15 on: February 16, 2009, 10:08:28 PM »
you have pointed out all the reasons why it's better to use something that is constantly managed and updated (another distro) instead of SME that ACTUALLY could not give the same warranty.

again, all in my humble opinion..

Ciao
Stefano and "this is my last post in this topic as we are going OT"

I think that you've not understood that that's what I propose to do: giving the warranty of having an ipp2p contrib build for each new version of the kernel..................

Offline janet

Re: Blocking web pages
« Reply #16 on: February 17, 2009, 01:15:39 AM »
gdbs

It would be great if you provided ongoing support for the ipp2p contrib.

I suggest you post your offer/desire/request to the devinfo list (http://lists.contribs.org/mailman/listinfo/devinfo) and/or bugzilla (http://bugs.contribs.org/), asking for support to help you both learn what to do and how to integrate it all (ie the contrib) into the sme build server stream.

There are very knowledgeable people there who I expect will offer you assistance.
In bugzilla create a new bug against that contrib category

If the contrib category doesn't exist, then create a bug asking for the category to be created or  request staff@contribs.org to create it first and then you can add your bug. The bug in this case is a "problem with the system" bug rather than a "problem with a contrib" bug.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Luis Noriega

Re: Blocking web pages
« Reply #17 on: February 17, 2009, 04:35:33 PM »
Luis - I do exactly that (...) Let me know if you want to pursue this.

besterl!
Please tell me how!
Thanks.
Luis.

Offline FraunhoferIFF

Re: Blocking web pages
« Reply #18 on: February 17, 2009, 05:20:52 PM »
# Create the custom template directories: one for squid.conf fragments, one for the block list
mkdir -p /etc/e-smith/templates-custom/etc/squid/squid.conf
mkdir -p /etc/e-smith/templates-custom/etc/squid/block.txt
# Define an ACL that reads its patterns from /etc/squid/block.txt and deny requests that match it
echo acl block url_regex \"/etc/squid/block.txt\" >/etc/e-smith/templates-custom/etc/squid/squid.conf/20ACL31block
echo http_access deny block >/etc/e-smith/templates-custom/etc/squid/squid.conf/40http_access21denyBlock
# One pattern per line in the block list fragment
echo .myspace.com >/etc/e-smith/templates-custom/etc/squid/block.txt/10block
echo .spamadserver.com >>/etc/e-smith/templates-custom/etc/squid/block.txt/10block
# Regenerate both files from the templates and restart Squid
/sbin/e-smith/expand-template /etc/squid/squid.conf
/sbin/e-smith/expand-template /etc/squid/block.txt
/sbin/service squid restart


If you want to change the list of blocked sites, edit /etc/e-smith/templates-custom/etc/squid/block.txt/10block then enter the following:

/sbin/e-smith/expand-template /etc/squid/block.txt
/sbin/service squid restart


To remove the list, delete the custom templates and restart as follows:

rm /etc/e-smith/templates-custom/etc/squid/squid.conf/20ACL31block
rm /etc/e-smith/templates-custom/etc/squid/squid.conf/40http_access21denyBlock
rm /etc/e-smith/templates-custom/etc/squid/block.txt/10block
/sbin/e-smith/expand-template /etc/squid/squid.conf
/sbin/service squid restart
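
An added example, not part of the post above or of SME Server itself: a shell model of how Squid's first-match `http_access` rules would split the two groups of terminals from the opening question using `dstdomain` lists, with the post's `url_regex` matching beside it for comparison. The client addresses, the `.example` domains and the file names in the comments are constructed for illustration.

```shell
#!/bin/sh
# Models these squid.conf rules (file names are hypothetical):
#   acl restricted src 192.168.1.11-192.168.1.15
#   acl allowed dstdomain "/etc/squid/unblock.txt"
#   acl block   dstdomain "/etc/squid/block.txt"
#   http_access allow restricted allowed
#   http_access deny  restricted
#   http_access deny  block
# All addresses and domains below are constructed sample values.
RESTRICTED="192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.14 192.168.1.15"
ALLOWED=".bank.example .school.example"
BLOCK=".myspace.com .spamadserver.com"

# Host part of a URL: drop scheme, path, query, userinfo and port.
url_host() {
    h=${1#*://}; h=${h%%/*}; h=${h%%\?*}; h=${h##*@}; h=${h%%:*}
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# dstdomain semantics: ".example.com" matches example.com and its subdomains.
in_domains() {   # $1 = host, $2 = space-separated domain list
    for d in $2; do
        bare=${d#.}
        case "$1" in "$bare"|*."$bare") return 0 ;; esac
    done
    return 1
}

# url_regex semantics (as in the post): pattern searched anywhere in the URL.
in_regexes() {   # $1 = URL, $2 = space-separated pattern list
    for p in $2; do
        printf '%s\n' "$1" | grep -Eq -- "$p" && return 0
    done
    return 1
}

# The first http_access line that matches decides the request.
decide() {       # $1 = client IP, $2 = URL
    host=$(url_host "$2")
    case " $RESTRICTED " in *" $1 "*)
        if in_domains "$host" "$ALLOWED"; then echo ALLOW; else echo DENY; fi
        return ;;
    esac
    if in_domains "$host" "$BLOCK"; then echo DENY; else echo ALLOW; fi
}
```

With `url_regex`, the entry `.myspace.com` also matches `http://notmyspace.com/`, because the pattern is searched anywhere in the URL and each dot matches any character; `dstdomain` compares host names only.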

Offline thomasch

Re: Blocking web pages
« Reply #19 on: February 18, 2009, 06:18:12 AM »
1) on 5 of the terminals (the terminals which are at rooms and my office):
     - I want to block ALL THE WEB CONTENT (except the bank homepage and the school's homework website);
     - block msn, chat's, p2p's, etc...
     - Allow e-mail (thunderbird, outlook, gmail, etc).
2) on the other 3 terminals (the ones that are at public places like tv room and living room):
     - Allow filtered web content;
     - Allow msn, chat, p2p, etc...
     - Allow e-mail

You need a full-blown firewall like ipcop to achieve what you want. SME is not designed for that purpose.

If you don't want to buy another machine and put it in front of smeserver, you can install a firewall under vmware to filter/block internet access. Some call it a virtual firewall. SMEserver has to be set to server-only mode.
However, there are security consequences, I think.

thomasch

Offline gdbs

Re: Blocking web pages
« Reply #20 on: February 18, 2009, 10:20:05 AM »
I've been able to compile ipp2p for the test kernel !!!

version test 2.6.9-78.0.13 (the next version of kernel...)

i'm actually downloading the 2.9.6-78.0.8 stable version and i post it here for test

Offline gdbs

Re: Blocking web pages
« Reply #21 on: February 18, 2009, 10:24:21 AM »
why? isn't SME made to work in gateway mode? why in the "about sme" section is SME described as a gateway firewall distro?

and with ipp2p, it's possible to block p2p...

You need a full-blown firewall like ipcop to achieve what you want. SME is not designed for that purpose.

If you don't want to buy another machine and put it in front of smeserver, you can install a firewall under vmware to filter/block internet access. Some call it a virtual firewall. SMEserver has to be set to server-only mode.
However, there are security consequences, I think.

thomasch

Offline Stefano

Re: Blocking web pages
« Reply #22 on: February 18, 2009, 11:19:31 AM »
why? isn't SME made to work in gateway mode? why in the "about sme" section is SME described as a gateway firewall distro?

and with ipp2p, it's possible to block p2p...


gdbs: what part of "SME can act as firewall but it is NOT a "pure" firewall, because firewalling and web traffic filtering are not its primary scope" is difficult to understand?

Stefano and "firewalling on SME has been discussed so many times here.. use the search, Luke"

Offline gdbs

Re: Blocking web pages
« Reply #23 on: February 18, 2009, 11:35:00 AM »
Yes, I've understood it, but as you said it can do a part of it.

You can give advice about it, but here, someone is asking for functionalities that SME can do. If it answers his need, why should he add something else? Maybe it's enough for him.

But sure, if he's asking for something that really doesn't exist on SME or can't answer all his needs, using another distro could be a good choice...

But if SME, dansguardian and ipp2p are responding well, I think we may tell him to test it before asking another community of another distro.

I've compiled ipp2p, now he will be one of my testers :)

If ipp2p is not the right option for him, he's free to do what he wants to find the good way for him....

Offline besterl

Re: Blocking web pages
« Reply #24 on: April 24, 2009, 08:20:02 PM »
besterl!
Please tell me how!
Thanks.
Luis.

Sorry I have not been online for a while now - too busy with other stuff.

If you still have not sorted this out let me know

L