My E-Smith Server and Gateway has two NICs: the first faces the internal LAN and the second is directly connected to a NATting ADSL modem/router. I've just been asked the following:
1. Is it possible to configure the E-Smith Server and Gateway so that only specifically authorized machines can have Internet access?
2. Is it possible to filter the visited URLs by content/address, banning undesired ones (think about audio and video broadcast sites, or sexy sites, for example)?
3. Is it possible to log Internet activity, so that the superuser can check who did what and when, should it be necessary?
As for question no. 1, I guess that I could enable an ipchains filter that denies packet transfers from the internal LAN interface to the external LAN one if the source IP address is outside the authorized pool... Is that the best way to do it, or am I missing something?
As for question no. 2, I think that enabling squid transparent proxying and then installing squidGuard 0.2-1 and all its components should be a good starting point; if I understand correctly, though, doing so I will be able to filter only requests made using the http protocol on port 80, not other protocols or the http protocol on different ports. Am I wrong about this? If not, can anybody suggest a path for me to follow?
As for question no. 3, I'm in the dark.
If I enable squid transparent proxy, I guess that squid would log only http://...:80 requests, right?
What about other protocols/ports? Ipchains? Aren't ipchains logs far too detailed?
On the old win95 box, I used a small freeware socks4 server that included a miniDNS logging every request for a "foreign" domain it received: can something similar be done on an E-Smith Server and Gateway?
About the DNS: suppose I have a fixed IP and a registered "domain.it" domain. My intranet uses class A private addresses, and every machine on it knows it belongs to "domain.it". When I installed E-Smith, I told it to become a node in the "domain.it" domain. I had no DNS, so the E-Smith one is the only name server on my private net.
Its DNS gives every machine a "standard" name from its DNS config file that does not reflect the name I gave to the PCs. All these names are in the form:
pcN.e-smith.domain.it
(where N is a number calculated from the PC IP address), and even the server itself responds to names like mail.e-smith.domain.it, {server name}.e-smith.domain.it and so on.
It is as if it creates an e-smith.domain.it subdomain, instead of becoming part of the domain.it domain... I'd like to reconfigure the E-Smith DNS so that it gives the PCs their names, and add some other configurations, e.g. a mail.domain.it that points to the E-Smith Server just like mail.e-smith.domain.it does.
Do you see any problem in such a reconfiguration - provided I don't make file syntax mistakes, I mean?
P.S.: among the contributed modules I noticed an "e-smith named conf" module that I guess could partially answer my question, but the associated link:
http://pagefault.org/e-smith/contrib/e-smith-named-conf-0.1-3.noarch.rpm
points to a non-existing file...

Thank you in advance for whatever answer or suggestion you may want to give me.
--
Pierluigi "Zio LoneWolf" Miranda
Cerveteri (Roma)
Italy