I just finished building a content filtering firewall for the house


Simplex3
05-03-2005, 10:47 PM
If you have kids and DSL/Cable and want to keep them out of bad stuff cheaply, it's awesome. All you need is any OLD craptacular PC (I'm using a Celeron 333 with 64mb RAM), two network cards, and some time. True content filtering, not just URL blacklisting (although it does that too). It actually scans the incoming text and runs it against several types of checks. If it doesn't meet your criteria it puts up a "This site blocked" message. It doesn't require any browser settings; it traps all port 80 traffic before it gets out, so kids can't get around it easily.

If anyone's interested I'll post how to do it with all legally free software.

Okey dokie, here's the first steps. Don't let it scare you, its bark is much worse than its bite:


* Requirements
- Celeron 333 or greater CPU
- 64MB RAM
- 2G HDD
- 2 10Mb or faster network cards

* Acquire FreeBSD 5.3

ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/5.3/5.3-RELEASE-i386-disc1.iso

* Install FreeBSD
- Boot from the install cd
- Press "enter" at the boot loader screen to continue
- Choose a "Standard" install
- In the FDISK partition editor delete any current "slices" by moving the
highlight over them and pressing "d" on the keyboard
- Once all slices are deleted press "a" to use the entire disk
- Press "q" to continue
- Select the "Standard" boot manager
- In the "Disklabel Editor" press "c" to create a partition. Type "128M" into
the first box. Select "Swap" as the file system type.
- Press "c" again. This time accept the default for the partition size.
Next, select "fs" as the file system type. For "Mount Point" type a single
forward slash "/".
- Press "q" to exit the disklabel editor.
- Choose "Minimal" for the distribution to install.
- Select "CD/DVD" as the install source.
- Confirm you want to install.
- Press "Ok" on the congrats screen.

* Configure FreeBSD Part 1
- When asked if you would like to configure any Ethernet devices answer "Yes".
- Choose to configure your EXTERNAL network card.
- No to IPv6 config.
- Yes to try DHCP config.
- Enter "fw" for the host name then press "Ok".
- Answer "yes" to Function as a Network Gateway.
- Answer "no" to inetd.
- Answer "yes" to ssh.
- Answer "no" to ftp.
- Answer "no" to nfs server.
- Answer "no" to client.
- Answer "no" to system console settings.
- Answer "yes" to set the time zone.
- Answer "yes" to CMOS clock set to UTC.
- Choose your time zone.
- Answer "no" to Linux binary compat.
- Answer "no" to PS/2 mouse.
- Answer "no" to browse the packages collection.
- Answer "no" to create additional accounts.
- Select "Ok" to set the system manager (root) password.
- Enter the password you would like to use twice.
- Answer "yes" to visit the config menu.

* Installing the Distribution sets
- Select "Distributions" from the menu.
- Select "man"
- Select "ports"
- Select "src". In the next menu select "sys".
- Select "Ok" until it begins installing the selected software.

* Installing the Packages
- Select "Packages" from the main menu.
- Select "net". From net select "cvsup-16.1h", then "Ok".
- Select "shells". From shells select "bash-2.05b.007_2", then "Ok".
- From the Package Selection menu select "Install".
- Press "Ok".

* Configure Network Services
- Select "Networking" from the main menu.
- Select "Ntpdate" from the Network Services Menu.
- Select "Other" from the Server Selection menu. Enter "-b us.pool.ntp.org"
in the box and press "Ok".
- Select "Ok" again to return to the main menu.

* Finishing the install
- Select "Exit" from the Config Menu.
- Select "Exit Install" from the Main Menu.
- Remove the cd and reboot the system.

* First boot
- Allow the machine to boot.
- When it asks for a "random screenful of junk" give it just that. Typically
several lines is fine. The more you type, the less likely it is that your "seed"
can be guessed.
- At the "login:" prompt, type "root". This is the admin user name.
- Enter the password you chose during install at the "Password:" prompt.

* A brief intro to our text editor, EE
- We'll be using EE as our editor. Type "ee" at the prompt. You will be in
the editor with a blank file. Simply type as you normally would. When you're
ready to save, exit, etc. just press the ESC key. A menu will pop up giving you
the options. It couldn't be easier.
- Exit ee without saving.

* Continue first boot
- Now type "ee /etc/rc.d/sshd_config" at the prompt.
- Scroll down and find the line that says "#PermitRootLogin no" and change
that to "PermitRootLogin yes".
- Save and exit. (ESC, ENTER, ENTER).
- At the prompt type "setenv EDITOR /usr/bin/ee".
- Type "vipw" at the prompt. Don't crap your pants. On line 3, at the very
end, you'll find "/bin/csh". Replace that with "/usr/local/bin/bash". Save and
exit.

Note -> At this point you can do everything from an ssh client (remote shell).
I do this because it allows me to sit at another machine and use cut/paste
rather than type out all of these commands.

* Create a decent bash environment
- Type "cd" at the prompt.
- Now type "ee .bashrc" at the prompt. This will start ee and open a file
named .bashrc if it exists. Since it doesn't it will create the file by that
name when we save. From now on I'll simply tell you "ee filename" followed by
the text to put in that file. You will be expected to save and exit before
moving on.
- Enter this text into the file:

umask 077
PS1="[\u@\h \w]\\$ "
alias ll='ls -alFG'

- Save and exit (ESC, ENTER, ENTER).
- "ee .bash_profile"

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin:$HOME/bin;
export PATH
umask 077
PS1="[\u@\h \w]\\$ "
alias ll='ls -alFG'

- At the prompt, exit out of our initial bash environment by typing "exit" or
pressing CTRL-D.

* Log in to our newly created bash environment
- Log in to the terminal or through ssh. If you see "[root@fw ~]# " you're
ready to go.

* Add a warning banner
- "ee /etc/motd"

* * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE
ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE
PUNISHABLE UNDER THE COMPUTER FRAUD AND ABUSE ACT OF 1986 OR
OTHER APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS THIS SYSTEM,
DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES
AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE HEREBY
NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT TO
MONITORING AND AUDITING.
* * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *

- "cp /etc/motd /etc/issue"

* Update the system with the latest patches.
- "cp /usr/share/examples/cvsup/stable-supfile /etc"
- "cp /usr/share/examples/cvsup/ports-supfile /etc"
- "ee /etc/stable-supfile". On line 68 change "CHANGE_THIS" to "cvsupX" where
X is a number from 1 to 15. At the end of line 73 add "_3" so that it reads
"*default release=cvs tag=RELENG_5_3". This section should now look like:

# IMPORTANT: Change the next line to use one of the CVSup mirror sites
# listed at http://www.freebsd.org/doc/handbook/mirrors.html.
*default host=cvsup1.FreeBSD.org
*default base=/var/db
*default prefix=/usr
# The following line is for 5-stable. If you want 4-stable, 3-stable, or
# 2.2-stable, change to "RELENG_4", "RELENG_3", or "RELENG_2_2" respectively.
*default release=cvs tag=RELENG_5_3
*default delete use-rel-suffix

- "ee /etc/ports-supfile". On line 51 change "CHANGE_THIS" to "cvsupX" where X is a number from 1 to 15.
- "cvsup /etc/stable-supfile && cvsup /etc/ports-supfile".
- Go take a break. This step will take a long time depending on your Internet connection speed. Could be hours.

Taco John
05-03-2005, 10:53 PM
That's awesome!

wutamess
05-03-2005, 11:11 PM
Post it numbnutts!

Simplex3
05-03-2005, 11:14 PM
Post it numbnutts!
I'm working on it!

:)

Simplex3
05-03-2005, 11:17 PM
This will keep you busy for a bit:

You'll need FreeBSD 5.3. Get the CD's here:

ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/5.3/

You'll need "5.3-RELEASE-i386-disc1.iso". No need for disc2.

Download and burn to cd.

More coming.

Rausch
05-03-2005, 11:34 PM
Wait....is he questioning my manhood?...

Simplex3
05-03-2005, 11:36 PM
Wait....is he questioning my manhood?...
Not in this thread. Until now.

Rausch
05-03-2005, 11:37 PM
Not in this thread. Until now.

Hey, wait...

Can I use this to filter out all the ****ing casino ads and online-gambling spam I get?

On a Mac?


Brad,

might send Simplex a cookie...

Simplex3
05-03-2005, 11:40 PM
Hey, wait...

Can I use this to filter out all the ****ing casino ads and online-gambling spam I get?

On a Mac?


Brad,

might send Simplex a cookie...
You can blacklist anything you want. They have stock blacklists for:

#Remove the # from the following and edit as needed to use a stock
#squidGuard blacklists collection.
.Include</etc/dansguardian/blacklists/ads/urls>
.Include</etc/dansguardian/blacklists/adult/urls>
.Include</etc/dansguardian/blacklists/aggressive/urls>
#.Include</etc/dansguardian/blacklists/audio-video/urls>
#.Include</etc/dansguardian/blacklists/chat/urls>
.Include</etc/dansguardian/blacklists/drugs/urls>
#.Include</etc/dansguardian/blacklists/entertainment/urls>
#.Include</etc/dansguardian/blacklists/frencheducation/urls>
.Include</etc/dansguardian/blacklists/gambling/urls>
#.Include</etc/dansguardian/blacklists/government/urls>
#.Include</etc/dansguardian/blacklists/hacking/urls>
.Include</etc/dansguardian/blacklists/jobsearch/urls>
#.Include</etc/dansguardian/blacklists/kidstimewasting/urls>
#.Include</etc/dansguardian/blacklists/mail/urls>
#.Include</etc/dansguardian/blacklists/news/urls>
.Include</etc/dansguardian/blacklists/porn/urls>
#.Include</etc/dansguardian/blacklists/proxy/urls>
#.Include</etc/dansguardian/blacklists/publicite/urls>
#.Include</etc/dansguardian/blacklists/redirector/urls>
.Include</etc/dansguardian/blacklists/violence/urls>
.Include</etc/dansguardian/blacklists/virusinfected/urls>
#.Include</etc/dansguardian/blacklists/warez/urls>

Rausch
05-03-2005, 11:42 PM
You can blacklist anything you want. They have stock blacklists for:

#Remove the # from the following and edit as needed to use a stock
#squidGuard blacklists collection.
.Include</etc/dansguardian/blacklists/ads/urls>
.Include</etc/dansguardian/blacklists/adult/urls>
.Include</etc/dansguardian/blacklists/aggressive/urls>
#.Include</etc/dansguardian/blacklists/audio-video/urls>
#.Include</etc/dansguardian/blacklists/chat/urls>
.Include</etc/dansguardian/blacklists/drugs/urls>
#.Include</etc/dansguardian/blacklists/entertainment/urls>
#.Include</etc/dansguardian/blacklists/frencheducation/urls>
.Include</etc/dansguardian/blacklists/gambling/urls>
#.Include</etc/dansguardian/blacklists/government/urls>
#.Include</etc/dansguardian/blacklists/hacking/urls>
.Include</etc/dansguardian/blacklists/jobsearch/urls>
#.Include</etc/dansguardian/blacklists/kidstimewasting/urls>
#.Include</etc/dansguardian/blacklists/mail/urls>
#.Include</etc/dansguardian/blacklists/news/urls>
.Include</etc/dansguardian/blacklists/porn/urls>
#.Include</etc/dansguardian/blacklists/proxy/urls>
#.Include</etc/dansguardian/blacklists/publicite/urls>
#.Include</etc/dansguardian/blacklists/redirector/urls>
.Include</etc/dansguardian/blacklists/violence/urls>
.Include</etc/dansguardian/blacklists/virusinfected/urls>
#.Include</etc/dansguardian/blacklists/warez/urls>


But will it work on Mac/Linux?

Logical
05-03-2005, 11:44 PM
I assume you mean young kids, because I would guess the average teenager would be able to figure out how to

A) turn off the computer you put it on, reboot in safe mode and shut the program down

B) hack the program to alter the filtering scheme

But then my experience has been that most teenagers are far more computer and computer software literate than their average adult contemporaries.

KC Jones
05-03-2005, 11:46 PM
I assume you mean young kids, because I would guess the average teenager would be able to figure out how to

A) turn off the computer you put it on, reboot in safe mode and shut the program down

B) hack the program to alter the filtering scheme

But then my experience has been that most teenagers are far more computer and computer software literate than their average adult contemporaries.

I'm thinking BSD doesn't have a safe mode like windows.

I'm also thinking it's the most secure 'popular' OS for a reason so the kids won't be able to get in without his password.

I'm also thinking that there is no internet connection if it's down.

Those are just thoughts though.

morphius
05-03-2005, 11:47 PM
I assume you mean young kids, because I would guess the average teenager would be able to figure out how to

A) turn off the computer you put it on, reboot in safe mode and shut the program down

B) hack the program to alter the filtering scheme

But then my experience has been that most teenagers are far more computer and computer software literate than their average adult contemporaries.
Well, it is a bit more complicated to shut down a process on a UNIX router, and if you turn the box off, no internet access.

Of course if they just unplug the network from it and plug into the cable modem, then you are hosed.

Simplex3
05-03-2005, 11:48 PM
It runs on FreeBSD. I have Linux machines here at the house. We still have one Windows box (freaking wife).

As for bypassing, they can't reboot in safe mode, safe mode in FreeBSD has no networking. They can't get on the machine at all without a user account, so you're cool there. As for hacking it, if they can hack this then you should probably turn them in to the Feds, this wouldn't have been their first attempt.

This machine is actually a secured *nix server, it just happens to work as a home gateway/router/content filter.

KC Jones
05-03-2005, 11:49 PM
Of course if they just unplug the network from it and plug into the cable modem, then you are hosed.

d'oh! I'm such a simpleton I didn't think of that. I guess the filter server has to go into the gun cabinet behind some heavy duty locks.

Logical
05-03-2005, 11:49 PM
Well, it is a bit more complicated to shut down a process on a UNIX router, and if you turn the box off, no internet access.

Of course if they just unplug the network from it and plug into the cable modem, then you are hosed.

OK fill me in did I miss something where he indicated a Unix router was involved?

Logical
05-03-2005, 11:51 PM
It runs on FreeBSD. I have Linux machines here at the house. We still have one Windows box (freaking wife).

As for bypassing, they can't reboot in safe mode, safe mode in FreeBSD has no networking. They can't get on the machine at all without a user account, so you're cool there. As for hacking it, if they can hack this then you should probably turn them in to the Feds, this wouldn't have been their first attempt.

This machine is actually a secured *nix server, it just happens to work as a home gateway/router/content filter.

OK this is what I get for being Unix illiterate. Sorry

KC Jones
05-03-2005, 11:51 PM
OK fill me in did I miss something where he indicated a Unix router was involved?


This will keep you busy for a bit:

You'll need FreeBSD 5.3. Get the CD's here:

ftp://ftp.freebsd.org/pub/FreeBSD/r...ISO-IMAGES/5.3/

You'll need "5.3-RELEASE-i386-disc1.iso". No need for disc2.

Download and burn to cd.

More coming.

Simplex3
05-04-2005, 01:50 AM
Ok, I've put the first several steps in the thread starter. I'll complete it tomorrow (hopefully). This should keep those of you doing it busy until I get back to it.

Braincase
05-04-2005, 05:11 AM
I just set up IE with trusted zones and content filtering. They have access to about a dozen sites. Voila!

htismaqe
05-04-2005, 05:15 AM
Well, it is a bit more complicated to shut down a process on a UNIX router, and if you turn the box off, no internet access.

Of course if they just unplug the network from it and plug into the cable modem, then you are hosed.

Not necessarily.

You can create profiles on the browser PC for each child and restrict them from having local admin rights.

Then you can put the filtering box in as an HTTP proxy, forcing all port 80 traffic to go to the Internet through it.

Then use Group Policies to disable the ability to edit the proxy setting in the Internet control panels and make sure that only local admins have the ability to edit Group Policies.

After all of that, a sufficiently hardened password (10-12 characters mixed) will prevent all but the most savvy kids from getting around it.

htismaqe
05-04-2005, 05:26 AM
There's some other ways to prevent the kids from physically bypassing the filter server.

1) Combine your cable gateway with the filter server.

I have a LinkSys all-in-one gateway so the cable modem is built right in to the router/firewall. It does keyword and URL filtering and if they shut it off, they shut off the cable modem. For this particular application, you could put a PCI DOCSIS 2.0 cable modem card right in your Linux box, creating the same kind of setup.

http://www.zoom.com/techsupport/cable/pci5001.shtml

2) Use network filtering.

Most cable modems anymore support MAC address filtering. Set the modem up to only allow connections from the MAC address of the filter server. If the kids plug the modem directly into the browsing PC, it won't work.

jarjar
05-04-2005, 07:17 AM
I've run some form of a linux router with that capability for nearly a decade. I'm a network administrator by trade so implementing things like this is my livelihood... that said, I don't use it at home. I just told my kids if they see something they know they aren't supposed to see they should close it, and I expect them to. I'm not sure if that's an authoritarian or a liberal viewpoint, but it makes sense to me.
Of course I also have comprehensive logging, just to be sure... but I almost never check it. My wife is more up on checking that stuff than me.
I guess in the end they will see things that will make me uncomfortable, but I figure it's all part of growing up.

C-Mac
05-04-2005, 07:34 AM
I've run some form of a linux router with that capability for nearly a decade. I'm a network administrator by trade so implementing things like this is my livelihood... that said, I don't use it at home. I just told my kids if they see something they know they aren't supposed to see they should close it, and I expect them to. I'm not sure if that's an authoritarian or a liberal viewpoint, but it makes sense to me.
Of course I also have comprehensive logging, just to be sure... but I almost never check it. My wife is more up on checking that stuff than me.
I guess in the end they will see things that will make me uncomfortable, but I figure it's all part of growing up.

Thats a little scary, how old are your kids?

Simplex3
05-04-2005, 01:04 PM
Anybody still with me here or have you all given up?

penguinz
05-04-2005, 01:13 PM
Now that you have this running are you going to setup Qmail with SA?

Simplex3
05-04-2005, 01:20 PM
Now that you have this running are you going to setup Qmail with SA?
I actually manage production web servers that are hosted as part of my company. I'm a Postfix/Dovecot/Amavisd/Spamassassin/ClamAV kind of guy. I store all the mail server info in a Postgres db so we can just use a php control panel we wrote. With Qmail it just seemed like everything was a freaking hack. Why?

Braincase
05-04-2005, 01:22 PM
Anybody still with me here or have you all given up?

You have given me new appreciation for ISA Server. All of a sudden configuring array policies seems a lot less painful.

Simplex3
05-04-2005, 01:25 PM
You have given me new appreciation for ISA Server. All of a sudden configuring array policies seems a lot less painful.
ROFL

Actually, we haven't even gotten to the firewall part... This is all OS setup.

It's really not as bad as it seems. Sit down and write up a Windows ISA 2k install click by click sometime, it's a hell of a lot longer than you think. I've done this FreeBSD setup dozens of times, frankly I'm a little shocked at how long the directions come out to be.

penguinz
05-04-2005, 01:27 PM
I have never had any luck with Postfix. On my home server I run Qmail with smtp-auth, vpopmail, binc-imap and qmailAdmin.

jarjar
05-04-2005, 01:36 PM
Thats a little scary, how old are your kids?

10 year old daughter and an 8 year old boy.

Simplex3
05-04-2005, 01:39 PM
I have never had any luck with Postfix. On my home server I run Qmail with smtp-auth, vpopmail, binc-imap and qmailAdmin.
We've had marvelous luck with Postfix. I ran Qmail for about 2 years before I made the move, so I have experience with both. The thing Postfix does so much better is allowing me to put software in the mail chain and giving me the ability to store accounts and account info externally. We set up new customers daily, so storing account info in flat files wasn't an option. We make a database entry and voila, new mail account is active in the system.

When I used Qmail I did get slightly better throughput but that can all be accounted to doing database lookups on a remote server in the Postfix setup.

Are you using pyzor or any other shared-blacklists? We've found them to be quite effective. At this point I average less than 1 spam email a day getting into my box and it's always tagged as potential spam. We also never get complaints of false positives.

penguinz
05-04-2005, 01:45 PM
Not using any shared-blacklists. Just a personal email server so have not worried too much about it.

Do you have a link to any guides that describes your setup?

Lzen
05-04-2005, 01:48 PM
Wow, that sounds like a lot of work. I just use a software content filter, iProtectYou. My kids are 12, 8, and 3. I may have to worry about it in the future but they don't have the know-how as of now to get around that.

Hoover
05-04-2005, 01:51 PM
So how will you surf for porn?

penguinz
05-04-2005, 01:53 PM
Don't think your 12 year old can't figure it out. Maybe even your 8 year old. I have a 3-year-old girl who can turn the computer on, put a dvd in and control the player with the mouse. She has been doing this for about 4 months already.

Simplex3
05-04-2005, 01:58 PM
So how will you surf for porn?
A user account with full outbound rights. Duh.

:D

Lzen
05-04-2005, 01:59 PM
Don't think your 12 year old can't figure it out. Maybe even your 8 year old. I have a 3-year-old girl who can turn the computer on, put a dvd in and control the player with the mouse. She has been doing this for about 4 months already.


My 12 year old is smart but he lacks the motivation to figure out something like that. My 8 year old isn't the sharpest tool in the shed. He's not dumb but he's not real smart like the oldest. Besides, I know the 12 year old hasn't figured it out because he keeps complaining about it. Turns out that you can't play Halo online with it on and occasionally it even blocks sites that I approve of.

Simplex3
05-04-2005, 02:02 PM
Don't think your 12 year old can't figure it out. Maybe even your 8 year old. I have a 3-year-old girl who can turn the computer on, put a dvd in and control the player with the mouse. She has been doing this for about 4 months already.
My daughter is 3 and just started hitting the web (noggin.com). I didn't want her accidentally getting into something she shouldn't.

In my case it was simpler than this, I already had the FreeBSD firewall/router up for my own use, I just had to add Squid and DansGuardian to it.

Simplex3
05-04-2005, 02:09 PM
Not using any shared-blacklists. Just a personal email server so have not worried too much about it.

Do you have a link to any guides that describes your setup?
I wish. It's a conglomeration of about 20 different guides and I didn't take the time to document it when I was doing it. Big rush you know. :(

I know the guide I used the most was up on postfix.org, but they don't seem to have any Postgres integration how-to's up there anymore.

I obviously have backups of my config files, and installing from the FreeBSD ports collection is easy, so I could replicate it pretty quickly. Not sure I remember a lot about WHY I did a lot of it, though.

penguinz
05-04-2005, 02:12 PM
...

htismaqe
05-04-2005, 02:26 PM
My daughter is 3 and just started hitting the web (noggin.com). I didn't want her accidentally getting into something she shouldn't.

In my case it was simpler than this, I already had the FreeBSD firewall/router up for my own use, I just had to add Squid and DansGuardian to it.

My 3-year-old loves noggin.com as well.

I just about shit my pants the other day when she popped in the Blues Clues CD and proceeded to type in her name...

penguinz
05-04-2005, 02:37 PM
It is amazing isn't it? I have had to child proof every piece of electronics in the house.

We got her a cd player for christmas so she could listen to her cd's in her room without forcing us to listen to them.