Hi Paul,

On Tue, 2004-03-30 at 17:53, Paul Crookes wrote:
> >From: Juan P. Ruiz [mailto:JP at subnetangel dot com]
> >
> >Hey guys, I need to block hotmail and yahoo. Now I was able to do it by
> >blocking each individual address that is registered to hotmail and yahoo,
> >but is there an easier way??? Thanks
>
> put a proxy server on the lan side of m0n0 and run dansguardian or
> squid-guard on it. And then on the m0n0 box just deny all traffic from
> lan, and only accept it from the proxy server :)

I'm in the process of building a "filter" box for my client LANs. What I will do is have a firewall such as m0n0wall, SmoothWall, Cisco, or whatever is appropriate connected directly to the Filter PC, and then the 2nd NIC in the Filter PC connected to the switch with the LAN (servers and workstations) attached there. If I install a m0n0wall firewall, it will be on a net4501 or net4801.

I'm doing this for a few reasons: firstly, I don't believe that a million different applications belong on a firewall. Secondly, to take a load off the firewall machine so that a net4501 can handle all the traffic. Thirdly, to take load off the internal LAN servers. And finally, to have a more secure system than just a firewall protecting the internal Microsoft LAN.

I don't think it's appropriate to have an IDS running on a firewall, as you EXPECT the firewall will suffer a lot of hits. If this IDS plugs into the firewall rules and can automatically create drop/allow rules based on the number and rate of hits from remote networks, then it may be partially useful, but if it just looks and reports, then it is practically useless - actually worse, as it is chewing a lot of the firewall computer's resources to provide no real benefit. Running an IDS on the Filter PC is a much more sensible place than on the firewall itself. Anything logged there will need to be investigated, because it has managed to pass through the firewall. With a decent firewall, the IDS logs should remain empty.
I also don't think that squid on a firewall is a really appropriate place for a web cache. Running this on the Filter PC will allow me to run applications such as squidGuard, squirm, viralator and so on that can assist in content filtering as well as download filtering. Relating to the original mail question starting this thread, here is where I would be blocking Hotmail, Yahoo, Kazaa, etc. I'm also looking at ways to smb-auth the squid access, so only allowing internal users access to the Internet after being authorized by AD, and then applying time and/or site limits as appropriate.

I can also run qmail/postfix on the Filter PC to proxy mail before it is passed on to the internal Exchange 2003 (or whatever) mail server. This has a number of benefits, but mainly allowing MailScanner, spamassassin, clamav, amavisd or similar to be run as plugins to the mail server, resulting in a large reduction in virus- and spam-infested emails making it into the LAN, further resulting in less load being placed on the LAN Mail Server (Exchange 2k3, etc.). Outbound mail can also then be passed through these filters, ensuring no-one can send viruses or spam from your system.

Another thing that could then be run on the Filter PC is IPSEC VPN. This would take the processing load off the firewall and internal server. If I were to set this up, I'd likely run the m0n0wall in bridging mode to eliminate one more NAT traversal for the internal LAN. Maybe in 1:1 NAT mode, or maybe in normal NAT mode. Don't know, as I haven't thought this bit out fully yet.

If anyone has any thoughts on this setup, or other ways to block particular web addresses/IPs and spam/viruses, then by all means reply!
-- 
Regards,

Hilton Travis                    Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual       Phone: +61-(0)419-792-394
Quark Computers                  http://www.QuarkAV.com/
(Brisbane, Australia)            http://www.QuarkAV.net/
Open Source Projects: http://www.ares-desktop.org/ http://www.mamboband.org/
Non Linear Video Editing Solutions & Digital Audio Workstations
Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
Conference and Seminar AudioVisual Production and Recording

War doesn't determine who is right. War determines who is left.
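The "easier way" the thread converges on is a domain-based block on the proxy rather than chasing Hotmail's and Yahoo's individual IP addresses. The helper below is an added example, not code from the list post or from squidGuard; it shows the mechanism squidGuard implements (suffix matching of the request host against a domain list) as a minimal Squid redirector so that every host under hotmail.com or yahoo.com is caught, while look-alike names such as nothotmail.com are not. Assumptions not taken from the post: the helper speaks the classic Squid redirector line protocol (one request per line on stdin, "URL client_ip/fqdn ident method"; one reply line per request, blank to pass through or "302:URL" to redirect), the block list is constructed here for illustration, and the block-page URL is hypothetical.

```python
#!/usr/bin/env python3
"""Minimal Squid URL-rewrite (redirector) helper that blocks web-mail domains.

Added example for the m0n0wall list thread above; not code from the post or
from squidGuard. Block decisions are made on the request host by domain
suffix, so no per-site IP enumeration is needed.
"""
import sys
from urllib.parse import urlsplit

# Constructed block list (squidGuard would read this from a domains file).
BLOCKED_DOMAINS = ("hotmail.com", "msn.com", "passport.com",
                   "yahoo.com", "kazaa.com")

# Hypothetical block page on the Filter PC (assumption, not from the post).
BLOCK_PAGE = "http://filter.example.internal/blocked.html"


def host_of(url):
    """Return the lower-cased host part of a request URL.

    Handles full URLs ("http://host:port/path"), CONNECT requests, which
    Squid hands to the redirector as bare "host:port", userinfo, and
    bracketed IPv6 literals.
    """
    hostport = url if "://" not in url else urlsplit(url).netloc
    hostport = hostport.rsplit("@", 1)[-1]          # drop user:pass@
    if hostport.startswith("["):                     # [v6addr]:port
        return hostport[1:hostport.index("]")].lower()
    return hostport.split(":", 1)[0].lower().rstrip(".")


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host equals a blocked domain or is a subdomain of one.

    The leading dot in the endswith() check is what stops "nothotmail.com"
    from matching "hotmail.com".
    """
    return any(host == d or host.endswith("." + d) for d in blocked)


def decide(line):
    """Turn one redirector request line into the reply Squid expects.

    Input format (assumed classic protocol): "URL client_ip/fqdn ident method".
    Returns "" to pass the request unchanged, or "302:<block page>" to
    redirect the client to the block page.
    """
    fields = line.split()
    if not fields:
        return ""
    if is_blocked(host_of(fields[0])):
        return "302:" + BLOCK_PAGE
    return ""


def main():
    # Squid keeps the helper running and waits for exactly one reply line
    # per request, so flush after every answer.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wire it in with `redirect_program` on Squid 2.5 (the version current when this thread was written) or `url_rewrite_program` on later releases, and pair it with the firewall side of Paul's suggestion: a LAN rule on the firewall that allows outbound web traffic only from the proxy's address, so workstations cannot bypass the filter by talking to the Internet directly. The same suffix-matching routine is what you would extend with a time-of-day or per-user check once the SMB/NTLM authentication mentioned above is in place.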