 From:  Chris Olive <chris at technologEase dot com>
 To:  Craig <news at craigio dot co dot uk>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Blocking Web addresses
 Date:  Sun, 01 Aug 2004 18:27:04 -0400
Craig wrote:

>Hello, I am looking for a solution to control the ability of blocking
>websites, or shall I say block all and allow certain authorised websites.  I
>like the compactness of M0N0Wall,  and I am wondering if there is a way of
>doing this with this system.  Any ideas?
IMO, it would be really painstaking to do this using m0n0wall.  MW is 
great for what it was meant to do.

The better way would be to use MW to block all out-going traffic on port 
80 (and any other proxy-specific ports if you *really* want to lock down 
your network and prevent connections to outside "public proxy servers" 
from savvy internal users -- ports like 3128, 8080 and 6588).  Then set 
up a proxy server to proxy allowed requests for your internal users.  It 
sounds also like you are wanting to run a "whitelist" proxy server.  
Squid works great for this and will run on commodity hardware (somewhat 
-- memory and hard-drive space are somewhat at issue depending on the 
traffic you want to proxy).  If you want something a bit more flexible 
than a whitelist proxy server, look into Dan's Guardian.  DG and Squid 
can be made to work together also.

I run a whitelist Squid proxy server at home on a mini ITX footprint 
machine that is *almost* as compact as MW on Soekris.  See 
http://www.mini-itx.com and look at their self-build Cupid boxes for an 
example of what I'm talking about.  (I didn't buy mine from that site 
however.)  Very nice solution and leaves MW to do the firewalling work 
and my Squid box to do the proxying work.  This is the solution I would 
recommend.

(I just saw you are in the UK; http://www.mini-itx.com is UK based, 
ironically so it could make sense for you to use them if you decide to 
go this route.)

chris
-----
Chris Olive
chris at technologEase dot com
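A minimal whitelist squid.conf for the split described in this thread (m0n0wall blocks direct outbound 80/3128/8080/6588, Squid allows only listed sites). This is an added illustration, not Chris's configuration; the LAN range, the whitelist file path and the listen port are assumptions.

```conf
# Assumed LAN range (constructed for this example)
acl localnet src 192.168.1.0/24

# Whitelist file, one domain per line; a leading dot matches subdomains, e.g.
#   .example.com
# Path is an assumption.
acl allowed_sites dstdomain "/usr/local/etc/squid/whitelist.txt"

# Ports clients are permitted to reach through the proxy
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Refuse anything not on a safe port before any allow rule
http_access deny !Safe_ports

# Only LAN clients, and only to whitelisted domains (dstdomain also
# covers the host named in a CONNECT request, so HTTPS is whitelisted too)
http_access allow localnet allowed_sites

# Everything else is denied; the firewall rule blocking direct outbound
# port 80 is what stops clients from simply bypassing this proxy
http_access deny all

# Proxy listen port (assumed); clients point their browser here
http_port 3128
```

Rule order matters: Squid evaluates http_access lines top to bottom and stops at the first match, so the deny-all line must stay last.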