Re: Want to Block Porn sites in school LAN
@Firebird,
Or can we do packet forwarding to proxy server using untangle/windows server 2003?
From what I know of Untangle, no. Web content filtering does not have to be so needlessly complicated. If you want to do Deep Packet Inspection, be prepared to pay Cisco, Checkpoint etc. for their network layer firewalls. If you want to do Win2K3 Server based filtering, you will have to spend the money for a license of Microsoft's ISA Server.
As nowadays kids can install XP and boot using pen drives. They also know how to change IP addresses and proxy etc.
If you disable USB boot, perhaps even disable USB (via BIOS and Device Manager) and importantly do not give out Administrator rights, the ability to boot from USB and the ability to change IP address and proxy just vanishes. This is easily enforced through a Windows Group Policy.
Since Untangle is an application layer filter, there will be ways to bypass it. It takes a bit of determined effort though and you can make it increasingly difficult for your users to bypass Untangle.
How are your PCs connected?
a) LAN PCs ==> Proxy (Untangle) ===> Router ==> Internet
or
b) LAN PCs ==> Proxy (some other proxy server) ==> Untangle ==> Router ==> Internet
or
c) some other config. If so, what?
I have used IPCop (http://ipcop.org) which is similar and perhaps even more dated than Untangle to successfully implement web content filtering and it works well.
Off the top of my head, here's what I recall of a content filtering implementation with IPCop:
1. Set up IPCop as a proxy server.
2. Install the Advproxy and Urlfilter and Blockout Traffic addons for IPCop.
3. Block all protocols. Enable only the protocols you want to permit (http, pop, smtp etc.).
3. Create a list of LAN IP addresses in IPCop that should not be allowed access to the internet. These users will see a block page when they try to access the Internet.
4. Create a list of IP addresses in IPCop that should be allowed Internet access. These will be able to access the Internet but will be filtered by the IPCop Urlfilter addon.
5. Disable https, socks and other protocols you don't need (you might need a few iptables entries). If https cannot be disallowed, create a whitelist of sites for which https should be allowed.
6. Disable browser access using IP addresses. Lock down the hosts file on the PCs. You can also disallow Dynamic IP redirectors.
7. Force all users to use the IPCop firewall as their gateway. Set the browser to use the IPCop proxy.
8. Lock down your PCs by removing Administrator rights (else the gateway and proxy settings can be changed which will render all your efforts useless).
9. Set a strong password on the local and domain Administrator accounts.
10. Prevent USB boot via the BIOS and lock down the BIOS settings.
11. Prevent additional software installs other than software that you approve.
12. Optional - Use something like Microsoft Steady State (http://www.microsoft.com/downloads/...4b02-bd95-9d770ccdb431&displaylang=en&pf=true) to restore your PCs to a known good state once your students finish their sessions on their PCs.
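
The order of checks implied by the list above (deny list, allow list, permitted protocols, IP address as host, dynamic IP redirectors, https whitelist, URL filter), written out as an added Python example that is not part of the original post and is not IPCop's own code. All addresses, domains and names (`decide`, `is_ip_host`, `in_domain`, the policy constants) are constructed for illustration, so a planned rule set can be tried against sample requests before it is configured on the proxy.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample policy (private/documentation addresses, example domains).
DENIED_CLIENTS = {"192.168.1.50"}                     # LAN IPs with no Internet access
ALLOWED_NET = ipaddress.ip_network("192.168.1.0/24")  # LAN IPs with filtered access
HTTPS_WHITELIST = {"mail.example.edu"}                # only hosts allowed over https
REDIRECTOR_SUFFIXES = (".dyn.example",)               # dynamic IP redirector domains
URLFILTER_BLOCKLIST = {"blocked.example"}             # stand-in for a URL filter category


def is_ip_host(host):
    """True for IPv4/IPv6 literals and for numeric forms browsers resolve as IPv4."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        # A numeric or 0x-prefixed last label is treated as an address by browsers.
        last = host.rstrip(".").rsplit(".", 1)[-1]
        return last.isdigit() or last.startswith("0x")


def in_domain(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def decide(client_ip, url):
    """Return (allowed, reason) for one request, checking the rules in order."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if client_ip in DENIED_CLIENTS:
        return False, "client on deny list"
    if ipaddress.ip_address(client_ip) not in ALLOWED_NET:
        return False, "client not on allow list"
    if parts.scheme not in ("http", "https"):
        return False, "protocol not permitted"
    if not host or is_ip_host(host):
        return False, "IP address used as host"
    if host.endswith(REDIRECTOR_SUFFIXES):
        return False, "dynamic IP redirector"
    if parts.scheme == "https" and host not in HTTPS_WHITELIST:
        return False, "https host not whitelisted"
    if any(in_domain(host, d) for d in URLFILTER_BLOCKLIST):
        return False, "URL filter match"
    return True, "allowed (filtered)"
```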