From: vr on 26 Jul 2010 21:40

On Mon, 26 Jul 2010 21:09:44 -0400, "H.S." wrote:
>
> I am not familiar with ATT. Is your service ADSL or cable?
>

They call it VDSL.

>
> If your router does not have the features you desire, then you probably
> need to replace it. It may be replaced with a Debian machine working as
> a router. This will probably give you the maximum flexibility. I use
> this method and am quite satisfied with it. The machine needs to have
> two LAN interfaces to work as a router, one for WAN (internet) and the
> other for LAN. The other option is to buy a new router that has the
> desired features. I would recommend a Linksys or another router that is
> supported by DDWRT, OpenWRT or Tomato open source firmwares. Eventually
> it all depends on how much you make your current router do this for you.
>

I'm interested in more info about the two network card configuration like
you're running. I have spare parts laying around which could perform that
duty. Can you tell me what software package you are using to control the
traffic across your network cards? Is it GUI based? Can you define which
protocols you want to allow?

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/a53b5b827386b27dc044813d33d573ce(a)192.168.0.66

From: H.S. on 26 Jul 2010 23:20

On 26/07/10 09:39 PM, vr wrote:
> On Mon, 26 Jul 2010 21:09:44 -0400, "H.S." wrote:
>>
>> I am not familiar with ATT. Is your service ADSL or cable?
>>
>
> They call it VDSL.

Sorry, never used it. Do they give a modem for the connection?

>
> I'm interested in more info about the two network card configuration like
> you're running. I have spare parts laying around which could perform that
> duty. Can you tell me what software package you are using to control the
> traffic across your network cards? Is it GUI based? Can you define which
> protocols you want to allow?

Okay, here goes. But I would still say that for most cases, a router with
an open source firmware might be more than sufficient for most purposes.
The other advantage of such a router, as compared to a computer working as
a router, is its low power consumption since it has to remain powered on
for the traffic to flow. Besides, such routers are quite robust once
configured and quite immune to defects from power failures and, moreover,
there are no hard disks to worry about crashing.

My setup is the following:

                      ;-------.
tel line-->MODEM--->eth0     eth1---->SWITCH
                      |_______.wlan0--> <WLAN>
                      Router m/c

Here MODEM is my ADSL modem and "Router m/c" is my Debian box running as a
router. It has three interfaces, eth0 connects to the modem via an ethernet
cable, eth1 to a switch via a cable and wlan0 provides my wireless LAN
access point (using hostapd with my Dlink card).

I have configured my eth0 as 192.168.0.0/24 network device, eth1 as
192.168.1.0/24 network device and wlan0 as 192.168.5.0/24. They can be on
any three different private subnets.

The software I use for the machine to act as a router is iptables with
ip_forwarding enabled (this makes the machine as a gateway router). And the
various rules (for filtering or port forwarding or blocking) are also done
using iptables.

There are many applications that can be used to create the desired iptables
rules. I use my own bash script. I am thinking of playing with a GUI option
when I get some time. I hear Firestarter is a good choice. There is one
called fwbuilder as well. A command line firewall is shorewall. Most of
these tools actually make it easier to generate the iptables rules that one
would otherwise need to create by hand. If you do a google search, you can
find many choices for this and detailed how-to's.

Besides this, I also use dnsmasq as a dhcp server on the router machine and
this allows LAN clients to connect as dhcp client. Very useful application.

Other than this, I also have an OpenVPN server setup so that my home users
can connect to it from outside to have secure and encrypted traffic.

I must mention here that all this can usually also be done using the usual
consumer router devices and an open source firmware (and sometimes even
with their stock firmwares), but with much less pain than setting up your
own internet gateway with a computer with iptables filtering.

If you have any further questions, feel free to ask.

Regards.

--
Please reply to this list only. I read this list on its corresponding
newsgroup on gmane.org. Replies sent to my email address are just filtered
to a folder in my mailbox and get periodically deleted without ever having
been read.

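The gateway described in the message above, sketched as an added example (not H.S.'s own script, which the thread does not show): a shell function that emits an iptables-restore ruleset with MASQUERADE on eth0 and a default-drop FORWARD chain, so LAN clients get out only on listed protocols. The interface names come from the message; the allowed-port list, the log prefix and the function name are assumptions.

```shell
#!/bin/sh
# Added example. eth0/eth1/wlan0 are from the thread; the policy list
# below is a constructed assumption, not anyone's real configuration.
WAN_IF="eth0"
LAN_IFS="eth1 wlan0"
ALLOWED_OUT="udp/53 tcp/53 tcp/80 tcp/443 udp/123"   # proto/port pairs

# Print an iptables-restore ruleset; return 1 on a malformed policy entry.
gen_ruleset() {
    policy=${1:-$ALLOWED_OUT}
    for e in $policy; do
        case "$e" in
            tcp/*|udp/*) ;;
            *) echo "bad entry: $e" >&2; return 1 ;;
        esac
        port=${e#*/}
        case "$port" in ''|*[!0-9]*) echo "bad port: $e" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            echo "port out of range: $e" >&2; return 1; }
    done
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for lan in $LAN_IFS; do
        # dnsmasq on the router: DNS and DHCP from LAN clients only.
        # Admin access (e.g. SSH from the LAN) must be added separately.
        echo "-A INPUT -i $lan -p udp -m multiport --dports 53,67 -j ACCEPT"
        echo "-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT"
        for e in $policy; do
            echo "-A FORWARD -i $lan -o $WAN_IF -p ${e%/*} --dport ${e#*/} -m conntrack --ctstate NEW -j ACCEPT"
        done
        # Rate-limited log of outbound traffic the policy is about to drop.
        echo "-A FORWARD -i $lan -o $WAN_IF -m limit --limit 6/min -j LOG --log-prefix \"out-blocked: \""
    done
    echo "COMMIT"
}
# Check before loading:  gen_ruleset | iptables-restore --test
# Forwarding itself is enabled with:  sysctl -w net.ipv4.ip_forward=1
```

Anything not on the list, including a browser pointed straight at a non-standard port, falls through to the FORWARD chain's DROP policy without any proxy setting on the client.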
From: Andrei Popescu on 27 Jul 2010 03:20

On Lu, 26 iul 10, 23:12:48, H.S. wrote:
>
> I have configured my eth0 as 192.168.0.0/24 network device, eth1 as
> 192.168.1.0/24 network device and wlan0 as 192.168.5.0/24. They can
> be on any three different private subnets.

Or use bridge-utils so you have only one interface on the private side.
It makes configuration easier for all services, unless you want to
separate the wireless and wired lan on purpose (security?).

> The software I use for the machine to act as a router is iptables
> with ip_forwarding enabled (this makes the machine as a gateway
> router). And the various rules (for filtering or port forwarding or
> blocking) are also done using iptables.
>
> There are many applications that can be used to create the desired
> iptables rules. I use my own bash script. I am thinking of playing
> with a GUI option when I get some time. I hear Firestarter is a good
> choice. There is one called fwbuilder as well. A command line
> firewall is shorewall. Most of these tools actually make it easier
> to generate the iptables rules that one would otherwise need to
> create by hand. If you do a google search, you can find many choices
> for this and detailed how-to's.

+ 1 for shorewall, especially if you don't want/need a GUI.

> Besides this, I also use dnsmasq as a dhcp server on the router
> machine and this allows LAN clients to connect as dhcp client. Very

+ 1 for dnsmasq. Very easy to configure and provides DNS caching and
DHCP in one.

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic

From: Rob Owens on 27 Jul 2010 17:40

On Mon, Jul 26, 2010 at 09:39:08PM -0400, vr wrote:
> On Mon, 26 Jul 2010 21:09:44 -0400, "H.S." wrote:
> >
> > I am not familiar with ATT. Is your service ADSL or cable?
> >
>
> They call it VDSL.
>
> >
> > If your router does not have the features you desire, then you probably
> > need to replace it. It may be replaced with a Debian machine working as
> > a router. This will probably give you the maximum flexibility. I use
> > this method and am quite satisfied with it. The machine needs to have
> > two LAN interfaces to work as a router, one for WAN (internet) and the
> > other for LAN. The other option is to buy a new router that has the
> > desired features. I would recommend a Linksys or another router that is
> > supported by DDWRT, OpenWRT or Tomato open source firmwares. Eventually
> > it all depends on how much you make your current router do this for you.
> >
>
> I'm interested in more info about the two network card configuration like
> you're running. I have spare parts laying around which could perform that
> duty. Can you tell me what software package you are using to control the
> traffic across your network cards? Is it GUI based? Can you define which
> protocols you want to allow?
>

I have a Debian-based firewall at home. I used fwbuilder to create all
the iptables rules. I like it a lot. It's very flexible.

-Rob

From: Michal on 28 Jul 2010 04:50

On 27/07/10 00:38, vr wrote:
> What is a good utility to block outbound traffic on the home network?
> Ideally it will not need to be set in a browser's proxy setting to be
> effective.
>

Cheap old PC, two nics, stick OS of choice on, create firewall rules,
install squid, setup, use this as your new default gateway, done. I easily
did this with OpenBSD, PF and Squid and it can be done in no time at all.
I never tried it with Debian but you can quite easily do it with that.

You would end up with something similar to;

Modem -> Gateway -> Switch -> Clients