Restricting Internet - firewall?

Tags:
  • Firewalls
  • Networking
  • Internet
December 26, 2013 6:14:09 AM

Greetings! I hope someone will be able to help.

We're a small monastery. And due to this, we need to implement some Internet filtering. Unfortunately, it's not the basic kind of filtering. Frankly, I'm not sure that all of what we're looking to do can be done. But I'm at a loss about where I can look for this information.

At the moment, we've got a basic network, the kind you'd find in a family home: DSL modem-router, a bunch of Ethernet hubs, and a whole bunch of cables.
The computers are mainly running Fedora Linux. There are 3 Windows stations, and 2 OS X stations.

The perfect solution is to be able to have 1 network, where there are 2 or 3 rooms where the Internet is accessible. And, those who have laptops, that they can bring their laptop to these rooms, and have Internet access, but NOT have access while connected to the network in other places. (Complicated, I know).

If that's not possible, ok. (Frankly, I don't think it is, but am very open to suggestions).

What we really do need is to be able to allow an Internet connection, restrict basically all web-surfing, while allowing e-mail, Skype, and updates. The updates are my biggest problem. We already have a rule established on the modem-router that blocks surfing activity at night, but still allows e-mail and Skype. Yet, this rule also blocks the Apple App Store updates.

So, I'm wondering if we get OSX server, would this help the situation? Where can I get more info about OSX server's filtering capabilities?
If we can't establish all the blocking that we need, then it'd be great if we could have some type of report of each person's activity.

Thanks for the help!


December 26, 2013 6:27:27 AM

If you're willing to invest in a standalone firewall box, any one of a number of Linux-based server applications can do what you need.

Currently here at home, I'm using Untangle. The basic set is free, and can run on quite low-power equipment. Mine is running on an old Compaq I got for $50 on Craigslist.
Almost everything in the house goes through that box, in and out. If it doesn't like it...you may not pass.

Filter different types of traffic, and by IP address, detailed reports of what a particular IP or PC does, anti-virus, etc, etc, etc.
December 26, 2013 6:31:47 AM

Gee... Now this is quite interesting. Thanks so much for the help. There's a few things that I don't quite follow though. First... you say "invest". This leads me to believe two things: a hardware option is rather costly, and #2, there are other possibilities.

Is that true? If there are other possibilities, I'd love to find out more about them.

I'm far from being a newbie. I just don't have that much advanced networking experience.
December 26, 2013 6:38:13 AM

BrDavid said:
Gee... Now this is quite interesting. Thanks so much for the help. There's a few things that I don't quite follow though. First... you say "invest". This leads me to believe two things: a hardware option is rather costly, and #2, there are other possibilities.

Is that true? If there are other possibilities, I'd love to find out more about them.

I'm far from being a newbie. I just don't have that much advanced networking experience.


Well..by 'invest', it's mostly a matter of time spent. The software I mentioned is free, and the actual hardware can be quite inexpensive.
As said, mine is running on an old 2005 era Compaq I paid $50 for. Has been running 24/7 for several years, with zero changes or problems. I have 10+ devices connected to it, and unless you run afoul of one of the rules, you never know it is there. When you do hit something in the blocked ruleset, it throws up a "This is blocked" page. And you can only get around it if you know the password.

All it needs is two NICs. One to talk to the outside world, and one to talk to the internal network.
December 26, 2013 6:42:10 AM

Ok. Sounds great so far. But I can't figure out how this is going to handle the physical restrictions. Meaning, me with my laptop, if I'm connected to the network in my room: there should be NO outside connection, just internal stuff. BUT, if I take my laptop to the office, or computer room, then I should be able to connect it to the network, and have access to the outside world.
December 26, 2013 6:47:39 AM

BrDavid said:
Ok. Sounds great so far. But I can't figure out how this is going to handle the physical restrictions. Meaning, me with my laptop, if I'm connected to the network in my room: there should be NO outside connection, just internal stuff. BUT, if I take my laptop to the office, or computer room, then I should be able to connect it to the network, and have access to the outside world.


I think that could be done with two different routers and subnets.
'Anything coming from this router can do X' and 'anything coming from that router can only do Y'

NOTE: I've not tried this particular setup, but I see no real reason it wouldn't work.
December 26, 2013 6:53:30 AM

Well, I've thought of that too. But that means two separate networks, and no interaction between them. Right?

Of course that would do the trick. However, we don't have a server. We've only got the one modem-router provided by the ISP.

I've been checking out that Untangle website. Looks fantastic as an option. Do you know much about the virtual racks? Perhaps that might do the trick. Also, what are the chances that an Ethernet hub has an IP address? I've never heard of them having one... but before now, I've needed them to have one.
December 26, 2013 7:02:48 AM

BrDavid said:
Well, I've thought of that too. But that means two separate networks, and no interaction between them. Right?

Of course that would do the trick. However, we don't have a server. We've only got the one modem-router provided by the ISP.

I've been checking out that Untangle website. Looks fantastic as an option. Do you know much about the virtual racks? Perhaps that might do the trick. Also, what are the chances that an Ethernet hub has an IP address? I've never heard of them having one... but before now, I've needed them to have one.


You could also filter/allow by individual IP address. Each PC gets a static address, assigned by the DHCP server. Non-changeable by a standard user.
192.168.1.21 cannot do x, y, and z, while 192.168.1.82 can do x, y, z and a, b, c as well.


A hub/switch doesn't have its own IP address. It is mostly a passthrough device.
Routers do have their own IP.

The 'virtual rack' is just a graphical representation of what features/functions the firewall is doing.
December 26, 2013 7:06:57 AM

I get it. So then using what I know about establishing wireless networks...

We could get a couple of routers, and use them as bridges. Then they should have their own IPs, right? If that's the case, then we should be able to restrict the physical router's web access, without doing anything to the individual computer. Is that right? It almost sounds too good to be true.

Something else interesting that you mentioned: each PC gets its own static IP, unchangeable by the user... what's to prevent the user from changing his IP? I hope this wasn't a stupid question...
December 26, 2013 7:15:09 AM

BrDavid said:
I get it. So then using what I know about establishing wireless networks...

We could get a couple of routers, and use them as bridges. Then they should have their own IPs, right? If that's the case, then we should be able to restrict the physical router's web access, without doing anything to the individual computer. Is that right? It almost sounds too good to be true.

Something else interesting that you mentioned: each PC gets its own static IP, unchangeable by the user... what's to prevent the user from changing his IP? I hope this wasn't a stupid question...


1. Yes. Each router would have its own IP. Rules in the firewall could restrict traffic from that particular IP address, no matter what is connected to it.

2. For a static IP address on an individual PC....no admin rights = the user can't change it. And if you have the DHCP server set to only allow certain IP addresses, even if they DO change it....no network access.
For instance. If the system is set to give out addresses in the range of 192.168.1.50 - 192.168.1.60...setting it to 192.168.1.61 (outside that range) gets nothing. No network.
December 26, 2013 7:20:34 AM

Aha... I get it. You've been an immense help! Those DHCP settings... are those standard (sorry, don't have my head wrapped around it) or do they come from Untangle?

And... earlier, you said that the PC running Untangle needs two connections: an IN and an OUT. How in the world does the computer know the difference? And if the physical computer needs two connections... then I guess an old Mac Mini we've got lying around won't do the trick. Or... could it if I attach a small Ethernet hub to it?
December 26, 2013 7:30:28 AM

BrDavid said:
Aha... I get it. You've been an immense help! Those DHCP settings... are those standard (sorry, don't have my head wrapped around it) or do they come from Untangle?

And... earlier, you said that the PC running Untangle needs two connections: an IN and an OUT. How in the world does the computer know the difference? And if the physical computer needs two connections... then I guess an old Mac Mini we've got lying around won't do the trick. Or... could it if I attach a small Ethernet hub to it?


It just needs two NICs. One maybe on the motherboard (very typical), and one in a PCI slot. A PCI NIC is maybe $15.
During the setup, you designate which NIC does what. Onboard = External, PCI card = internal. Or the other way around. The software then takes care of it. As said...I've had this running here at home (similar size network) for years, without issue. It is actually easier to set up than it sounds.

And it provides a whole lot of filtering capabilities.
For instance - the 'Spyware Blocker': 4,735,705 pages scanned, 214,557 spyware attempts blocked.


For the DHCP - the firewall can handle it. It has its own DHCP server built in.
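The design worked out above (two NICs, a per-subnet "this router can do X, that router can only do Y" policy, per-address rules, and a default that gives an unknown address nothing) can be written down as one Linux firewall ruleset. The script below is an added example, not code from the thread or from Untangle; it assumes hypothetical names (eth0 facing the modem-router, eth1 facing the inside, 192.168.1.0/24 for the office/computer room, 192.168.2.0/24 for the rooms behind the second router) and only models mail, DNS and web, not Skype.

```shell
#!/bin/sh
# Added example, not from the thread: emit an nftables ruleset for a
# two-NIC Linux firewall box of the kind described above.
# Assumed (hypothetical) names: eth0 faces the modem-router, eth1 faces
# the internal network; 192.168.1.0/24 is the office/computer-room subnet,
# 192.168.2.0/24 is the rooms subnet (behind the second router).
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
OFFICE_NET="${OFFICE_NET:-192.168.1.0/24}"
ROOMS_NET="${ROOMS_NET:-192.168.2.0/24}"
# Mail ports the rooms may still reach: SMTP, submission, IMAP/POP (plain and TLS).
MAIL_PORTS="25, 465, 587, 143, 993, 110, 995"

gen_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain forward {
    # Default drop: a host on an address outside the two subnets (for
    # example one set by hand) is simply never forwarded.
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Office / computer room: full Internet access.
    iifname "$LAN_IF" ip saddr $OFFICE_NET oifname "$WAN_IF" accept
    # Rooms: DNS and mail only; web is logged (the activity report) and dropped.
    iifname "$LAN_IF" ip saddr $ROOMS_NET oifname "$WAN_IF" udp dport 53 accept
    iifname "$LAN_IF" ip saddr $ROOMS_NET oifname "$WAN_IF" tcp dport { $MAIL_PORTS } accept
    iifname "$LAN_IF" ip saddr $ROOMS_NET oifname "$WAN_IF" tcp dport { 80, 443 } log prefix "rooms-web-blocked: " drop
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}

# Sanity check: how many accept rules does the rooms subnet get? (DNS + mail = 2)
rooms_accept_count() {
  gen_ruleset | grep -c "ip saddr $ROOMS_NET .* accept"
}

# Usage on the firewall box (as root): write the file, syntax-check it, then load it.
#   gen_ruleset > /etc/nftables.conf && nft -c -f /etc/nftables.conf && nft -f /etc/nftables.conf
```

App Store updates travel over port 443, so on the rooms subnet they are dropped together with the rest of the web, which is exactly the conflict the opening post describes; with this layout updates are done from the office subnet.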
December 26, 2013 8:45:20 AM

Thank you so much. This has been a mountain of helpful information! At least now it seems I've got a good start about how to proceed. God bless!
December 26, 2013 8:48:06 AM

BrDavid said:
Thank you so much. This has been a mountain of helpful information! At least now it seems I've got a good start about how to proceed. God bless!


Press on proudly, and good luck!