
fbsd as a gateway and running a web content filter

Status
Not open for further replies.

compnut24

Technical User
Jun 11, 2001
67
US
Hi, I'm very new to FreeBSD, and I am going to be setting up a small (4 node Windows) home network. Any pointers/tips? What do I need to configure in my kernel?

Also: I'm 16, and I have 2 younger siblings (10, 9) and they both will have networked computers in their room. My mother wants me to install a web filter on the gateway. When they try to access a bad site, a page will be displayed telling them they can't access it, and a form to enter a manual override pass will be displayed. How do I go about doing this?
 
Congratulations on beginning a nice project with FreeBSD.

I can help you with the network and gateway, but I haven't specifically done any content filtering, although FreeBSD should have no trouble doing it with the right software.

To start with, I imagine you are planning to use FreeBSD as a NAT firewall, right? So this way you can use it to share your internet connection with the other computers. This is the configuration I am running at home, using two ethernet cards; one to the DSL modem, and the other to my internal hub, with private 192.168.x.x IPs. You can use ipfw or ipfilter to accomplish this, running the natd daemon. I am more familiar with ipfw. I know that theoretically ipfilter has more functionality, but I think ipfw is easier, and less likely to cause trouble.

For either of these, you will need to recompile the kernel. Here are a couple of links that should help you with that part:

(start here)

For the content filtering, you might look at this thread. It looks like your best bet is something involving the Squid Web Proxy Cache, which is part of the FreeBSD ports collection.
I personally think you are going to have a difficult time with a home-grown content-filtering solution. Your best bet will probably be to subscribe to one of the "smut database" services, which can supply you with a list of hostnames and domains to block. Also, the only way to really prevent obscene content is to set up a system that defaults to a "deny" status for any unknown hosts, and you just gradually build up a list of websites that your siblings are *allowed* to visit. (Yes, I know this could end up being a real pain).

A possibly simpler approach might be using 'fear' tactics: ipfw can log every single website visited by any of the computers on your network. Just tell your family that the server will "tell all", and thus rely upon the fear of detection to keep them away from bad sites. (Of course, the main problem with that is that it's not always easy to tell where a certain link might lead, and if it leads to a porn site, the user will get presented with 50 million pop-up windows to different sites before he or she can click the "close" button.)

Anyway, I hope this provides you some direction. Please feel free to ask any more questions as you go.
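
The difference between a blocklist and the default-deny allowlist described in the post above, as an added example that is not part of the original thread. All hostnames and list entries are constructed, and the leading-dot convention for covering subdomains is borrowed from Squid's `dstdomain` ACL type.

```python
# Added example: blocklist vs. default-deny allowlist decisions for a
# filtering proxy. All hostnames and list entries are constructed sample data.

def normalize(host):
    """Lower-case the host, drop a :port suffix and a trailing dot."""
    host = host.strip().lower()
    if host.count(":") == 1:          # host:port (IPv6 literals not handled)
        host = host.split(":", 1)[0]
    return host.rstrip(".")

def matches(host, entry):
    """'.example.org' covers example.org and subdomains; 'example.org' only itself."""
    entry = entry.lower()
    if entry.startswith("."):
        base = entry[1:]
        # endswith() includes the dot, so 'notexample.org' does not match
        return host == base or host.endswith(entry)
    return host == entry

def blocklist_decision(host, blocked):
    """Default allow: anything not listed gets through."""
    host = normalize(host)
    return "deny" if any(matches(host, e) for e in blocked) else "allow"

def allowlist_decision(host, allowed):
    """Default deny: unknown or empty hosts are refused."""
    host = normalize(host)
    return "allow" if host and any(matches(host, e) for e in allowed) else "deny"

BLOCKED = [".badsite.example"]
ALLOWED = [".kids-encyclopedia.example", "homework.school.example"]

REQUESTS = [                          # constructed request hosts
    "www.kids-encyclopedia.example",
    "HOMEWORK.school.example:80",
    "www.badsite.example",
    "brand-new-unlisted.example",     # unknown host: the case that matters
    "notkids-encyclopedia.example",   # look-alike that must not match
]

def compare(requests=REQUESTS):
    return [(h, blocklist_decision(h, BLOCKED), allowlist_decision(h, ALLOWED))
            for h in requests]

if __name__ == "__main__":
    for host, bl, al in compare():
        print(f"{host:32} blocklist={bl:5} allowlist={al}")
```

The last two sample hosts pass the blocklist but are refused by the allowlist, which is the gap the default-deny setup closes.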
 
Hi, thanks for your response!
I haven't set up my system yet. I will be doing so today when I get my 850MB hdd, so I was just going to configure my kernel on install. Yes, I had planned a NAT firewall configuration. Thanks for the links. Also, cat 5 is 10/100, no matter where you buy it from, correct?

Thanks.
 
Hi, one more question. I will be running my internet through a standard 56k external modem (at least until I get my cable connection in about 5 months when they give me access out here... argg). I probably should have mentioned that. Anyway, the first URL that I visited said that if I was running PPP, I wouldn't have to use NAT. Is this true, and why wouldn't I?
 
Oops. Again, an area that I have not dealt with. I have only used FreeBSD in a full ethernet setting.

Yes, apparently there is another way to accomplish internet sharing with PPP. I haven't touched this, but will provide any help I can. Basically, the thing to do is follow whatever links provide HOWTOs in that area, and sooner or later you'll find a nice short explanation of how to do that.

You might want to use NAT anyway, though, because it probably provides more rules/logging functionality, and you won't have to completely change your configuration when you move to cable (in case you haven't dealt with this, make sure to request an external cable modem, with a standard ethernet interface. If they say they don't support Unix, just tell them you have a Mac ;-)).

Actually, your cable modem might also use PPP. Many cable/DSL providers are now using a newer thing, called PPPoE (PPP over Ethernet), so you might not need NAT at all.

Yes, standard cat 5 cable should handle 10/100 just fine. I don't know if NAT support is one of the standard configuration choices on install. I recommend doing a standard install and then a recompile, because then you can always "roll back" to a previous kernel if there's a problem. It's good experience to compile a kernel, and you'll find it fun. And if you read the "LINT" file, there are a lot of options you can take advantage of to optimize your kernel for a Pentium, 486, or whatever.
 