LAN, Internet filtering, 'walk-away' firewall solution

Status
Not open for further replies.

GKChesterton

Programmer
Aug 17, 2006
278
US
Can a hardware firewall be administered/locked discretely, so client PC admins are unable to access it? Can the person with access lock it and walk away, leaving the client users able to do everything except tamper with the firewall settings?

I am a beginner-proficient Ubuntu Ibex user. My experience is not from the server admin side of things.

I am graduating to LAN administration. I'll oversee 3-6 computers running Ubuntu. Users must be able to administer their computers to a large degree.

Wireless LAN will connect all computers to the Internet. Internet browsing must be filtered. (I currently use DansGuardian, tinyproxy, firehol for a single PC; DansGuardian serves perfectly.) It's strictly (legally) required that no one be able to tamper with the filtering.

Each user understands OS Linux and will be learning more, but no one is extremely knowledgeable. If a solution can be considered 98% tamper-proof for non-experts, that is good enough. There's no assurance that someone won't boot their PC from an external device. It IS assured that no one will get to a different network connection.

The firewall unit will be physically locked away. THAT'S MY HEADACHE, actually. Once it's going, getting physical access is going to be inconvenient, as I'm basically one of the prisoners. So my solution needs to be reliable.

I assume that a PC must be dedicated for this purpose (that seems necessary, given discrete admin access). I don't have a lot of money for this, but I have a bare-bones PC and a hundred bucks.

So, to return to my summary at top: I want to be able to configure a firewall so the users can admin their own PCs but not roam the Net, and I need a reliable solution I won't have to fiddle with once it's going. Will an external firewall give me that? Must it be a running PC (or is there a 'black box' hardware solution)? Can anyone give me starter tips or how-to links? Does the Ubuntu repository have any good tools?

If we knew what it was we were doing, it would not be called research database development, would it? -- Albert Einstein
 
Unless you have a 3rd party install and maintain your firewall, someone within your company will have the ability to remotely administer the firewall (change the filters). It is technically possible to limit access to direct physical access to the computer, but I haven't seen that done in many years and I can't think of anything short of a Cisco PIX that will make that easy on you.

However, with the money that you have, you are really looking at a Linux firewall anyway. If you don't have your wireless AP already, or are willing to part with the one that you have, DD-WRT or OpenWRT are probably your best solutions. You can buy compatible wireless access points on eBay and flash them with WRT to give you the firewall solution that you are looking for.

Your other option is to buy a 2nd (and maybe 3rd) NIC for your PC and run a Linux firewall like IPCop, Smoothwall or Monowall. There are a bunch more of them as well, but these are versions that I have seen companies implement frequently. Here is the list on Wikipedia:


pansophic
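The dedicated two-NIC Linux firewall suggested above can be made "lock and walk away" by routing nothing for clients and exposing only the filter port to the LAN, so the box is administered from its console alone. The sketch below is an added example, not part of the thread: it generates such a ruleset and audits a ruleset for bypass paths. It assumes a LAN interface named `eth1`, DansGuardian listening on the gateway's TCP port 8080 with clients configured to use it as their proxy, and the gateway also serving DNS and DHCP.

```shell
#!/bin/sh
# Added example. Assumed, not from the thread: LAN NIC eth1, DansGuardian on
# gateway TCP port 8080, gateway also answers DNS (53) and DHCP (67).

# Print an iptables-restore ruleset: nothing is routed for clients, and the
# only gateway services the LAN can reach are the filter, DNS and DHCP.
# No SSH or web-admin port is opened, so changes require the console.
emit_gateway_rules() {
    lan=$1 filter_port=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -p tcp --dport $filter_port -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin; list anything that lets a client route around the
# filter or reach a management service. Exit status is non-zero on findings.
audit_rules() {
    filter_port=$1
    awk -v fp="$filter_port" '
        /^:FORWARD / && $2 != "DROP" { print "FORWARD policy is " $2; bad = 1 }
        /^:INPUT /   && $2 != "DROP" { print "INPUT policy is " $2; bad = 1 }
        /^-A FORWARD / && /-j ACCEPT/ { print "bypass path: " $0; bad = 1 }
        /^-A INPUT / && /-j ACCEPT/ {
            if (index($0, "-i lo ") || index($0, "--ctstate ESTABLISHED")) next
            port = ""
            for (i = 1; i < NF; i++) if ($i == "--dport") port = $(i + 1)
            if (port != fp && port != "53" && port != "67") {
                print "exposed gateway service: " $0; bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# On the gateway, as root: emit_gateway_rules eth1 8080 | iptables-restore
```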
 