Small office dilemma - "the firewall" - suggestions?

pete_c said:
Yup; it's restricting all internet web site access except for 2-3 websites, starting initially on one computer in the office.
 
I can do this with PFSense. 
 
I cannot though do it with the Netgear that is utilized there today.
 
I did write to the PFsense folks regarding an if/then scenario of a primary build and set up; then a sub to their support services. They did respond that they do offer subs for maintenance and support.
 
Thank you guys for your suggestions. 
 
So any other computers will have non-restricted access?
 
Regardless, I believe this is something that you can do with Squid (proxy server). Allow access to X sites to certain computers, and allow different access to different users. It can also be time based as well (e.g. allow social media sites during lunch breaks).
 
Work2Play said:
..." but it's a HUGE learning curve - there are no hints on the UI - it's barebones access to raw functionality and you need to know enough about what you're doing."
I'd agree that it's a huge learning curve, especially the whole mangle rule thing. But there is a GUI utility called Winbox that I'm relying on to hopefully ease the pain.
 
Jozza
 
Yup; it's only one computer / one employee.
IIRC, you can do that with simple filter rules in pfSense (white/black list, time-based, etc.) - no need for the squid package for a single user.
 
Yup here thinking of the introduction of using PFSense on a small mITX board/box.  Going baby steps here. 
 
I looked at another commonly used computer for accounting and it is pretty trashed right now; literally the two browsers, Chrome and IE, are dysfunctional and in hijack mode. The Netgear firewall was set to all of the defaults for user and password stuff.
 
Personally I wouldn't use it accounting to a back end server if it were me.
 
pete_c said:
Yup here thinking of the introduction of using PFSense on a small mITX board/box.  Going baby steps here. 
 
I looked at another commonly used computer for accounting and it is pretty trashed right now; literally the two browsers, Chrome and IE, are dysfunctional and in hijack mode. The Netgear firewall was set to all of the defaults for user and password stuff.
 
Personally I wouldn't use it accounting to a back end server if it were me.
 
That's why you need UTM - white/black lists are not a suitable substitute - they are useful for enforcing business policies but they are not effective threat management tools.
 
Yup; the more I look or pay attention the more I see. 
 
I.e.: most likely the installation and maintenance of the accounting box was just dropped in and made functional, disregarding the network (that was already there).
 
I am guessing that the firewall was opened up in a willy-nilly fashion regarding remote control of the accounting server for remote maintenance, done up by some non-network, non-router, non-firewall people.
 
All they probably cared about was remote access and were clueless regarding the configuration of the firewall as its set up in default mode today.
 
On a larger scale; commercial endeavors I have seen this. 
 
Yup; PFSense does do UTM.  It's a plug n play software "do all" firewall/router/UTM box. 
 
Here I built a small footprint PFSense box with 6 NICs (Intel) using load balancing; resilience features on one side and multiple LANs on the other side.
 
Still learning much though. 
 
PFSense has a commercial paid for yearly support piece of the company which might work out for me. 
 
This issue seems to come up for me all the time. There are a number of ways I've dealt with this, as suggested above: DD-WRT, pfSense, as well as comprehensive Threat Management solutions.
 
Fancy solutions like the Barracuda stuff or Sophos are great, but expensive.
 
You can get the job done with DD-WRT. My experiences putting this on consumer routers (probably 15 distinct models on 30 devices over the past 8 years) haven't been great. I've found stability to be an issue. Some of this could be DD-WRT code over the years, some could be the consumer routers burning out. But I've repeatedly had installations become unstable over time.
 
My current budget preference is pfSense on some NetGate hardware. Something like this little ALIX based system (http://store.netgate.com/Netgate-m1n1wall-2D3-2D13-Red-P218C83.aspx). I've used 3 or 4 of the ALIX ones and two of the large Hamakuas and had great results in terms of performance and stability. The pfSense interface is great, and it also leaves you open to a bunch of fancier configurations in the future. On pfSense you may want to look at Squid for white listing.
 
 
Some other ways you could accomplish this, your mileage may vary here (so please don't throw tomatoes):
 
* Stand up a second DNS server that doesn't recurse up the hierarchy except for the approved sites. Assign the restricted employees to these DNS servers; set up separate VLANs if you want to prevent an enterprising youth from cheating.
* This is the opposite of a white list, but I've created an LMHosts file that forces resolution of (say) the top 1000 sites to 127.0.0.1. I then distribute the file on a regular basis via script, or group policy.
* If there is a domain, configure group policy to set proxy settings for all sites except the white listed ones.
 
Best,
-eric
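Eric's first two approaches (an allow-list-only resolver, and a hosts-style file that sinks unwanted names to 127.0.0.1) as generated configuration. This is an added example, not code from the thread; it assumes the office resolver is Unbound (the pfSense DNS Resolver), and the domain lists are constructed samples.

```python
"""Generate an allow-list resolver fragment and a hosts-style block list.

Assumption: the restricted machines use an Unbound resolver (as pfSense
does).  Domains used below are constructed placeholders, not real sites.
"""
from ipaddress import ip_address
from typing import Iterable


def normalize(domain: str) -> str:
    """Lower-case, strip whitespace and a trailing dot; reject junk input."""
    d = domain.strip().lower().rstrip(".")
    if not d or any(not (c.isalnum() or c in "-.") for c in d):
        raise ValueError(f"bad domain: {domain!r}")
    return d


def unbound_allowlist(allowed: Iterable[str]) -> str:
    """Unbound 'server:' fragment: refuse every name by default, then let
    only the approved zones (and their subdomains) resolve normally.
    Unbound applies the most specific matching local-zone, so the
    'transparent' entries override the catch-all '.' refuse."""
    lines = ["server:", '    local-zone: "." refuse']
    for d in sorted({normalize(x) for x in allowed}):
        lines.append(f'    local-zone: "{d}." transparent')
    return "\n".join(lines) + "\n"


def hosts_blocklist(blocked: Iterable[str], sink: str = "127.0.0.1") -> str:
    """hosts-file lines mapping each blocked name (plus its www. form) to
    the sink address, so the browser never reaches the real site."""
    ip_address(sink)  # raises ValueError if sink is not an IP literal
    out = []
    for d in sorted({normalize(x) for x in blocked}):
        out.append(f"{sink} {d}")
        if not d.startswith("www."):
            out.append(f"{sink} www.{d}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # constructed sample lists: two approved vendor sites, two sites to sink
    print(unbound_allowlist(["vendor.example.com", "payroll.example.net"]))
    print(hosts_blocklist(["social.example.org", "video.example.org"]))
```

As Eric's VLAN remark implies, the resolver-based allow list only holds if the firewall also stops those clients from reaching any other DNS server or from using a hard-coded IP.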
 
Thank you all.
 
Hello Frederick,
 
Thank you, and yes; I posted the link above when writing on the Homeseer forum regarding PFSense.
 
I tested and am using my GPS with PPS plugged into the PFSense firewall and it is working well with pretty good time syncing these days.  The GPS is mounted in the attic and has a nice bird view (11 satellites).  Older GPS time sync antenna was on the roof.  This is just one little piece of it; historically though running NTP on a separate box; it's a nice integration.
 
I enabled a few plugins to give me what I was already doing with the Smoothwall box.  It's addictive what this box can do and what is available for it.
 
I was doing much with my Smoothwall box; but also some of the add-ins were hand done. I do still utilize DD-WRT and I have installed and updated many neighbors' APs here in my subdivision with DD-WRT. I did also a while ago play with the SOHO stuff. I am a bit alarmed though that folks (SOHO) would today purchase and spend monies on a good off the shelf SOHO firewall, plug it in, turn it on and leave all of the settings at default, or pay a one year sub and then "forget about it".
 
I am testing the failover / load balancing stuff on the PFSense box and multiple networks inside lately. That and my new managed switch thing lets me do stuff now these days that cost thousands of dollars to do at "work".
 
I do want to maybe utilize PFSense in this small office but do not want to get too involved in managing the box other than initially configuring it. 
 
The more I look the deeper the hole; i.e. the more that needs to be done. Best to do it right for a friend of 30 years.
 
Attachments: PFSense-NTP.jpg