
Proxy/Firewall router

4 replies [Last post]
Offline
Joined: 2005-12-20

Hey,

I was wondering, is there a way to share a connection between Windows and Linux/BSD, as well as filtering out adult/bad sites as well? All with just a router?

Anyone?

dylunio's picture
Offline
Joined: 2005-12-20

If you had a boxen you could use as a router (which you could also use as a desktop or a server), you could put tinyproxy on it as explained here to clean up the content. As for the connection sharing, you could install a second NIC which attached to a switch, which attached to other boxen, you'd use some kind of forwarding to the second NIC to route the net, but I'm not 100% sure how to do this.

Offline
Joined: 2005-12-20

Cool, that seems a good way to do things, thanks dylunio. I'm sure, if I am allowed, we could use a box that isn't being used. (We have 9 in the house, no wait, 10.)

supermike's picture
Offline
Joined: 2006-02-17
Re: Proxy/Firewall router
"onlinebacon" wrote:

Is there a way to share a connection between windows, and linux/bsd, as well as filtering out adult/bad sites as well? All with just a router?

That's what I do. (BTW, I'm the author of the tinyproxy article you may have seen in the forums. I'll talk more about this in a minute.)

I have a Verizon DSL modem that I found, after reading forum messages on the web, works on PPP over Ethernet. I first configured the DSL connection with a laptop that I knew I was going to reformat later. I plugged it without a firewall right on to the DSL modem connection to set up my account and get it all working. Because I had no firewall, and since on average it only takes 20 seconds for a PC to get infected that way (these days), I wasn't going to care. I then wrote down all the settings and reformatted the laptop.

Next, I plugged all those settings into a hardware-based DSL NAT router. You can pick these up for like $45 at Wal*Mart, I think. It has a web interface to it, like they all do. The NAT router makes the connection to the Internet for me automatically and then serves up DHCP so that I can start adding PCs on my network. However, in my opinion, DHCP can be dangerous on a home network if anyone hacks the router. The bad guys can sometimes pretend to be another DHCP client or DHCP service and invade your system in a couple of different ways. Therefore, I use static addresses and I tell my NAT router to filter on MAC address, excluding all access from anything else. That makes it far tougher for the bad guys to get in. I then put static addresses on my home PCs and point them all to the gateway of this NAT router. I have a hub, in my case, that I plug the DSL NAT Router into along with the PCs. The DSL Modem plugs into the back of the DSL NAT Router. Note that each of my PCs has an Ethernet NIC in it. Some of the PCs have Linux (yay!), while others have Windows (ack spit spit).

Next, I went to Radio Shack and picked up a clock timer power supply kind of thing that cycles the power on the NAT router and modem at certain times of the day when I know I won't be online. This not only makes the units faster, and keeps them from locking up, but it is another way to frustrate hackers.

Next, I installed tinyproxy on my personal PC and made a kicking filter file that seems to work well so far. (It's the most vile, nasty, cuss-ridden thing you've ever seen if you have to deal with filter files. Unfortunately, that's par for the course.) Once this was installed, I set the kids' browsers so that they use this proxy. My kids aren't clever enough yet to know how to circumvent or turn off the proxy. However, if they were, there are ways in both Firefox and Internet Explorer to block, hide, and/or disable any little hands from changing this setting. (Unfortunately, if you're interested in restricting proxy changes, I'll let you surf the web for how because frankly I don't need this feature right now.)

Next, because no piece of software is perfect and will do well to be rebooted occasionally, I built a crontab schedule to bounce my tinyproxy service at a certain time of the night.

Now we can all surf the Internet at the same time and I can sort of watch and control where my kids surf.

I have more things I recommend:

* Give your kids their own PC and don't let them get on your or your spouse's PC. Also, password protect your PCs and put a screensaver with password protection turned on.
* Give your kids a Nintendo or something so that they will use their PC for serious things, not setting your network up for disaster by installing "games" that end up being much more than "games".
* Never let your kids install anything, including answering certain popups on the web, without you knowing about it.
* Switch all the browsers to Firefox. Switch all the mail clients to Thunderbird. This is more secure. Just make certain that Macromedia Flash and Java are installed before you walk away, though.
* Even something as harmless-seeming as a screensaver or wallpaper could be a doorway for spyware or viruses, so don't let them do that.
* Point your kids to Shoutcast.org and give them a copy of WinAMP (not the FREE version, which comes with adware) so that they can stop burning CDRs of copyrighted music and instead can listen to streaming audio. (That's what I had to do with my kids.)
* Don't let your kids use their real names anywhere, or upload completely unobscured photos of themselves (like direct face shots). You never know who's bad out there.
* If the kids are not older than 15, create a family email address and let the kids share it with the spouse, but use it only sparingly. This allows at least someone to filter their email a little before they get to see it. If they're over 15, you're probably going to want to let them have an email account. Unfortunately, I don't have good advice here because nothing can filter all email. Thunderbird sort of does a half-way decent job. You can also use two filters -- one at Mailsnare.com, for instance, and then download that into Thunderbird, which filters it again.
* Use Windows XP and turn on its "firewall".
* At a minimum on Linux, create at least an INPUT-based firewall with lokkit, and then make certain that script gets called on every reboot. (Check it with iptables -L.) Unfortunately, both the Windows and Linux firewalls may block some important things, like VPN, so you'll need to read up on how to tweak these.
* Keep your service packs up to date on all software.
* If you want to do office VPN on Linux, consider a great tool called vpnc. It works even through the NAT router configuration in my case.
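
The tinyproxy filter-file step in the post above can be dry-run before any browser is pointed at the proxy. The script below is an added example, not part of the original post or of tinyproxy itself: it assumes `FilterExtended On` with host-only, case-insensitive matching, and the patterns and hostnames are constructed samples.

```shell
#!/bin/sh
# Added example: dry-run a tinyproxy-style filter file against hostnames.
# Assumed tinyproxy.conf settings (the file path is hypothetical):
#   Filter "/etc/tinyproxy/filter"
#   FilterExtended On
# so each filter line is a POSIX extended regex matched against the host.

FILTER_FILE=$(mktemp)                  # stand-in for the real filter file
trap 'rm -f "$FILTER_FILE"' EXIT

# Constructed sample patterns (not the poster's filter file).
write_sample_filter() {
    cat > "$FILTER_FILE" <<'EOF'
(^|\.)adult-example\.test$
(^|\.)ads\.example\.test$
casino
EOF
}

# Prints "blocked" or "allowed" for one hostname.
check_host() {
    patterns=$(mktemp) || return 2
    # Drop blank and comment lines: an empty pattern would match every host.
    grep -Ev '^[[:space:]]*(#|$)' "$FILTER_FILE" > "$patterns" || true
    if printf '%s\n' "$1" | grep -Eiq -f "$patterns"; then
        verdict=blocked
    else
        verdict=allowed
    fi
    rm -f "$patterns"
    echo "$verdict"
}

write_sample_filter
# uploads.example.test shows why the "ads" pattern is anchored on a dot:
# an unanchored "ads" would block it as well.
for h in www.adult-example.test ads.example.test uploads.example.test \
         Big-CASINO.example.test docs.example.test; do
    printf '%-28s %s\n' "$h" "$(check_host "$h")"
done
```
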

a thing's picture
Offline
Joined: 2005-12-20
Re: Proxy/Firewall router
"supermike" wrote:

* Use Windows XP and turn on its "firewall".

I'm confused.
