Firewall Wizards mailing list archives
Re: Content filtering - how to enforce at home
From: Randall C Grimshaw <rgrimsha () syr edu>
Date: Thu, 9 Sep 2010 06:29:41 -0400
Physical access is always a problem, especially if they possess replacement routers - but here is what I use: 2 stacked NAT routers,

Cable modem -> R1 -> R2 -> house

R1 is a NAT with 802.11n WPA2 private password for my rare bypass needs. The ports are MAC secured to include my notebook and R2.

R2 is a WRT running the latest Gargoyle / OpenWrt configured to enforce OpenDNS subscribed (free available) site category filtering / tracking. Gargoyle also has functional rate limiting, access quotas, reporting, filtering.

Notes: My college kids used to have access to R1 in a former configuration, but hacker would break into their computers and they were often careless users. So for a while a bsecure securespot (no longer offered but signs of returning) sat between R1 and R2 (pre Gargoyle). A hotspot-like password was used for bypass needs.

Today's configuration is better for my immediate needs and works pretty well... hacker #2 is going to be a bigger challenge and I may need a PCI compliant cage.

Good luck Jim... as usual should any of your force be....

Randall Grimshaw
rgrimsha () syr edu

________________________________________
From: firewall-wizards-bounces () listserv cybertrust com [firewall-wizards-bounces () listserv cybertrust com] On Behalf Of Wieslaw Lubas [wieslaw_lubas () o2 pl]
Sent: Wednesday, September 08, 2010 3:18 PM
To: firewall-wizards () listserv cybertrust com
Subject: [fw-wiz] Content filtering - how to enforce at home

Hi,

I am trying to attach a small filtering "appliance" in a home environment. From the user perspective it is a proxy server and firewall with IP address A on the LAN side. The WAN side is connected to a DSL/cable modem (CPE). All traffic other than restricted web categories shall be allowed. CPE DHCP is turned off and allows only the "appliance" MAC address.

Scenario 1. Web proxy (A) enforced on workstation.

Scenario 2. CPE or firewall blocks 80&443 from sources different than "A". "Appliance" is in transparent mode, because all workstation users can modify proxy settings. Disadvantage - only ports 80 and 443 are filtered - the filter can be bypassed using an Internet-based proxy.

Scenario 1a. Smart 7 years young hacker replaces "appliance" with some non-filtering proxy, using the same IP. How to avoid this hack?

Scenario 2a. Smart 7 years young hacker clones "appliance" MAC and connects directly to CPE. How to avoid this hack? 802.1x?

Scenario 2b. CPE is provider-managed - in my case cable modem acting as a bridge. No MAC filtering. Any connected DHCP client gets online. Will anything other than a physical lock help (connecting cable modem with "appliance", setting up appliance as DHCP server, both boxes secured with key in enclosure)? Is there any software based solution that could do the job? Specifically, a tamper proof network driver acting as ICAP client (I could install a filter with ICAP server in a remote location).

Wieslaw
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
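As an added illustration (not code from either poster), the gateway-side rules behind Wieslaw's Scenario 2 and Randall's R2 enforcement: only the appliance "A" may reach TCP 80/443 on the WAN, and every LAN DNS query is rewritten to the filtering resolver so a changed DNS setting on a workstation has no effect. Interface names, the proxy address and the resolver address are assumed placeholders, and an existing MASQUERADE rule in nat/POSTROUTING is assumed; the script prints the iptables commands for review rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the iptables rules a home
# gateway (R2 in Randall's stack, or the firewall of Wieslaw's Scenario 2)
# would use so the filtering proxy cannot simply be routed around:
#   1. only the proxy ("A") may open TCP 80/443 towards the WAN;
#   2. every LAN DNS query (UDP/TCP 53) is DNAT'ed to the filtering
#      resolver, whatever resolver the client has configured;
#   3. in "strict" mode all other LAN-to-WAN traffic is refused, closing
#      the Internet-based-proxy gap Wieslaw describes (at the cost of
#      breaking anything that is not HTTP/HTTPS through the proxy).
# Interface names and addresses are assumed placeholders. Review the output,
# then pipe it to sh on the router. A MASQUERADE rule in nat/POSTROUTING
# is assumed to exist already.

gen_rules() {
    proxy="$1"; dns="$2"; lan="$3"; wan="$4"; mode="${5:-}"
    # 2. Force DNS to the filtering resolver and allow the rewritten flow.
    echo "iptables -t nat -A PREROUTING -i $lan -p udp --dport 53 -j DNAT --to-destination $dns"
    echo "iptables -t nat -A PREROUTING -i $lan -p tcp --dport 53 -j DNAT --to-destination $dns"
    echo "iptables -A FORWARD -i $lan -o $wan -d $dns -p udp --dport 53 -j ACCEPT"
    echo "iptables -A FORWARD -i $lan -o $wan -d $dns -p tcp --dport 53 -j ACCEPT"
    # 1. Web traffic: accept from the proxy only; reset everyone else so
    #    browsers fail fast instead of hanging on a dropped SYN.
    echo "iptables -A FORWARD -i $lan -o $wan -s $proxy -p tcp -m multiport --dports 80,443 -j ACCEPT"
    echo "iptables -A FORWARD -i $lan -o $wan -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset"
    # 3. Remaining LAN-to-WAN traffic: allowed by default, refused in strict mode.
    if [ "$mode" = "strict" ]; then
        echo "iptables -A FORWARD -i $lan -o $wan -s $proxy -j ACCEPT"
        echo "iptables -A FORWARD -i $lan -o $wan -j REJECT"
    else
        echo "iptables -A FORWARD -i $lan -o $wan -j ACCEPT"
    fi
}

# Assumed values; override from the environment. Pass "strict" as $1 for mode 3.
gen_rules "${PROXY_IP:-192.168.1.2}" "${FILTER_DNS:-192.0.2.53}" \
          "${LAN_IF:-br-lan}" "${WAN_IF:-eth0}" "${1:-}"
```

These rules match on the source address, so they rely on the port/MAC lock Randall describes (or 802.1X, as Wieslaw asks) to keep another host from taking over "A"'s address; the firewall alone cannot tell the two apart.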