
Firewall For Small Office


haroldc


Can anyone recommend a firewall program (linux or windows) that can easily be set up to block torrent and p2p downloading?

We would run the firewall on a dedicated PC, and (I'm guessing) that it would be placed between our existing ADSL modem and our existing wireless router.


Guest Reimar

Kerio Firewall does a good job.

But it is not so easy to block special file types.

There is maybe another way if you want to know who is doing what on the web: web logging software! Kiwisyslog, for example, logs every connection from every computer on the network! We are using this program at our customers to identify what the users are doing, who is downloading without authorization and so on. The program identifies the connected computer by IP address.


Maybe a better question is what traffic do you want to allow through the firewall, and who is using it. P2P programs are generally hard to block from a router's firewall, since all it can block is specific ports.

Some VPN software (effectively a proxy) will tunnel all traffic through HTTPS, so there is no perfect way to block them.

NoCatAuth is a tool that can control access quite well, but it is a bit of a pain for end users. (You must keep a browser window open or you lose your connection.) This is an effective tool if you are offering a free or pre-paid system to strangers, and can be used to set up different trust levels for a company as well.

Another option is to go for a proxy server as your firewall, and require all requests to go through that server. That should permit a high level of control.


IPcop

http://www.ipcop.org/

With the layer 7 blocker addon from here

http://mh-lantech.css-hamburg.de/ipcop/download.php?view.151

or P2P blocker

http://mh-lantech.css-hamburg.de/ipcop/download.php?view.160

All free, you just need to supply your own low(ish) spec Pentium II or III PC,

download and set it all up (admittedly not so easy, but Kerio isn't easy either IMHO).

But you'll have an industrial strength firewall for very little outlay.


On windows I use NetLimiter which allows you to limit (and completely block) the amount of traffic an application is sending/receiving. I find this indispensable for throttling P2P apps.

Most recent ports of Red Hat flavored Linux come shipped with IPTables, which does the job pretty well also. A bit more tricky if configuring from the command line though...


I use a different approach in our office.

A Windows domain with group policies that prohibit running certain applications and lock down any Windows settings changes. Users log in with restricted accounts and they can't run MSN, Yahoo Messenger, Limewire etc.

I use firewall policies as well but I found things like MSN, Yahoo are extremely difficult to block with simple firewall rules as they use a variety of ports.

I also run a squid proxy with a blacklist of certain timewasting sites eg Hotmail, sanook etc etc. They can only access them during lunch hours now :o


P2P blocking is tricky. Some of the protocols have been especially designed to evade signature-based detection. The various 'P2P blocker' modules I've tried (for Linux-based firewalls) have given me mixed results. Bittorrent is a reasonably easy target but Skype, for example, a major bandwidth eater, is almost impossible to reliably detect and block.

I personally think that the best approaches are:

1) block everything and force people to go through a proxy. I really mean everything including port 443. Skype can work with only this port open.

or:

2) force people to authenticate when accessing the Internet and keep an accounting of the traffic they generate, then manage bandwidth hogs according to your company's policies (public humiliation: having to walk the office corridors with a sign around his neck, getting a slap in the face, need to pay a few rounds of beer to coworkers, whatever :o )

I concur that IPCop is a good platform for this kind of approach. Other possible choices are M0n0wall, pfSense.

--Lannig
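As an added example that is not from this thread (and not from IPCop, M0n0wall or pfSense), here is what option 1 can look like on a dedicated Linux box using iptables, which was mentioned earlier in the thread, with a small accounting step that covers the logging side of option 2. The LAN interface name eth1, the subnet 192.168.1.0/24, the proxy port 3128 (Squid's default) and the kernel log lines are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from this thread: an iptables policy for a dedicated Linux
# firewall box that implements "block everything and force people through a
# proxy", plus a small accounting step over the resulting kernel log.
# Interface name, LAN subnet and proxy port are assumptions for this example.
LAN_IF="${LAN_IF:-eth1}"             # NIC facing the office LAN / wireless router
LAN_NET="${LAN_NET:-192.168.1.0/24}" # office LAN (assumed)
PROXY_PORT="${PROXY_PORT:-3128}"     # Squid's default listening port

# Emit the ruleset in iptables-restore format so it can be reviewed first and
# then loaded atomically. Nothing is forwarded, not even port 443: the only
# path out is the proxy running on this box. The WAN side needs no explicit
# rule because INPUT defaults to DROP and only replies pass via conntrack.
# Anything else the LAN needs from this box (DHCP, DNS) needs its own ACCEPT.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LAN_DIRECT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i $LAN_IF -j LAN_DIRECT
-A LAN_DIRECT -m limit --limit 10/min -j LOG --log-prefix "fw-blocked-direct: "
-A LAN_DIRECT -j DROP
COMMIT
EOF
}

# Kernel log lines in the shape the LOG rule above produces (constructed for
# this example, not real captures). DPT=6881 is BitTorrent's default port.
SAMPLE_LOG='Aug 29 10:12:01 fw kernel: fw-blocked-direct: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=6881
Aug 29 10:12:05 fw kernel: fw-blocked-direct: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.11 PROTO=UDP SPT=51234 DPT=6881
Aug 29 10:12:09 fw kernel: fw-blocked-direct: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=443
Aug 29 10:12:11 fw kernel: unrelated message that must be ignored'

# Read log lines on stdin and print "host count" for every LAN host that tried
# to bypass the proxy, busiest host first. This is the accounting that lets
# you apply company policy to bandwidth hogs instead of guessing.
blocked_per_host() {
    grep 'fw-blocked-direct:' \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

case "${1:-}" in
    apply)  gen_rules | iptables-restore ;;
    show)   gen_rules ;;
    report) blocked_per_host ;;   # grep fw-blocked-direct /var/log/kern.log | sh fw.sh report
esac
```

Run `sh fw.sh show` to review the rules and `sh fw.sh apply` to load them; `printf '%s\n' "$SAMPLE_LOG" | blocked_per_host` on the constructed lines reports 192.168.1.23 twice and 192.168.1.40 once. The LOG rule is rate-limited so a runaway P2P client cannot fill the disk with log lines, and the `limit` match also means the count is a lower bound, not an exact figure. Clients still need the proxy configured in their browser or via the OS proxy setting, and the proxy itself resolves names on their behalf, which is why no DNS rule is included.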


The big problem with IPcop is finding an ADSL modem that it will work with. I looked long and hard and could not locate one in Thailand or even Australia. That was several months ago.

If you know of a location to buy one here, please post it! I loved IPcop when we were on dialup and really miss having it for analyzing and monitoring the way the users in the office use (abuse) our Internet connection.

Peter




What would be the problem making IPcop work with an Ethernet ADSL router, specifically? Not that I have any first-hand experience of such a configuration, but I can't quite see what the problem would be? Your IPcop box with 2 LAN cards, one goes to the router, the rest serves the LAN.

--Lannig


There should be no problem getting IPcop working with an Ethernet modem/router... AFAIK they will all work. It would be better to put the router into bridging mode so as to avoid a double NAT situation (although double NAT works OK for most things).

The D-Link DSL210 USB modem (Conexant chipset) works perfectly fine for me here in Thailand (supplied by TT&T, but I've seen it for sale in Tukcom Pattaya)... and the Speedtouch USB "Green Frog" supplied by BT is still working fine on an IPcop I set up in England about 4 years ago.



The problem is that the restriction on accessing the WAN side of Ipcop from the LAN side makes configuring/monitoring the router and troubleshooting Internet problems a real headache. In the end I decided it was not worth the effort.

Peter



Hi John,

See my reply to Lannig about using a router. I'm not saying it can't be done - I just got fed up with it, particularly trying to troubleshoot Internet connection problems. A modem is so much cleaner. I will look for that D-Link modem, although I just found out that due to my employer moving to Bangkok I may be out of a job soon - I wanted IPcop for the office, not for home. Can you confirm that the D-Link DSL210 worked with IPcop?

Peter

