Topic: URL filtering  (Read 7458 times)
« on: March 20, 2008, 13:42:59 »
dirkb *
Posts: 15

I would like to do URL filtering on my m0n0 "secured" network.  Is this something m0n0 can do, or is it possible to forward all HTTP traffic from m0n0 to another box or ....

Any tips, advice are welcome.



dirk.
« Reply #1 on: March 25, 2008, 16:24:14 »
markb ****
Posts: 331

Monowall is not able to do URL filtering and is only able to redirect ports (e.g. incoming NAT) when the packets are destined for the interface address.  You can do some web site blocking by creating a dummy DNS entry for the sites you want to block.  If you want something more advanced, consider looking at the Squid caching proxy server.  It can operate transparently if you want, and combined with squidguard or dansguardian it provides powerful controls for filtering and restricting internet access.
« Reply #2 on: March 25, 2008, 18:52:26 »
mwiget *
Posts: 38

It has been mentioned elsewhere on this forum and I recently tried it out with success: have a look at OpenDNS (http://www.opendns.com/). By configuring m0n0wall to use their DNS servers instead of the ones provided by your ISP, you can manage access to Websites individually and in groups.
« Reply #3 on: March 25, 2008, 19:20:48 »
fredg
Guest

Yes, OpenDNS will work to the degree it can.

But unless you prevent users from running their own resolvers, OpenDNS won't even be in the game.
« Reply #4 on: March 25, 2008, 22:56:12 »
dirkb *
Posts: 15

I know that I can't do this with "just" m0n0.  And probably there will be some kind of transparent proxy needed, and this in combination with a tool like Squidguard or Dansguardian.

As this is not something simple out-of-the-box and as we need a little more than 'just' the URL filtering, I'm willing to pay somebody that can create me a document with all the needed configuration/software/....
The scope of what we need is on Rent-a-coder, you can view the project via http://www.rentacoder.com/RentACoder/misc/BidRequests/ShowBidRequest.asp?lngBidRequestId=891607 and if you're interested you can place your bid on it.  That way you don't have to answer me for free :-)


dirk.
« Reply #5 on: March 26, 2008, 16:37:39 »
ChainSaw
Guest


> But unless you prevent users from running their own resolvers, OpenDNS won't even be in the game.


Just add a LAN rule to block any TCP/UDP packets to port 53 whose destination is not 208.67.222.222 or 208.67.220.220, then fire anyone who finds another way to get around this solution.   (grin)

CS...
« Last Edit: March 26, 2008, 16:40:30 by ChainSaw »
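
The LAN rule described in the reply above, modelled as an added example (not part of any post in this thread and not m0n0wall's own code or configuration format). It assumes top-down, first-match rule evaluation; the rule tuples, the function names and the sample flows are constructed for illustration.

```python
import ipaddress

# Resolvers named in the reply above (OpenDNS).
ALLOWED_RESOLVERS = {ipaddress.ip_address("208.67.222.222"),
                     ipaddress.ip_address("208.67.220.220")}

# Hypothetical rule model, evaluated top-down, first match wins (assumption).
# Each rule: (action, protocols, destination set or None for any, port or None).
LAN_RULES = [
    ("pass",  {"tcp", "udp"}, ALLOWED_RESOLVERS, 53),  # DNS to approved resolvers
    ("block", {"tcp", "udp"}, None, 53),               # any other DNS
    ("pass",  {"tcp", "udp", "icmp"}, None, None),     # everything else from LAN
]

def decide(proto, dst, dport, rules=LAN_RULES):
    """Return the action of the first rule matching this packet."""
    dst = ipaddress.ip_address(dst)
    for action, protos, dsts, port in rules:
        if proto not in protos:
            continue
        if dsts is not None and dst not in dsts:
            continue
        if port is not None and dport != port:
            continue
        return action
    return "block"  # nothing matched: deny

def audit(flows, rules=LAN_RULES):
    """Return (src, dst) pairs of port-53 flows that the rules stop."""
    return [(src, dst) for src, proto, dst, dport in flows
            if dport == 53 and decide(proto, dst, dport, rules) == "block"]

# Constructed sample flows: (source, protocol, destination, destination port).
SAMPLE_FLOWS = [
    ("192.168.1.10", "udp", "208.67.222.222", 53),  # approved resolver
    ("192.168.1.11", "udp", "192.0.2.53", 53),      # client-chosen resolver
    ("192.168.1.11", "tcp", "192.0.2.53", 53),      # same, over TCP
    ("192.168.1.12", "tcp", "198.51.100.7", 80),    # ordinary web traffic
]

if __name__ == "__main__":
    for src, dst in audit(SAMPLE_FLOWS):
        print(f"blocked DNS to unapproved resolver: {src} -> {dst}")
```

Order matters under first-match evaluation: with the block rule placed above the pass rule, queries to the two approved resolvers are dropped as well.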
« Reply #6 on: January 22, 2009, 22:31:28 »
Omerik *
Posts: 35

Sorry gentlemen,

Is anybody sure that this OpenDNS is a trustworthy site?
They can redirect to their own proxy and catch passwords that are sent to the Internet ... or am I wrong?

There's no second possibility to make a good first impression.

Euro Buchberger
« Reply #7 on: January 30, 2009, 02:42:53 »
cmb *****
Posts: 851

> Sorry gentlemen,
>
> Is anybody sure that this OpenDNS is a trustworthy site?
> They can redirect to their own proxy and catch passwords that are sent to the Internet ... or am I wrong?

It's trustworthy. Technically they could give you back incorrect DNS responses, but DNS isn't the most secure thing to begin with. Anything sensitive should go over an encrypted channel such as HTTPS, which can't be hijacked (without the user accepting a certificate error at least).

I use and recommend OpenDNS for content filtering, it's a nice service.

« Reply #8 on: January 30, 2009, 10:19:23 »
markb ****
Posts: 331

I also use OpenDNS without any problems.  You could also look at a virtual appliance for Squid if you are interested.  Not a transparent one, but this one from the VMware site has squid, dansguardian, clamAV and SARG already built.
 