From: Alson van der Meulen
To: FreeBSD Questions
Subject: Re: Network -> Internet Filtering
Date: Mon, 8 Oct 2001 19:06:16 +0200
Message-ID: <20011008190616.D24409@md2.mediadesign.nl>
In-Reply-To: <3BBFA1BB.83DE94D7@uwi.tt>

On Sat, Oct 06, 2001 at 08:28:43PM -0400, Dale Chulhan - Home wrote:
> I currently have several labs at a school attached to one interface of
> my checkpoint firewall and I was wondering the following:
>
> 1) What's the best method to automatically deny an ip address access
> from the internet when certain keywords are matched
> 2) How can I limit groups of sites by time?
> 3) How can I filter content by type ( say .mp3, .pdf etc.... ) by time
> and group?
> 4) How can I filter downloaded file sizes by type by time and group?

Download size is the only thing you can't control AFAIK, only the max
size of files the proxy will _cache_. But just limiting bandwidth to
some low value per IP should prevent large downloads ;)

> 5) How can I throttle bandwidth on a per IP basis?

Have a look at the 'oops' proxy server (/usr/ports/www/oops). The only
way to do filtering on HTTP level is running a proxy server (possibly
transparent) and _not_ NATting HTTP traffic.

Oops' ACLs can match by time, url regular expression, port, destination
domain, destination domain regexp, source ip and time. You can combine
multiple ACLs in an acl_deny statement. IIRC, squid can also do these
things, except bandwidth limiting. You could also throttle bandwidth
using dummynet, though I'm not sure if you can control _per IP_
bandwidth with dummynet.

-- 
,-------------------------------------------.
> Name:           Alson van der Meulen      <
> Personal:        alson@flutnet.org        <
> School:       alson@gymnasiumleiden.nl    <
`-------------------------------------------'
hey, what does mkfs do?
---------------------------------------------
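
The kind of proxy ACL combination this message describes (source group, time window, file type, URL keyword), sketched as a squid.conf fragment. This is an added example, not part of the original post and not the poster's configuration. The subnet, ACL names, hours, domain and keyword are all constructed placeholders.

```conf
# Added example: squid.conf access rules combining group, time and type.
# All addresses, names, hours and patterns below are constructed placeholders.

# Group: the lab machines, identified by source address.
acl labs src 192.168.10.0/24

# Time: Monday to Friday during class hours.
acl class_hours time MTWHF 08:00-15:00

# Content type, matched on the URL path (case-insensitive).
acl media_files urlpath_regex -i \.mp3$ \.pdf$

# A group of sites, matched on destination domain and its subdomains.
acl restricted_sites dstdomain .example.com

# Keyword anywhere in the requested URL.
acl url_keywords url_regex -i examplekeyword

# All ACLs named on one http_access line must match (logical AND);
# lines are evaluated top to bottom and the first match decides.
http_access deny labs class_hours media_files
http_access deny labs class_hours restricted_sites
http_access deny labs url_keywords

# Everything else from the labs is allowed; all other clients are refused.
http_access allow labs
http_access deny all
```

These rules only see requests that pass through the proxy, so HTTP from the lab network has to be forced through it (explicitly or transparently) and not NATed past it, as the message notes. A URL keyword match denies the individual request, not the client address.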