Thread: Locking down my network

  1. #1
    Join Date
    Dec 2008
    Location
    Montana, USA
    Posts
    603

    Default Locking down my network

    My network consists of 2 desktops and 1 laptop running Leap 15.2, two laptops running Windows, three HP printers and the usual smartphones using both iOS and Android. I want to lock down my network so that access to facebook, twitter and some more sites is absolutely not available to any of the devices. I'd also like it if my printers weren't telling HP about how many pages I'm printing.

    My Asus router has the option to lock out some sites that use HTTP, but not any that use HTTPS. So that doesn't work.

    I am looking at Squid as it seems like it may work. But, I'm confused as to how to set it up. Do I need another computer that would handle all the traffic going from my network to the internet? Would it do what I want? Where on my system would it reside? I don't necessarily need to log all network access like seeing who goes where and for how long, although it might be nice to verify that no packets are going to places I don't want them to go.

    Is there another option that would work?

    I just know this has to be possible, I just have no idea how.

    Bart

  2. #2
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    29,832
    Blog Entries
    15

    Default Re: Locking down my network

    Quote Originally Posted by montana_suse_user View Post
    My network consists of 2 desktops and 1 laptop running Leap 15.2, two laptops running Windows, three HP printers and the usual smartphones using both iOS and Android. I want to lock down my network so that access to facebook, twitter and some more sites is absolutely not available to any of the devices. I'd also like it if my printers weren't telling HP about how many pages I'm printing.

    My Asus router has the option to lock out some sites that use HTTP, but not any that use HTTPS. So that doesn't work.

    I am looking at Squid as it seems like it may work. But, I'm confused as to how to set it up. Do I need another computer that would handle all the traffic going from my network to the internet? Would it do what I want? Where on my system would it reside? I don't necessarily need to log all network access like seeing who goes where and for how long, although it might be nice to verify that no packets are going to places I don't want them to go.

    Is there another option that would work?

    I just know this has to be possible, I just have no idea how.

    Bart
    Hi
    OpenDNS, AFAIK you can create your own block/allow lists https://www.opendns.com/home-internet-security/ I run pihole https://pi-hole.net/ (two servers on RPi3's, not docker, Leap and SLES and using openDNS servers) here and can block/allow as required on the fly...
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE

  3. #3
    Join Date
    Dec 2008
    Location
    Montana, USA
    Posts
    603

    Default Re: Locking down my network

    Looking at pi-hole, and assuming I want the entire network protected, it seems there is a program (a dhcp or dns server?) that must be running for it to work. As I want the system to work even if my computer is off, that means the dhcp server must be installed on a device that is always on, correct? Would it be advisable to use my file server (Leap 15.2 headless server - always on) or should I add another dedicated device specifically for this service?

    What about updates? pi-hole does not seem to have a repository on opensuse's list.

    It seems pi-hole comes with a built in list of sites to block ads and that would be nice as I would only need to add blocking for my pet peeves. What about tracking sites?

    Do I understand that I can not ssh to another machine using its network name? Example:
    Code:
    ssh PDP-11 -lmyname
    But I could still use the IP address. Example:
    Code:
    ssh 192.168.2.34 -lmyname
    Bart

  4. #4
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    22,264
    Blog Entries
    1

    Default Re: Locking down my network

    Quote Originally Posted by montana_suse_user View Post
    Looking at pi-hole, and assuming I want the entire network protected, it seems there is a program (a dhcp or dns server?) that must be running for it to work. As I want the system to work even if my computer is off, that means the dhcp server must be installed on a device that is always on, correct? Would it be advisable to use my file server (Leap 15.2 headless server - always on) or should I add another dedicated device specifically for this service?

    What about updates? pi-hole does not seem to have a repository on opensuse's list.
    Use a raspberry pi?
    openSUSE Leap 15.2; KDE Plasma 5

  5. #5
    Join Date
    Jul 2018
    Location
    Loma Linda, Mo
    Posts
    367

    Default Re: Locking down my network

    I use pi-hole on two Raspberry Pi 4 w/8gb ram running Loboris's Ubuntu 10.04 - Everything works and the Pi uses a 3.5 watt 5v power supply. I have the local PCs in the /etc/hosts file. It does seem to remove most of the unwanted ads on web browsing. I have one as the primary attached to OpenDNS and the backup attached to 1.1.1.1 DNS.

    I have 2 Pi 4's - it would fit on a 2gb Pi 4 fine but I would suggest a 4gb minimum Pi 4 - Mine are Canakits. I recommend getting the starter kit and the optional USB power switch and a spare fan.

    Link to Loboris's Ubuntu image https://www.raspberrypi.org/forums/v...f=131&t=279323
    Opensuse 15.2 with VirtualBox VM's (XP, 10 & OpenSUSE 15.0)
    Pi4 with Ubuntu MATE 20.04
    Unix since 1974 (pdp-11 in "B" , Interdata 7/32 in "C") (AT&T, Tandy, Convergent, IBM, NCR, HP flavors)
    Linux since 1995 (mandrake, redhat, fedora, centos, now OpenSUSE)

  6. #6
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    12,888
    Blog Entries
    2

    Default Re: Locking down my network

    For only 3 machines and phones, I think you want a solution that involves as little work as possible.
    First thing to ask is how technically sophisticated the Users are... If you put a block in place, how likely would it be that one of your Users will be able to figure out what is happening and how to get around your measure?
    Other major issue is that of course the phones can connect to the Internet on their own, is that an issue for you? And if someone tethers their machine and maybe other machines to the phone, is that a problem for you?

    Next usual question and it always applies no matter the size and who's on the network, consider non-technical solutions... A business for example should have employees sign a Use of Company Resources contract or agreement, signed. A family situation might handle this informally, but still explore whether simply informing them their Internet usage will be monitored for violations might be sufficient.

    As for technical solutions...
    If you have control of the DNS used whether it's in your router or a service like OpenDNS or another machine you set up, you can either blacklist (block) or redirect (send the User elsewhere) any URLs. Yes, people can always connect by IP address but most people find that onerous. Still, if you have to block by IP address, then look for a solution that can do that.

    Squid is one example of a proxy firewall based solution.
    It's a special type of firewall that does reasonable packet inspection and can filter and then do something according to what is in the packet.
    Personally, I'd consider that a bit of overkill for a small network like what you describe, there are probably other solutions more suited for tiny networks.

    One thing you can look for is "Nanny software" or "Parental controls." Whether those terms describe your actual situation or not, they describe a type of software that's usually easy to install and does basic filtering. Some are services (You direct your traffic through their servers) or they might require installation of a web browser plugin or application.

    Hope those are some ideas you can work with,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  7. #7
    Join Date
    Dec 2008
    Location
    Montana, USA
    Posts
    603

    Default Re: Locking down my network

    Quote Originally Posted by tsu2 View Post
    For only 3 machines and phones, I think you want a solution that involves as little work as possible.
    First thing to ask is how technically sophisticated the Users are... If you put a block in place, how likely would it be that one of your Users will be able to figure out what is happening and how to get around your measure?
    I doubt that anyone on my system would be able to do that.

    Other major issue is that of course the phones can connect to the Internet on their own, is that an issue for you? And if someone tethers their machine and maybe other machines to the phone, is that a problem for you?
    I can't see that happening on my system


    Next usual question and it always applies no matter the size and who's on the network, consider non-technical solutions... A business for example should have employees sign a Use of Company Resources contract or agreement, signed. A family situation might handle this informally, but still explore whether simply informing them their Internet usage will be monitored for violations might be sufficient.

    As for technical solutions...
    If you have control of the DNS used whether it's in your router or a service like OpenDNS or another machine you set up, you can either blacklist (block) or redirect (send the User elsewhere) any URLs. Yes, people can always connect by IP address but most people find that onerous. Still, if you have to block by IP address, then look for a solution that can do that.

    Squid is one example of a proxy firewall based solution.
    It's a special type of firewall that does reasonable packet inspection and can filter and then do something according to what is in the packet.
    Personally, I'd consider that a bit of overkill for a small network like what you describe, there are probably other solutions more suited for tiny networks.

    One thing you can look for is "Nanny software" or "Parental controls." Whether those terms describe your actual situation or not, they describe a type of software that's usually easy to install and does basic filtering. Some are services (You direct your traffic through their servers) or they might require installation of a web browser plugin or application.

    Hope those are some ideas you can work with,
    TSU
    Everything you said is absolutely valid, but a large part does not apply in my particular case. I can see that I should have explained exactly what I'm looking for and I didn't do that.

    I have this "Thing" about facebook and all the rest of so called social media. I don't want my IP address associated or recorded or tracked by any of these places. Now, obviously I can't insist that friends who come over to my place and ask to use my wifi connection install an app on their phone. They usually want to use a weather app or show me something on a web page or the like. I do NOT want them over in the corner poking around on facebook! Besides, I'd like it if the web pages I visit did not load the facebook icons and all. uBlock Origin shows me that one of the sites I visit connects to facebook.net and everything I've tried will not get it to block that site.

    So, I can live with installing anti-tracking stuff on my machine but I really want to block social media.

    Bart

  8. #8
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    12,888
    Blog Entries
    2

    Default Re: Locking down my network

    Recommend
    Re-inspect what your home router can do
    It's highly unlikely that it can filter http but not https to the same URL.
    If you have guests over, then many home routers support a Guest network, which is typically simply configuring a firewall zone for those Users. Look for that on your home router, and you should be able to apply rules to only that zone.

    A service based nanny software would probably be the easiest to set up, but you can also modify your DNS... If you deploy your own solution that's not in your router, then yes... you'll need to deploy an "always on" device which can be a full sized machine or an embedded computing device like an RPi, Arduino or a commercial device.

    If you deploy your own solution...
    Deploying squid is probably the most robust type solution... Most options, hardest to work around. There may be simpler alternatives for small networks.
    DNS. You can set up your own DNS and "poison" any Domains you want to block... redirecting to localhost or a page of your choice. Although services like OpenDNS can be an option, it's also possible to just install Berkeley DNS on a local machine and manage it yourself.

    The above are non-invasive ways to block or redirect without installing on devices used by your friends. Won't get into solutions that install or configure longer-lasting changes to each device.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  9. #9

    Default Re: Locking down my network

    Quote Originally Posted by montana_suse_user View Post
    My network consists of 2 desktops and 1 laptop running Leap 15.2, two laptops running Windows, three HP printers and the usual smartphones using both iOS and Android. I want to lock down my network so that access to facebook, twitter and some more sites is absolutely not available to any of the devices. I'd also like it if my printers weren't telling HP about how many pages I'm printing.

    My Asus router has the option to lock out some sites that use HTTP, but not any that use HTTPS. So that doesn't work.

    I am looking at Squid as it seems like it may work. But, I'm confused as to how to set it up. Do I need another computer that would handle all the traffic going from my network to the internet? Would it do what I want? Where on my system would it reside? I don't necessarily need to log all network access like seeing who goes where and for how long, although it might be nice to verify that no packets are going to places I don't want them to go.

    Is there another option that would work?

    I just know this has to be possible, I just have no idea how.

    Bart
    What you want is a local DNS resolver which will allow you to create a DNS firewall (sinkhole) that blocks DNS resolution of unwanted IP addresses. Bind is the traditional *nix resolver, but it is bloated and stupid complicated...not recommended. Unbound, website here, is a far better choice. There are two methods in unbound to block IP resolution but the preferred method, Response Policy Zones (RPZ), is not available in unbound v1.6 in the Leap 15.2 repos, however, unbound 1.12 is available in the Tumbleweed repo here with a build for Leap 15.2 that works fine and supports RPZ (I use it). A DNS resolver will only help with wired/wireless devices on your LAN. Cell phones can always use their radios for DNS resolution even if connected to a LAN.

    As for implementation, you can set up one system to provide DNS services on your LAN but this requires that the chosen system is always running. Alternatively, a small DIY single board computer like Raspberry Pi can do the job without the drain on the electric bill.

    DNS block lists can be created from hosts block lists available on the web.

    Before you try your own DNS resolver you will need to be reasonably knowledgeable on how DNS works and there is no lack of information and misinformation on the web. Documentation for DNS resolver packages assumes a substantial working knowledge of DNS. You've been warned. ->

    Unbound is quite simple to use but difficult if you are not DNS knowledgeable, the documentation is particularly spartan for a novice (even pros).

    If you are using Network Manager be aware that there is no accurate documentation of proper setup to work with unbound which has to do with resolv.conf.

    I will be posting a howto for unbound on opensuse in the near future as I have recently worked out the kinks - it is simple.
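    Picking up fosdex's point that DNS block lists can be built from hosts-format lists on the web, and TSU's earlier point about "poisoning" domains in a resolver you run yourself, here is an added example (not code from either poster, nor from the unbound project) that turns a hosts-format list into an RPZ zone file for unbound. The sample list, the zone name rpz.local and the file path in the comments are assumptions made for the example.

```python
"""Convert a hosts-format block list into an Unbound RPZ zone (added example).

Public ad/tracker lists are mostly '0.0.0.0 domain' or '127.0.0.1 domain'
lines. In an RPZ zone the rule 'name CNAME .' means "answer NXDOMAIN", so
each blocked domain gets an apex rule and a wildcard rule for subdomains.
Assumed unbound wiring (see unbound.conf(5)): the respip module must be in
module-config ("respip validator iterator") and an rpz: block points at the
generated file, e.g. zonefile: "/etc/unbound/rpz.local.zone" (assumed path).
"""
import re

# Constructed sample list; real lists have the same shape but thousands of lines.
SAMPLE_HOSTS = """\
# Title: example block list (constructed for this example)
127.0.0.1   localhost
::1         localhost
0.0.0.0     facebook.com
0.0.0.0     www.facebook.com   # redundant once facebook.com is wildcarded
0.0.0.0     connect.facebook.net
0.0.0.0     Twitter.com
0.0.0.0     ANALYTICS.EXAMPLE   # DNS names are case-insensitive
this is not a hosts line
"""

# At least two labels, letters/digits/hyphens only: rejects junk before it reaches the zone.
NAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")
SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost"}
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

def parse_hosts(text):
    """Return the sorted, de-duplicated domains from a hosts-format block list."""
    found = set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop trailing comments first
        if len(parts) < 2 or parts[0] not in SINK_ADDRS:
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name not in SKIP and NAME_RE.match(name):
                found.add(name)
    return sorted(found)

def collapse(domains):
    """Drop names already covered by a blocked parent, since the parent gets a wildcard rule."""
    kept = []
    for d in sorted(domains, key=len):          # shortest first, so parents come before children
        if not any(d == p or d.endswith("." + p) for p in kept):
            kept.append(d)
    return sorted(kept)

def rpz_zone(domains, origin="rpz.local.", serial=1):
    """Render the RPZ zone text; SOA and NS are required by the zone format, not by RPZ."""
    lines = [f"$ORIGIN {origin}", "$TTL 300",
             f"@ SOA localhost. hostmaster.{origin} {serial} 3600 900 604800 300",
             "@ NS localhost."]
    for d in collapse(domains):
        lines.append(f"{d} CNAME .")            # NXDOMAIN for the name itself
        lines.append(f"*.{d} CNAME .")          # ... and for everything under it
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(rpz_zone(parse_hosts(SAMPLE_HOSTS)), end="")
```

    Bump the SOA serial whenever the list changes, otherwise unbound will happily keep serving the old zone.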

  10. #10
    Join Date
    Dec 2008
    Location
    Montana, USA
    Posts
    603

    Default Re: Locking down my network

    Quote Originally Posted by fosdex View Post
    What you want is a local DNS resolver which will allow you to create a DNS firewall (sinkhole) that blocks DNS resolution of unwanted IP addresses. Bind is the traditional *nix resolver, but it is bloated and stupid complicated...not recommended. Unbound, website here, is a far better choice. There are two methods in unbound to block IP resolution but the preferred method, Response Policy Zones (RPZ), is not available in unbound v1.6 in the Leap 15.2 repos, however, unbound 1.12 is available in the Tumbleweed repo here with a build for Leap 15.2 that works fine and supports RPZ (I use it). A DNS resolver will only help with wired/wireless devices on your LAN. Cell phones can always use their radios for DNS resolution even if connected to a LAN.

    As for implementation, you can set up one system to provide DNS services on your LAN but this requires that the chosen system is always running. Alternatively, a small DIY single board computer like Raspberry Pi can do the job without the drain on the electric bill.

    DNS block lists can be created from hosts block lists available on the web.

    Before you try your own DNS resolver you will need to be reasonably knowledgeable on how DNS works and there is no lack of information and misinformation on the web. Documentation for DNS resolver packages assumes a substantial working knowledge of DNS. You've been warned. ->

    Unbound is quite simple to use but difficult if you are not DNS knowledgeable, the documentation is particularly spartan for a novice (even pros).

    If you are using Network Manager be aware that there is no accurate documentation of proper setup to work with unbound which has to do with resolv.conf.

    I will be posting a howto for unbound on opensuse in the near future as I have recently worked out the kinks - it is simple.
    Sounds like just what I'm looking for. I'll be watching for your howto and, if you'd like, will PM you with my experience to help smooth out any areas I had problems with.

    Bart
