Skip to main content

Open Source Gateway, Content Filtering and Firewall for School

We have just switched broadband providers and hit a problem that the content filtering that they provided remotely did not really meet our needs. There main issues were with WiFi, BYOD devices and number of proxy exceptions needed to make Google Apps work.

  • For BYOD, users had to input the proxy and an unrealistic number of exceptions.
  • Our WiFi system did not work correctly with the content filter.
  • Without a load of exceptions, Google Docs did not work correctly on any device and as we use Google Apps this was sort of important.

This forced me to look at alternative solutions. We had been using ClearOS 5.2 for DNS and a few other things for some time and a knew it could do content filtering. So I setup a test VM (running on ESXi) of ClearOS 6.4 Community. The content filter on this seemed to work well and the proxy ran in transparent mode - so no pesky proxy settings or exceptions.

For a production system, more system resources were needed. This involved buying a dedicated (at least for now) box to run Clear OS 6.4 Professional on. This box currently has 8Gb and runs a hex core Xeon processor on an ESXi 5.1 platform. Clear OS Professional works by a subscription at various levels. We went for the basic level that gives content filter updates, software updates, antivirus update and so on. Was only $260 a year. Much less than other commercial systems.

Its early days - but the system seems to perform well on a 200Mb leased line with several hundred concurrent users. Offsite access for staff is given via the 1 to 1 NAT plugin that maps an external IP address to a local terminal server.

Some screen shots

Dashboard - show load on the system and resources used. There is also a real-time bandwidth monitor.
Filtering - there are a wide range of filtering options. There are configurable Blacklists and Phrase lists and well as exceptions and banned sites. You can also block the download of certain types of file extensions if you want. The overall sensitivity of the system is also configurable.
Web Proxy - we have this configured to transparent so that no proxy settings are needed. You can configure the system cache that speeds up access to frequently visited sites. You can also set bypasses for IP addresses - we have a couple of machines that need to go straight out to the net.

There is lots more you can do. For example, there is an active directory plugin than then allows you to set filtering levels by AD security group membership. This is a paid for extension so have not go there yet.

For us - at least at least at the moment, it seems to work well, allows everything to work as it should and does not cost the Earth (or nothing at all - but you do need to pay if you want filter updates).

In terms of installing it - if you run ESXi (you will need internal and external Vnics configured) its really fairly straightforward. There are some online guides, but essentially you will need two NICs. One for the internet and one connected to your internal network. You will also need IP/DNS settings from your ISP to configure the outward facing NIC. Once you have setup the networking, you can browse to the server at https://ipaddress(or DNS name)of server:81 login and it will take you through the rest.

Might post more details when I have time.

Update: we have found for good performance under load that we had to turn off the squid proxy disk cache. This can be done by putting in the line:
deny cache all
into the the squid.conf file. You can also delete reference to the location the the squid cache.

Your need to do this will depend on the number of users and the speed of your local disks.





Labels:

Comments

  1. James Simpson17 May 2013 at 15:15

    Out of interest, do you mind telling me which ISP and filtering you went with? I'm the Network Manager at another Oxfordshire school, and we're potentially looking at the same situation.

    ReplyDelete
    Replies
    1. Roger Nixon17 May 2013 at 22:23

      We have our broadband with Capita. They can provide Openhive which we ditched fairly quickly - their brand of Netsweeper. We just use ClearOS atm.

      Delete

Post a Comment

Popular posts from this blog

Delete a specific email using GAM

If a user send an inappropriate email to a loads of people or get stung by some sort of email exploit you can quickly delete the email from all of the recipients using a GAM command. Step 1 - get the email header Go into Google Vault and search for the offending user or someone known to have got the message. Click show details and grab the email ID. This will be a long string of characters followed by @mail.gmail.com Step 2 - find out who has the email Go into Google Vault and find the original message sent by the offending user. Look at the details to see who got it. Copy the list and dump it into a spreadsheet. Clean up to just a list of emails with a column header 'mail'. Save as a csv file. Step 3 - delete messages with GAM Put your CSV file in your GAM folder - this e.g. assumes its called mail.csv Run: gam csv mail.csv gam user ~mail delete messages query rfc822msgid: MESSAGEIDHERE doit The alternative nuke option is: gam all users delete messages query rf...
Post a Comment
Read more

Adding subdomains to G Suite

This is how I add subdomains (so basically new schools) to out G suite setup. I've got these steps documented on a scruffy set of notes that I've now got in Keep - so time to document them - for myself as much as anyone else! Steps in order (roughly) Add the new domain Verify the new domain Add MX records to hosting Add SPF record for Google to hosting Turn on email authentication Add DMARC record to hosting Setup custom Directory and restrict students OU to this. Create an admin quarantine for the domain. Configure SPAM setting for the domain. Turn on and off services as appropriate. Map a blank Google Site to the naked domain - if required. Setup some basic groups - allstaff, allusers (for directory) and students with appropriate permissions. Deploy custom wallpapers. So the steps in a bit of detail: Add the new domain & Verify ownership Click on Domains in the admin console: Add/remove domains followed by "add a domain" At this...
Post a Comment
Read more

My favorite GAM commands - well a few of them at least!

Where would be without GAM? Paying for expensive syncing tools or doing tedious manual tasks in the admin console. GAM can automate most things you might want to do in G Suite. So these are a few of my favourite commands - one I use either as part of a batch file - or just standalone. There are loads more - but these are ones that are used daily. Classroom Create a spreadsheet of all your domains classes -  gam print courses todrive Create a spreadsheet of a teacher's classes:  gam print courses teacher fred@mydomain.com todrive Bulk create classes: gam csv classes.csv gam create course alias ~alias name ~alias section ~subject teacher ~teacher status ACTIVE where classes.csv is a list of classes you want to make. Add teachers: gam csv teachers.csv gam course ~alias add teacher ~teacher Add students: gam csv students.csv gam course ~alias add teacher ~student Sync Students (in this example to a group - but could be an ou/csv file) gam csv grou...
Post a Comment
Read more