Hello,
Can anyone recommend an appliance that runs Linux and does:
- packet shaping to throttle p2p traffic
- authentication (LDAP or other way of needing people to log in with ID and pass in order to gain Internet access) with ability to
- MAC filtering to let people through (bypass authentication) or block people
- firewall
- web admin interface
Montana Quiring montanaq@gmail.com wrote:
Firewall-oriented distros such as IPCop and Smoothwall probably do much of what you're looking for. I believe the latter is available in appliance form if you didn't want to throw together an old PC.
I use pfSense, which is FreeBSD-based, but is otherwise similar to the Linux versions mentioned above. All have fairly easy setup, with web-based admin interfaces. pfSense does have traffic shaping and a captive portal (e.g. log in first) option; I believe RADIUS and web-admin-defined users are supported. Not sure if the Linux distros do the shaping and portal options; it's been a while since I used them.
MAC filtering should be seen as a convenience only, as it provides no real added security. If you can see successful traffic passing on the wire, you can spoof your own MAC to match. Either way, I don't recall if it's an option in the web interfaces, but you can always muck with lower-level settings in the shell if it isn't.
Cheers, Tim
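To make Tim's point about MAC pass-through lists concrete from the defender's side, here is an added example (not code from pfSense or from anyone in this thread) that audits a bypass list against ARP-style observations and flags any whitelisted MAC seen from more than one IP address, which is the usual symptom of a MAC having been copied onto a second host. The MAC addresses, IPs and log lines are constructed for the example.

```python
"""Audit a MAC pass-through (bypass) list against observed ARP data.

Added example, not pfSense's own code. All addresses below are constructed.
"""
from collections import defaultdict

# Constructed pass-through list: MACs allowed to skip the captive portal.
PASSTHROUGH_MACS = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}

# Constructed observations in the form: timestamp ip mac interface
# (the kind of data you can pull from the firewall's ARP table over time).
ARP_LOG = """\
2009-05-14T10:00:01 10.0.0.10 00:11:22:33:44:55 lan
2009-05-14T10:00:05 10.0.0.11 66:77:88:99:aa:bb lan
2009-05-14T10:01:00 10.0.0.42 00:11:22:33:44:55 lan
2009-05-14T10:01:30 10.0.0.11 66:77:88:99:AA:BB lan
2009-05-14T10:02:00 10.0.0.99 cc:dd:ee:ff:00:11 lan
"""


def parse_arp_log(text):
    """Parse whitespace-separated ARP lines into (ts, ip, mac, iface) tuples.

    MACs are lower-cased so that mixed-case entries compare equal."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac, iface = line.split()
        entries.append((ts, ip, mac.lower(), iface))
    return entries


def find_shared_macs(entries, passthrough):
    """Return {mac: sorted IPs} for pass-through MACs seen with more than one IP.

    A whitelisted MAC that shows up from several IPs is a sign that a second
    host is using the same MAC, so the bypass entry deserves a closer look."""
    ips_by_mac = defaultdict(set)
    for _, ip, mac, _ in entries:
        if mac in passthrough:
            ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for mac, ips in find_shared_macs(parse_arp_log(ARP_LOG), PASSTHROUGH_MACS).items():
        print(f"pass-through MAC {mac} seen from multiple IPs: {', '.join(ips)}")
```

On a real box the ARP table would be sampled periodically and the pass-through list exported from the firewall; the logic itself does not change.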
Tim,
Thanks for all the tips. I should add that this box will need to handle as many as 400 connections.
99.9% of the users won't know how to change their MAC address. The MAC filter is basically just to get their attention. :)
-Montana
On Thu, May 14, 2009 at 10:10 AM, Tim Lavoie tim@fractaldragon.net wrote:
-- "Programming is like sex: one mistake and you have to support it for the rest of your life." -Michael Sinz
Montana Quiring montanaq@gmail.com wrote:
Heheh. You're quite welcome. You're right, the filtering will take care of most people. As for number of connections, I think you would still do fine with modest hardware. They do have a sizing guide on the site, based on expected bandwidth and some other features used such as VPN. I would add that memory requirements should take add-on apps into account, for example you can set up snort and squid there too from available packages. Still, you can scale nicely if you can use a slightly-less-old system.
Just to update, pfSense does support pass-through lists for MAC addresses and source or destination IP addresses. Per-user throttling, session durations etc. can also be configured, though a max session length will apply to MAC-whitelisted connections as well.
They (pfSense) don't directly offer an appliance, but do offer commercial support. Recommended hardware vendors are listed, some with pfSense pre-installed, here:
http://www.pfsense.org/index.php?option=com_content&task=view&id=44&...
On Thu, May 14, 2009 at 09:28, Montana Quiring montanaq@gmail.com wrote:
Astaro (http://www.astaro.com, http://www.astaro.ca is a reseller) provides their software in an appliance form-factor now. I'd evaluated their product quite a few versions ago, and it looked solid. AFAIK it has everything you need.