Network Filtering, Testing

Filtering

These days we must filter our internet, filter our email, and even filter our TV watching! I suspect it is just going to get worse.

To filter your TV there are ProtecTV, TVGuardian, and Sanyo VCRs and DVD players.

To filter your email, if you have a Linux mail server you can use Qmail-Scanner or SpamAssassin.

To filter your web there is a Websafe router or a Linux router with SquidGuard or DansGuardian.

Filtering Television

To filter your TV there are now three options: some Sanyo VCRs and DVD players, ProtecTV, and TVGuardian. ProtecTV has only one setting that will block a lot of words that an adult may find unnecessary. ProtecTV also only works with closed captioning on or off. TVGuardian has both strict and moderate settings, and hence is the better choice. TVGuardian also supports a popup closed captioning with substituted words to replace the lost dialog when it is censoring.

Now there is a new option for filtering your TV/VCR/DVD. Sanyo has started installing a TVGuardian inside of some of their units. I have purchased a SANYO DVW-7000; it is a combination DVD, VCR and TVG Filter. The filter has three settings: strict, moderate, and tolerant. Then there are word group settings for religious terms, Damn and Hell, and Sexual References. Also the all-in-one design eliminates using three boxes and three remotes! For the TV to be filtered you need to use your video inputs and leave the TV on its video input setting.

Language filters use the Closed Caption information to detect swear words so they may not work if the program is not closed captioned or if the text is not aligned with the words being spoken. The TVGuardian can be set to pop up the closed caption text when it edits a sentence. The filtered words are then replaced with more suitable text.

Qmail-Scanner

Some spammed email is downright disgusting! Nude pictures are accompanied with a warning that you must be 18 years of age to view these pictures. Too late, but do they care? Of course not! We use an N2H2 filter but these people create a web page then spam it out to everybody before the filter can stop it. I submit the site to N2H2 but it is a week or two before it is blocked. Somehow I had to find a faster method.

Note: We have since upgraded to DansGuardian as our filter. It is more effective because it is a 2 level filter and it is FREE! First it blocks the known bad sites, then it examines each allowed page for bad text and blocks it on the fly. It blocks this page of my website every time! This two level approach is fine except for sites that do not have bad text. When they send an email they only link to one page of their site and it usually does not get blocked. So every day or two I have to add a site to the list of bad sites to stop the email pictures from coming through.

If you use a Linux server with Qmail you can add a program called Qmail-Scanner. It can easily be modified to block these sick emails as well as many viruses that use attachments. There is a sample of how to block attachments ending in .exe in the control file that is called "quarantine-attachments.txt". Just follow that example, but remember that the records are tab delimited, not space delimited.

.exe	0	Attachments ending in .exe are not allowed
.com	0	Attachments ending in .com are not allowed
.bat	0	Attachments ending in .bat are not allowed
.scr	0	Attachments ending in .scr are not allowed
.pif	0	Attachments ending in .pif are not allowed
.hta	0	Attachments ending in .hta are not allowed
.bas	0	Attachments ending in .bas are not allowed

Then to block the sick emails there are examples but they are not very clear. First, the phrase to look for needs to start with a .* and end with a .* unless you want to type the entire subject line. The phrase is case sensitive, and watch out for substitutions like 1 for the letter i. Usually I will forward the offensive email to myself to make sure it is blocked.

.*v1agra.*	Virus-Subject:	Viagara Spam
.*the size of your.*	Virus-Subject:	Viagara Spam
.*the smallness of your.*	Virus-Subject:	Viagara Spam
.*ERECTIONS.*	Virus-Subject:	Viagara Spam
.*Girlfriend will thank you.*	Virus-Subject:	Viagara Spam
.*Toronto Pharmacy.*	Virus-Subject:	Viagara Spam
.*SEXUALLY EXPLICIT.*	Virus-Subject:	Disgusting Spam
.*SEXUALLY-EXPLICIT.*	Virus-Subject:	Disgusting Spam
.*weightloss available .*	Virus-Subject:	Weightloss Spam
DealsoFall	Virus-From:	Spam
DVDCopyWorks	Virus-From:	Spam
bonanzacafe.biz	Virus-From:	Spam
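An offline check for these records before a test email is forwarded, as an added example (not Qmail-Scanner's own code and not from the original page). It flags records that are not tab delimited and shows which records would fire for a message under the matching model described above: the pattern must cover the whole header value and is case sensitive. The attachment suffix comparison and all names in the code are assumptions, and the sample records are constructed.

```python
import re

# Constructed sample in the page's layout: pattern<TAB>size-or-header<TAB>description.
SAMPLE = (
    ".exe\t0\tAttachments ending in .exe are not allowed\n"
    ".scr 0 Attachments ending in .scr are not allowed\n"  # spaces: deliberately broken
    ".*v1agra.*\tVirus-Subject:\tViagara Spam\n"
    ".*SEXUALLY EXPLICIT.*\tVirus-Subject:\tDisgusting Spam\n"
    "bonanzacafe.biz\tVirus-From:\tSpam\n"
)

def parse_records(text):
    """Return (records, errors); a record is (pattern, field, description)."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            errors.append((lineno, "expected 3 tab-separated fields"))
            continue
        pattern, field, desc = parts
        if not (field.isdigit() or re.fullmatch(r"Virus-[A-Za-z-]+:", field)):
            errors.append((lineno, "second field is neither a size nor Virus-<Header>:"))
            continue
        if not field.isdigit():
            try:
                re.compile(pattern)
            except re.error as exc:
                errors.append((lineno, f"bad pattern: {exc}"))
                continue
        records.append((pattern, field, desc))
    return records, errors

def matches(records, headers, attachments=()):
    """Descriptions of the records that fire under the model in the lead-in."""
    hits = []
    for pattern, field, desc in records:
        if field.isdigit():
            # Attachment record: assumed plain filename-suffix comparison.
            if any(name.endswith(pattern) for name in attachments):
                hits.append(desc)
        else:
            # Header record: "Virus-Subject:" -> "Subject"; whole value, case sensitive.
            value = headers.get(field[len("Virus-"):-1], "")
            if re.fullmatch(pattern, value):
                hits.append(desc)
    return hits
```

Under this model a subject written as "viagra" or "V1AGRA" is not caught by the .*v1agra.* record, so each spelling seen in real spam needs its own record.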

IPCop Linux Router

Several years ago, a young relative set us up with a Linux Router. I have tried for years to set one up myself. Sometimes the computer would not boot, but even if I was able to get everything else working it would not work as a router! I had tried Red Hat Linux, Smooth Wall, Live CD, a Floppy based CD router, and I had read several books and manuals over an inch thick to no avail. Then I discovered "IPCop". My first attempts met with the same fate as before. Then I tried using two different network cards to make it easier to tell what was the local connection and what was the internet connection. Guess what? It worked on the first try! The combination was a 3Com 336 card and an Intel 558 card. I have repeated the earlier setup with two 3Com cards and it will not work, but that mixture will work every time. When one of our routers died for the second time on a Friday, by Monday afternoon I had replaced it with IPCop. IPCop can be reinstalled in less than 30 minutes including DansGuardian.

Link to IPCop's website. IPCop's documentation is very good, but just in case I thought I would create my own. The real problem is their documentation on adding addons like DansGuardian and SquidGuard. DansGuardian now works with addons 2.2 and it does not have to be configured; just install it and it starts working!

Installing IPCop

Download the ISO file and burn a CD from the ISO Image file.

Boot the soon to be server from the CD you made.

Type in "Nousborpcmcia" to start installing IPCop.

Press "enter" about 5 times.

Select "Skip" to skip floppy configuration.

Select "Probe" to find the first network card.

Enter an IP address of 192.168.1.1

Select "US" and "EST" for Eastern Standard time.

Select "IPCop" for machine name and "Enter" for Domain.

Select "Disable" for the ISDN screen.

For Network Type select "Red and Green".

For Drivers and Cards Select "Probe" and assign the card to "Red".

For Address Settings Select "Red", and enable "DHCP".

Set the IP Range to 192.168.1.10 to 192.168.1.254 and Select "OK"

Enter your password(s) about 4 times and press "OK" to restart.

Installing Addons on IPCop 1.4

Download Addons-2.2 from firewalladdons.sourceforge.net

Save Addons-2.2 to a CD ROM

Note: in Linux you type "addons" and press tab to get the rest.

At the server do the following:

Put the Addons CD into the CD ROM drive.

Mount the CD "mount /dev/cdrom"

Change to the CD "cd /mnt/cdrom"

List the CD contents "ls"

You should see the addons-2.2 file listed on the CD.

Copy the file to root "cp addons[tab] /"

Change to the root "cd /"

Uncompress the files "tar zxvf addons[tab]"

Change to addons directory "cd /addons"

Install addons "./setup -i"

Installing Cop+ (DansGuardian) on IPCop 1.4

At a computer on the server's network:

Download Cop+ from firewalladdons.sourceforge.net (Sorry they moved it!)

Log into the server at HTTP://192.168.1.1:81/

From the Addons tab on the far right select "addons".

Scroll down to "install new addon"

Browse to the Cop+ file you downloaded.

Select "Upload" and wait a long time

Refresh the screen, you will see the filter under "Services".

Some other "Services" you may want to modify are:

Select "Services", "Intrusion Detection"

Enable on Red

Enable on Green

Select "Save"

Select "Services", "Proxy Server"

Enable on Green

Transparent on Green

Log Enabled

Select "Save"

IPCop version 1.48 with addons 2.3 and DansGuardian 2.8 (as Cop+) all work together! There is a catch however. During boot up the screen will print garbage all over the place and then hang for about 5 to 10 minutes. Even though it looks like it has crashed, it is actually still loading DansGuardian. It is worth the wait; the new version of DansGuardian has filters for Google, Yahoo, and Dogpile images! You do not need to disable images.google.com anymore. Also the new version of IPCop is much more resistant to internal viruses. Our students come with dozens of viruses that will shut down the network every other day. With the new version it has run over 3 days with no problems.

Another issue is Limewire/Gnutella traffic. You tell the students not to download copyrighted material but they keep doing it. Here is a line of code to type in on the IPCop computer to filter out Limewire. After logging in, type "iptables -A FORWARD -p tcp --dport 6346 -j REJECT". Remember that Linux is case sensitive. If that does not work because they managed to reconfigure Limewire to use another port, you can try this: 'iptables -A FORWARD -p tcp -m string --string "GNUTELLA CONNECT" -j REJECT'.

This is a diagram of a typical network setup with about 250 connections to the network.

Here are two of my network testers.

The in circuit network tester is only made by me and is found nowhere else that I know of. The in circuit network tester works on the principle that each pair is attached to a coil at both the hub and the computer. So with a meter you can measure almost a short between the blue and the blue white wires. I eventually built this tester based on this principle. It can also tell if it is a 10 or a 10/100 device at the far end of the cable. A 10 only device only lights up the LED for the orange and green pairs. A 10/100 device will light up all 4 LEDs if it is working properly. This device may fail to detect a short in some rare cases, but 90% of the time it will tell you if there is a wiring problem.

The scanning tester is also my own design but several other people make similar devices. It just uses a 4017 to sweep through all 8 wires to verify that they are connected and that they are in the right order. This is a great device for testing homemade network cables or ones that may have been damaged while in use. It also detects crossover cables.