ClearOS
Do not change the NIC's IP address casually; otherwise the programs will misbehave and the system will have to be reinstalled.
Use the custom firewall to open up acceptance of ping, snmp and similar services.
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d 163.26.YOUR.IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s 163.26.YOUR.IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 161 -j ACCEPT
Use the incoming firewall to open ssh port 22 before remote login is possible. After logging in via ssh, install and configure snmp, then add an allow rule for the incoming connection in the custom firewall; only then can cacti monitoring work.
An ldap or samba account is required for authentication, so the ldap or samba package must be installed.
For the web proxy server, only the cache size needs changing. Other sites that need banning are handled via content filter engine > default (configure policy) > add banned sites; after every configuration change, the content filter engine must be restarted.
https://www.clearos.com/resources/documentation/clearos/content:en_us:6_content_filter
https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_o_content_filtering_ins_and_outs#dns quote below:
DNS
DNS is a great way to filter because you can block DNS lookups to happen exclusively under your control (unless your workstations are using some sort of VPN out of your network). You can manually make poisoned DNS entries for sites like Facebook and ads. For example, you can send ads on Youtube down a hole so you get ad-less Youtube and you can completely block any DNS resolution to Facebook if that is just not something you want to allow on your network. DNS is just part of the process and if your user decides to just use IP addresses instead, you may find out that they will just do an end-run around this blocking protocol with IP addresses or a hosts file.
ClearOS' DNS server is a caching DNS server. As such, you can populate entries on that server that are totally invalid. When a user queries the server for the hostname, they will get the poisoned address instead of the real one. You can do individual hostnames like or you can blacklist WHOLE domains easily by directing the DNS lookups for ad site domains to bogus network IPs or the loopback address of the client workstation. You can even redirect it to the root domain on the server where you boldly state that they are not allowed to surf that site (they will get a certificate error if you do this). Since the DNSMasq daemon processes all .conf files in /etc/dnsmasq.d/, simply create a file called:
/etc/dnsmasq.d/poison.conf
In it, create listings similar to this:
server=/doubleclick.net/127.0.0.1
server=/pointroll.com/127.0.0.1
server=/facebook.com/127.0.0.1
You can use any network address of RFC 1918 or the loopback address of 127.0.0.1. It is best to use the top network address of your network so that the response is quicker, as this top address is known to be invalid for the machines on the subnet that use the subnet mask. For example, if you use 192.168.4.1/255.255.255.0 for your ClearOS server, then you can use 192.168.4.0 for the bogus DNS IP. The packet will instantly fail and will not route.
block https for facebook and youtube (the mechanism should be: the client machines have their DNS set to 192.168.1.1, the proxy's internal IP, so lookups can only go through the proxy, and the proxy hands the client a wrong address. poison.conf points the sites to be blocked at an empty server; the DNS then consults the local hosts file and is still directed to localhost on the server, so the client's lookup returns a wrong address and https is blocked.):
touch /etc/dnsmasq.d/poison.conf
vi /etc/dnsmasq.d/poison.conf
add the following lines:
server=/facebook.com/192.168.1.0
server=/youtube.com/192.168.1.0
save the file /etc/dnsmasq.d/poison.conf
vi /etc/hosts
add the following lines:
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 youtube.com
127.0.0.1 www.youtube.com
save the file /etc/hosts
To prevent students from switching to Google's or Chunghwa Telecom's DNS and resolving the real IP, outbound port 53 must be blocked. Use the Egress firewall in ClearOS to block Destination ports: 53 tcp and 53 udp.
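As an added example (not from these notes or from ClearOS), a small Python checker for the poison.conf approach above: it parses the `server=/domain/ip` lines, mimics dnsmasq's domain-suffix matching to show which lookups get diverted to the unreachable sink, and computes the subnet's network address that the quoted ClearOS note recommends as the sink. The sample config and the 192.168.1.1/24 server address are constructed to match the settings used in these notes.

```python
import ipaddress

# Constructed sample, mirroring the /etc/dnsmasq.d/poison.conf written above.
POISON_CONF = """\
# sink unreachable upstream for the blocked domains
server=/facebook.com/192.168.1.0
server=/youtube.com/192.168.1.0
"""


def parse_poison_conf(text):
    """Parse dnsmasq 'server=/domain/ip' lines into {domain: sink_ip}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("server=/") and line.count("/") >= 2:
            _, domain, sink = line.split("/", 2)
            rules[domain.lower().rstrip(".")] = sink.strip()
    return rules


def sink_address(server_ip_with_mask):
    """Network ('top') address of the server's subnet, per the quoted advice:
    192.168.4.1/255.255.255.0 -> 192.168.4.0 (never assigned, so packets fail)."""
    iface = ipaddress.ip_interface(server_ip_with_mask)
    return str(iface.network.network_address)


def resolve(hostname, rules):
    """Return the sink a query for hostname is forwarded to, or None if it
    goes to the normal upstream. dnsmasq matches a domain and all its
    subdomains, preferring the most specific (longest) matching suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return rules[suffix]
    return None


def check_sinks(rules, server_ip_with_mask):
    """Flag rules whose sink is a reachable host rather than loopback or
    the subnet's network address; such a sink would let lookups succeed."""
    expected = sink_address(server_ip_with_mask)
    bad = {}
    for domain, sink in rules.items():
        ip = ipaddress.ip_address(sink)
        if not (ip.is_loopback or str(ip) == expected):
            bad[domain] = sink
    return bad
```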
block flash games and videos
vi /etc/squid/squid.conf
#1: Create an acl for ads content type
acl flash_ads rep_mime_type application/x-shockwave-flash
acl flash_video rep_mime_type video/x-flv
#2: Deny flash ads by denying the above acl (against any ipaddress acl)
http_reply_access deny flash_ads
http_reply_access deny flash_video
#Now Save the squid.conf file
#3: Reload the squid service for the changes to take effect (the squid service can be restarted from the ClearOS web console).
Also check whether the flv mime type is ticked in the dansguardian-av (content filter) program.