Hardware Firewall/Filter

[Iron Hawk]

I have the task of Re-Networking a computer lab at my highschool. One goal is to impliment a hardware Firewall to protect the 26 computers on the otherside. Another thing that we need is a way to filter out certain webpages that we do not want the students accessing. What programs do you recomend we use for this? The computer will allmost certainly be a linux box.

Would the computer be able to handle 25 computers without much packet loss? Also, would it be capable of becomming a file host?

Thanks,
-Iron Hawk

 

[engjohn]

Linux, netfilter, and squid.
If you want file hosting use samba.

 

[camfortner]

Are you trying to have a hardware firewall/router/filter

or are you trying to make a linux box do all of the above.

SonicWall makes a good SOHO firewall/router/filter which can filter and block porn sites and such. My HS used something along the sort.

Our setup was sorta like this, because the school hosted their own website off of a win9x box sitting on a DMZ port.
[T1 Connection] --Ethernet--> [Cisco Router/Firewall] --Ethernet--> 4 24 Port 100mbit Cisco Switches--Ethernet--> Computers

Does your school want or use Wireless Networking, because you're going to have a whole nother can of worms in there. Since you'll probably need some sort of MAC filtering on your router to make sure that unauthorized persons don't gain access to your network.


our meager T1 Connection serviced about 50 PC s in 2 labs, and about 60 teacher laptops running win9x/2k. It was really slow right after school when the LRC got filled up......

 

[Iron Hawk]

My intent is to have a linux box that does all of the above. I am working on only one lab and this firewall/filter will only be for this one lab. So really, im only going to be changing the topology of on portion of the network. The main reason for this is to be able to prevent the students in the lab from accessing certain webpages that the rest of the school is still welcome to view, an example of this is a particular forum that has been setup where some students have been posting answers and program code for others to cheat.

We will not be using wireless, so that is not an issue.

 

[bdf24]

I probobly sound like a broken record around here lately But I'm running behind a ClarkConnect box that does everything your looking for. you can run a content filter, fileserver, and firewall. And much, much more. You can install as a gateway system or standalone.

Dansguardian (I think that's what it's called) can filter out everything you want. You can actually set it up to only allow webpages that you manually put in the exception list. And Samba is very easy to setup in ClarkConnect for use as a file server. Once installed you don't need a monitor or keyboard. It has a nice webconfig page just like a standalone router has that you can adjust everything from.

My system is pretty basic. Celeron 333mhz with 64 megs of ram and a 60 gig drive for storage. You may want to run more ram with that many clients though.

Install takes about 15 minutes or so.
You can check it out here to get a better idea of what it all does if your interested.
There's two versions. The office which costs money. And the home version which is free and will do everything your looking for.

 

[camfortner]

Also, are you building this box, or do you already have an old computer that you're planning to just load with some software and let it sit?

 

[Iron Hawk]

I think im gunna give clarkconnect a try, looks like it is exactly what I will need.

I am not building this box from scratch, im just gunna modify a current computer. We have a few computers that are about 1ghz and are not being used, so i will probably get some more memory, and get a 4-port PCI router card for it,

This here seems like a good deal:
http://www.evertek.com/viewpart.asp?auto=7236

I have seen them at a few different stores, they say they work in windows, does anyone know if they work properly under linux?

 

[bdf24]

That card is basically a router in a PCI card. Sounds good. But the only thing is ClarkConnect will do all that for you. If you can disable all the router/Nat features in it, and use it as a 4 port NIC or Switch then it would be great. Otherwise it may interfere with the ClarkConnect functions.

 

[Iron Hawk]

Yeah, thats what I was hoping i would be able to do, use it as a 4 port NIC.

 

[Iron Hawk]

Well, i dont think i should have to disable anything, as the router card will only be facing the computers in the lab, a single port 10/100 card will be facing the rest of the schools network. Having the router in there will take some load off the cpu by routing packets that need to go to other computers in the lab.

This should work ok, right? (provided I can get the PCI Router card to work in linux)

 

[bdf24]

Well then you'll have to shut off DHCP in ClarkConnect. Otherwise you may have some troubles.

 

[Iron Hawk]

Oh yea, I didnt think about that Thanks for being my foresight, you have been a tremendous help so far.

 

[bdf24]

Not really sure how that card works. But if you can turn off DHCP on the card itself and the machine is able to give each physical port an IP address. One wan (from your IP) then one being something like 192.168.1.1 for lan. I know a third one could be used as DMZ as well. But not sure how it would assign the 4th port? I suppose it would'nt be much different then putting 4 seperate NIC's in a machine correct?
But if it can work like this you would'nt need a second seperate NIC. You'd be able to just use that one.

Otherwise you could just settle with 2 cheap NIC's instead of the single 4 port router NIC.

 

[Iron Hawk]

Well, the Router card is only $20, im going to get it to play around with, if I cant get it working then ill just use some seperate 1 port NICs. It really doesnt matter how its done, just as long as it works and wont give the Teacher much trouble. Thanks again for all of your help.

 

[bdf24]

np
Good luck with it and have fun. Post back if you have any problems. I'm sure there's many more that can help you out with the actual networking aspects then me. I'm a newbie yet. But I'll try and help.