LinuxQuestions.org
Old 11-26-2021, 09:11 PM   #1
des_a
Member
 
Registered: Sep 2006
Posts: 890
Blog Entries: 35

Rep: Reputation: 21
Layer 6-7 Internet URL Filtering


I found a program for Windows, Kurupira. I'd love to find an equivalent for older Linuxes, but that's beside the point. When I install it on a Windows machine, it does exactly what I want for the price I want, free.

"However", it only does so on one machine at a time. I want to be able to do this to my whole network! I don't want to buy a SonicWall firewall, because it's too much, even though it does so at layer 3 of the OSI model.

Whatever I get, I would prefer no monthly subscriptions and would strongly prefer free and open source. I would not like easy workarounds to disable it.

I want filtering of URLs, both HTTP and HTTPS, so I can block a specific Google search or something similar when needed. I would like so in ALL browsers, both open source and not. When I'm using Windows 10, I typically use a combination of Edge, Chrome, and Firefox, while when using Linux, I use Firefox exclusively.

I would like to try and take that program, and install it on a "server" Windows XP or 10 machine (because Windows is what the filtering programs will probably run on), then I want to mess with my gateways or something, until I route all Internet traffic through it, to stop in at that box, then go back to the router and through it to the Internet.

By stopping at that box, I want it to filter out EVERYTHING in my network. Will this program do that if I do as described, or do I need another program? If I should or need to use another program, I need suggestions on which. The logging is optional for now. The filtering is not. I'm preparing for a nephew who isn't born yet.
 
Old 11-27-2021, 02:40 AM   #2
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6037
Sounds like you should look into installing Pi-hole on a dedicated machine. It can monitor your whole LAN, Windows machines, too.

That said, by the time your nephew is mature enough to use the internet without adult supervision, things will have changed significantly...
 
Old 11-27-2021, 05:39 PM   #3
des_a
Member
 
Registered: Sep 2006
Posts: 890

Original Poster
Blog Entries: 35

Rep: Reputation: 21
I just looked into pi hole. It says it blocks dns, but not urls. What I want to do is block urls. I can already block dns, but to find a solution with that, I'd need to block www.google.com, but that would be too general and would be too much. I'd rather, for example, block https://www.google.com/pizza, but not https://www.google.com/toenail.
 
Old 11-28-2021, 11:38 AM   #4
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6037
Quote:
Originally Posted by des_a
I just looked into pi hole. It says it blocks dns, but not urls.
I guess you mean "IPs" instead of "dns".

This is the same impression I got after reading a few headers on their website, but I have been told that it is much more powerful than that.
Read the docs.
 
Old 12-09-2021, 07:10 AM   #5
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,238

Rep: Reputation: 103
You might be better off with a router that knows deep packet inspection, although it's not that easy to find an open source solution. Maybe OPNsense can achieve this? https://opnsense.org/
With an external network device you cannot look at the URLs themselves over https with deep packet inspection, but only at the SNI - server name indication (which is the hostname that identifies a web service) - but there's also such a thing already as encrypting the SNI with TLS 1.3, although I think it's not widely used.

Kurupira, which I haven't heard of before, being installed on the machine itself, can probably see exactly whatever URLs you're trying to access (maybe it runs as a sort of local forward proxy?), so that's quite a different setup.

In corporate environments (I know you're not interested in that, but just for the sake of comparison) you can have both agents on the machines themselves and firewalls which communicate with these agents (e.g. Palo Alto) to obtain a whole perspective over your network and machines.
 
Old 12-10-2021, 05:26 PM   #6
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,593

Rep: Reputation: 3539
Usually on a system that has some sort of firewall one can use it to send internet to the LAN and be able to use that across LAN. Your LAN will connect to the Windows internet sharing and then go to WAN.
 
Old 07-03-2022, 12:22 AM   #7
des_a
Member
 
Registered: Sep 2006
Posts: 890

Original Poster
Blog Entries: 35

Rep: Reputation: 21
Posting here, because it's not really a new problem. I was researching it, and found out that maybe Squid can be configured to do this, with deep packet inspection, and if it's a transparent proxy, then it's harder to bypass (someone would have to reset a router or make their own network). Also it's easier to configure.

DD-WRT can do that, but it's hard and can't hold a bunch of stuff. Squid on a server machine might be second best, as far as cost. But Ubuntu Server needs to have Squid recompiled to have that feature enabled.

So that led me to OPNsense like was suggested. I installed it and tried to rewire. Due to the rewiring, there would have been a fire, if I left it wired that way, or machines would have burnt out. So I can't run it on my antsle, acting in an advanced configuration. So I decided to purchase hardware for it...

...Which led me to pfSense! That's because the hardware I bought can run either. It's more well documented. I hope I've got the community version on it, because I don't want to pay for it, unless I can't do it for free.

It's installed and working as far as the wiring. Now I just need to configure it! Please help me attempt to configure it. First thing is to "put mainrouter in the DMZ". That's what it's called under DD-WRT. Same thing, is what I want to do, but this time with mainrouter, which will allow my existing port forwards to work (I know it's not the best way, but it's good enough for now). Then I can begin testing the Squid functions. I may very well want to do more advanced stuff later. I could replace mainrouter, except for I can't, because I need wifi and I need it to be good at it. Can't install mainrouter as access point, because it's more complicated and harder to understand. Simpler to understand is way better.

By the way, just got done with school last month. College!
 
Old 07-04-2022, 09:35 PM   #8
des_a
Member
 
Registered: Sep 2006
Posts: 890

Original Poster
Blog Entries: 35

Rep: Reputation: 21
So I successfully port forwarded all ports to mainrouter. From home network, it won't let me access them with pfSense external ip domain name (no ip name). From other networks, it will let me now. So I guess, with a little adjustment, the first step really is done.

Now, for testing purposes, I need to make pfSense allow me to access things from outside from inside (using the no ip domain name from my own network). DD-WRT automatically does this, but I guess pfSense needs to be told. It probably thinks there's an attack if I try to do that, which is false. Then the first part will be complete. I can always go back and port forward other protocols or perhaps do a 1:1 NAT, if I have to.

Next step after that, is to start blocking things. As soon as I learn how, it will be good. I'm pretty certain I can do that, just need to learn how. I will also look at the pfSense docs, to see if I can figure it out. The only reason I couldn't figure this out before, is I'm lacking pfSense terms, and trying to use DD-WRT terms. If I have to, I'm okay with using OPNsense if pfSense fails. Just can't find enough docs to do it, but I heard it's definitely better, except that.
 
Old 07-04-2022, 09:38 PM   #9
des_a
Member
 
Registered: Sep 2006
Posts: 890

Original Poster
Blog Entries: 35

Rep: Reputation: 21
By the way, I'm trying to set up relatively like corporations, except smaller and cheaper, free of monthly costs if possible. This is just a home network though and I don't think for now it will ever be anything but that. It's just that some corporate technology works for me better than doing things a harder way. I've even considered NAC, but that's another story... Need most of it to either overcome or help with disability. Helps me achieve functions like organizing, when fixed again.
 
Old 07-05-2022, 05:06 PM   #10
yvesjv
Member
 
Registered: Sep 2015
Location: Australia
Distribution: Slackware, Devuan, Freebsd
Posts: 274

Rep: Reputation: Disabled
@Vincix is absolutely correct towards DPI functionality for what you want to do.
You will not be able to block URLs without putting a certificate on every client device and then having another device/router acting as the mtm. This mtm will be doing the redirecting/blocking and logging.
We used something like that in the past and it is serious enterprise gear and not cheap. I deep dived into one while I had support investigate a 'bug' and it was Linux inside ( ͡~ ͜ʖ ͡)

Btw, DNS is now encrypted to and from your browser...

You could look at other software to load onto the client devices such as Net Nanny, Pluckeye, etc..

Last edited by yvesjv; 07-05-2022 at 05:09 PM.
 
Old 08-29-2022, 04:39 PM   #11
des_a
Member
 
Registered: Sep 2006
Posts: 890

Original Poster
Blog Entries: 35

Rep: Reputation: 21
I'm pretty sure my pfSense that I invested in will work. Closing not because it's completely solved yet (yet to be implemented), but because actually doing it, is really a separate task from trying to find out what will work. Also closing for age. Just wanted you to know before I did that though. I can always start another if I really need to, but the intent is not to go rambling on when I think I have the hardware, just not yet the software ability to do it. And there's enough suggestions that I can always, now understanding more, try another if I'm wrong. Hopefully that makes sense! Closing!
 
  

