ban the internet (partial)

Support section for FREESCO v0.3.x

Post by strampke » Tue Sep 28, 2010 4:33 pm

In my office people use the internet every now and then for personal use.
I don't mind if this is in their own time.
I tried a bit of bi,192.168.0.13,0800,1200 and bi,192.168.0.13,1300,1700 in restrict.cfg
But I do want to allow the employees to mail and to visit authorised sites like http://77.243.231.175 ( http://www.freesco.info/support-forum) all the time.
How can I do a be,xxx.xxx.xxx.xxx followed by a ae,77.243.231.175 to exclude everything and allow a few?
BTW mail traffic must be possible too.

(I know junkbuster, privoxy etc can do the trick, but can Freesco 0.3.8 on its own perform this action?)
Who knows knows, who doesn't doesn't.
strampke
Junior Advanced Member
 
Posts: 150
Joined: Mon Jul 29, 2002 12:36 pm
Location: Delden, Netherlands

Re: ban the internet (partial)

Post by Lightning » Tue Sep 28, 2010 7:02 pm

> (I know junkbuster, privoxy etc can do the trick, but can Freesco 0.3.8 on its own perform this action?)
Hmmmm, you are forcing me to remember things that were before breakfast. But with a small amount of checking the answer is "no" using the built-in system.
So to do what you are asking would require some customized ipfwadm rules and some scripting to make it time based.

However the 04x series does have the capability of banning and allowing specific ports/subnets and is capable. ;)
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.
Lightning
FREESCO GOD !!
 
Posts: 3050
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Re: ban the internet (partial)

Post by strampke » Thu Sep 30, 2010 3:36 pm

Lewis, so you forced me to upgrade to 0.4.2
Got me out of this lazy, 'always being satisfied with the running version' situation.
OK 0.4.2 up and running.
Can you please give me a hint on how to accomplish this task of restricting access just using Freesco?
I did take a look at restrict.cfg but noticed nothing really different there.
Where is the clue?
Strampke

PS As always getting a Freesco version up and running from scratch was easy and fast.
I only had to copy the file for my 3COM NICs and the dhcp.cfg

Re: ban the internet (partial)

Post by Lightning » Thu Sep 30, 2010 7:46 pm

> Lewis, so you forced me to upgrade to 0.4.2
Hehe, if you can't tell I am truly sorry for having to force that upon you. :twisted:
> Can you please give me a hint on how to accomplish this task of restricting access just using Freesco?

You will need to do something like this
Code:
bl,192.168.1.0/24,700,1200
bl,192.168.1.0/24,1300,1700
alp,25,192.168.1.0/24,700,1200
alp,25,192.168.1.0/24,1300,1700
alp,110,192.168.1.0/24,700,1200
alp,110,192.168.1.0/24,1300,1700
These rules will allow full mail access at all times to everyone.

With regard to restricting external web sites to just the ones that you want to allow, that is not "CURRENTLY" possible with any version of FREESCO. But thinking about it, there is no reason it can't be included as an option in v0.4.3, as it is not released yet and the option is not terribly complicated to add. But it can easily be done manually as well with a firewall rule, such as
edit /rc/rc_user
Code:
$fire)
   ipfwadm -F -i masquerad -W $INET -S 192.168.1.0/24  -D 77.243.231.175
   ;;
The above would allow access to the main FREESCO web site even during ban periods to everyone. At least in theory, as I have not actually tested the above rule.

Re: ban the internet (partial)

Post by strampke » Fri Oct 01, 2010 5:06 pm

Ok I tried a bit of this and a bit of that

Setting the DNS to exclusive and setting the primary DNS to my Freesco box does not work.
In IE the restrictions are passed by.
Code:
0.0.0.0 hotmail.com     facebook.com    hyves.nl        twitter.com     msn.com

Why? do I ask myself and Lightning
Is there something wrong with my primary DNS setting which points to my Freesco box?

Adapting the restrict.cfg file works like a charm, however
Code:
be,65.54.0.0/16,800,1200
be,65.54.0.0/16,1300,1700

restricts a lot more than just hotmail
(I'd rather try to keep the world on the outside than to fence me in my own network as you showed in your example)

One more question:
Why did you get me to upgrade from 0.3.8 to 0.4.2?
In these examples there is nothing 0.4.2 can do which 0.3.8 can not accomplish!
I know..... you just want everyone to upgrade and therefore you make people too curious to be able to resist your suggestion!
For your information, your older Freesco versions are very reliable too Lewis.

Re: ban the internet (partial)

Post by Lightning » Fri Oct 01, 2010 6:56 pm

> In these examples there is nothing 0.4.2 can do which 0.3.8 can not accomplish!
No, that is NOT true; in my example there are the lines to allow email to function at all times using a "real" mail server. However, the detail that I was missing from your first question was the fact that you use "hotmail", which in my own eyes is really NOT mail even though it imitates mail.

As for dependability, I would never recommend an upgrade just for the purpose of running a newer system. There are versions of FREESCO that are more bug free than others, and the newer versions all have more features and capabilities than the older versions. The biggest issue here, I suspect, is that everyone who has used the 03x series for years and is familiar with using it doesn't like the new system as well to start with, because everything is laid out differently and is unfamiliar. Which is/was a difficult decision on my part to change in the first place. But with just a minor amount of time the reasoning behind the changes does show through. Especially when it comes to patches, packages and addons, including kernel changes and such with the new system.
> Setting the DNS to exclusive and setting the primary DNS to my Freesco box does not work.
> In IE the restrictions are passed by.
This statement cannot be true unless the firewall was not restarted and DNS restarted, or a reboot did not occur after this change. It also could happen if the URL in question is being used with a different precursor or extension and the name does not match exactly. So you may need to add to those entries like "www.facebook.com" and any other variation on the URL that could be used.

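Lightning's point about exact name matching, as an added example that is not part of the original thread: the script takes the hosts-style line strampke posted and lists the requested names that sit under a listed domain without being listed themselves. The query list is constructed sample data, and the exact-match lookup behaviour is assumed to be as Lightning describes it.

```shell
#!/bin/sh
# Added example: find names that an exact-match hosts blocklist lets through.
# Blocklist line as posted in the thread; QUERIES is constructed sample data.
BLOCKLIST='0.0.0.0 hotmail.com     facebook.com    hyves.nl        twitter.com     msn.com'
QUERIES='facebook.com www.facebook.com WWW.Twitter.com. notfacebook.com hyves.nl'

# normalize NAME: lower-case and drop a trailing dot (DNS names compare this way).
normalize() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# blocked_names LINE: print the host names on a hosts-style line, one per line.
blocked_names() {
    set -f; set -- $1; set +f   # split on whitespace without globbing
    shift                       # drop the address field
    for n in "$@"; do normalize "$n"; done
}

# classify LINE NAME: print "exact", "parent:<entry>" or "none".
#   exact  -> the name itself is listed, so an exact-match lookup blocks it
#   parent -> only a parent domain is listed, so exact matching lets it through
classify() {
    q=$(normalize "$2")
    for e in $(blocked_names "$1"); do
        if [ "$q" = "$e" ]; then echo exact; return 0; fi
    done
    for e in $(blocked_names "$1"); do
        case "$q" in
            *".$e") echo "parent:$e"; return 0 ;;
        esac
    done
    echo none
}

# missing_entries LINE QUERIES: names that need their own blocklist entry.
missing_entries() {
    for name in $2; do
        case "$(classify "$1" "$name")" in
            parent:*) normalize "$name" ;;
        esac
    done
}

missing_entries "$BLOCKLIST" "$QUERIES"
```

Feeding it the names seen in the DNS query log instead of the sample list shows which variants still need their own entry.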
