[PLUG] slightly OT, Internet media and OpenDNS...

Michael C. Robinson plug_1 at robinson-west.com
Thu Oct 28 06:57:39 UTC 2010


1) I want to go from clear text passwords in flat text files accessed 
   by a perl based cgi script to possibly salted passwords in a
   database.

2) I want a daemon operating on the firewall machines that can detect  
   inactivity and close out that host(s).

3) I want redirecting when a user tries to go out and the firewall is
   closed, but I don't want to force everyone through a proxy.

4) I want my web page to have a feature that allows web based adding
   and editing of computers, users, passwords, and access profiles.

5) I want a black list and/or a white list of Internet sites, but I 
   don't want to implement this via a proxy.  OpenDNS would be the
   preferred way to implement this.

I don't know how to do 1-5.  Concerning 2, I wonder if sleeping
computers will answer ping probes?  With regard to a daemon, I'm
not certain how to write one let alone how to detect inactivity
across a firewall for a specific period of time.  Item 3 is done on
PSU's wireless network, but maybe they use a proxy.  Item 4 is 
something of an upgrade to my existing system.  Item 5 seems to
be a necessity to get around OpenDNS's shortcomings.

If I have to blacklist locally and I can do this without using a proxy,
maybe I can integrate editing of the black lists/white lists 
into my existing web page.  I can use PHP or Perl, I suppose.

Can I throw packets to user space, find out where they are trying to
go, check if a name on a black list or white list resolves to
the destination IP, and then dynamically decide what to do with the
packet at the packet layer?  What is the best way to do this?  Should I
implement a DNS-based IP blacklist where external IP addresses are
mapped to 127.0.0.x addresses?  Maybe I should mimic Postfix's hash
files and read these files using Perl.  I'm thinking something like:
some.bad.site	DROP     # Blacklisted
some.good.site	ACCEPT   # Whitelisted
.
.
.
I guess I need a simple caching name server that updates every time the
retrieved information can change to go the hash file route.  The cache
should be populated with the listed names.

Item 5 is what I need to implement ASAP.

I guess one option is to have an iptables chain called whitelist and
another one called blacklist.  Trouble is, how do I keep the IP
addresses in these chains correct?  One lookup is enough; I don't 
want to check every single packet.
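A worked example of the hash-file idea combined with the whitelist/blacklist chains, added here and not part of the original post: it parses the proposed `name<TAB>DROP|ACCEPT # comment` format, resolves each name once, and emits the iptables commands that refill the two chains, so no packet ever has to be pushed to user space. It is in Python rather than the Perl the post mentions; the chain names, the assumption that they are jumped to from `FORWARD` (whitelist first), and the resolver are mine.

```python
import socket
from typing import Callable, Dict, List

# Constructed sample in the format proposed in the post: name, action, comment.
SAMPLE_TABLE = """\
# hash-style access table (constructed sample)
some.bad.site\tDROP     # Blacklisted
some.good.site\tACCEPT   # Whitelisted
"""

# Action -> chain that holds it (chain names are an assumption, not from the post).
ACTIONS = {"DROP": "blacklist", "ACCEPT": "whitelist"}


def parse_access_table(text: str) -> Dict[str, str]:
    """Return {hostname: action}; '#' starts a comment, blank lines are skipped."""
    table: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or fields[1].upper() not in ACTIONS:
            raise ValueError(f"line {lineno}: expected '<name> DROP|ACCEPT', got {raw!r}")
        table[fields[0].lower().rstrip(".")] = fields[1].upper()
    return table


def resolve_dns(name: str) -> List[str]:
    """One real lookup per name per reload: current IPv4 addresses, deduplicated."""
    return sorted(set(socket.gethostbyname_ex(name)[2]))


def iptables_rules(table: Dict[str, str],
                   resolve: Callable[[str], List[str]] = resolve_dns) -> List[str]:
    """Commands that flush and refill the chains from the table.

    Assumes the chains exist (iptables -N) and FORWARD jumps to whitelist before
    blacklist, so an ACCEPT match wins.  Re-running this on every table change
    (or DNS TTL expiry) is what keeps the addresses in the chains correct.
    """
    rules = [f"iptables -F {chain}" for chain in ACTIONS.values()]
    for name, action in sorted(table.items()):
        for ip in resolve(name):
            rules.append(f"iptables -A {ACTIONS[action]} -d {ip} -j {action}")
    return rules


if __name__ == "__main__":
    # Constructed answers so the demo runs offline; swap in resolve_dns for real use.
    fake_dns = {"some.bad.site": ["192.0.2.10"], "some.good.site": ["198.51.100.20"]}
    print("\n".join(iptables_rules(parse_access_table(SAMPLE_TABLE), fake_dns.__getitem__)))
```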
