Regarding item 5, this sounds a lot like moblock, which has all of the features you described, with lots of ways to define whitelist/blacklist traffic and use custom lists for the same.
-- Sent from my Palm Pre

On Oct 27, 2010 23:58, Michael C. Robinson <plu...@robinson-west.com> wrote:

> 1) I want to go from clear text passwords in flat text files accessed by a perl based cgi script to possibly salted passwords in a database.
> 2) I want a daemon operating on the firewall machines that can detect inactivity and close out that host(s).
> 3) I want redirecting when a user tries to go out and the firewall is closed, but I don't want to force everyone through a proxy.
> 4) I want my web page to have a feature that allows web based adding and editing of computers, users, passwords, and access profiles.
> 5) I want a black list and/or a white list of Internet sites, but I don't want to implement this via a proxy. OpenDNS would be the preferred way to implement this.
>
> I don't know how to do 1-5. Concerning 2, I wonder if sleeping computers will answer ping probes? With regard to a daemon, I'm not certain how to write one, let alone how to detect inactivity across a firewall for a specific period of time. Item 3 is done on PSU's wireless network, but maybe they use a proxy. Item 4 is something of an upgrade to my existing system. Item 5 seems to be a necessity to get around OpenDNS's shortcomings.
>
> If I have to blacklist locally and I can do this without using a proxy, maybe I can integrate editing of the black lists/white lists into my existing web page. I can use php or perl I suppose. Can I throw packets to user space, find out where they are trying to go, check if a name on a black list or white list resolves to the destination IP, and then dynamically decide what to do with the packet at the packet layer? What is the best way to do this? Should I implement a DNS based ip blacklist where external ip addresses are mapped to 127.0.0.x addresses? Maybe I should mimic postfix's hash files and read these files using perl. I'm thinking something like:
>
> some.bad.site   DROP    # Blacklisted
> some.good.site  ACCEPT  # Whitelisted
> .
> .
> .
> I guess I need a simple caching name server that updates every time the retrieved information can change to go the hash file route. The cache should be populated with the listed names.
>
> Item 5 is what I need to implement ASAP. I guess one option is to have an iptables chain called whitelist and another one called blacklist. Trouble is, how do I keep the ip addresses in these chains correct? One look up is enough, I don't want to check every single packet.

_______________________________________________
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
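Added example for item 5, not from either poster: a small script that reads the postfix-style "name ACTION # comment" file the original message sketches, resolves each name, and emits iptables commands that flush and refill the two chains proposed (whitelist and blacklist). The resolver is injected so the parser and rule builder run offline against a constructed name-to-address map; the chain names, the one-lookup-then-refill approach and the sample list are my assumptions, not anything from the thread. Keeping the chains correct is then a matter of re-running the script on a timer or whenever the file changes, rather than looking at every packet in user space.

```python
"""Added example (not code from the PLUG thread): turn a postfix-style
'name ACTION # comment' list into iptables rules for a whitelist chain and
a blacklist chain.

Assumptions (mine): the two chains already exist and are jumped to from
FORWARD; a resolver callable is injected so the logic can be tested without
DNS; the operator re-runs this whenever the list changes or on a timer."""

import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample of the format proposed in the thread (not a real list).
SAMPLE_LIST = """\
# constructed sample, not a real block list
some.bad.site    DROP    # Blacklisted
some.good.site   ACCEPT  # Whitelisted
another.bad.site DROP
bogus.entry      REJECT  # unsupported action, gets reported
"""

# Constructed name -> addresses map that stands in for DNS in offline runs.
FAKE_DNS: Dict[str, List[str]] = {
    "some.bad.site": ["198.51.100.10", "198.51.100.11"],
    "some.good.site": ["203.0.113.5"],
    "another.bad.site": [],  # name that does not resolve
}

Resolver = Callable[[str], List[str]]

# Which chain each action belongs in.
ACTIONS = {"DROP": "blacklist", "ACCEPT": "whitelist"}


def parse_list(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return ((name, action) pairs, error messages).

    Blank and comment-only lines are skipped. A malformed line or an
    unsupported action is reported rather than silently accepted, so a typo
    in the list cannot quietly open or close traffic."""
    entries: List[Tuple[str, str]] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            errors.append(f"line {lineno}: expected 'name ACTION'")
            continue
        name, action = parts[0].lower(), parts[1].upper()
        if action not in ACTIONS:
            errors.append(f"line {lineno}: unsupported action {action}")
            continue
        entries.append((name, action))
    return entries, errors


def system_resolver(name: str) -> List[str]:
    """Real IPv4 lookup through the system resolver; empty list on failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def build_rules(entries: List[Tuple[str, str]],
                resolve: Resolver) -> Tuple[List[str], List[str]]:
    """Translate entries into iptables commands.

    Both chains are flushed first so addresses from a previous run that no
    longer belong disappear. Names that do not resolve are returned
    separately so the operator can see why nothing was added for them."""
    rules = ["iptables -F whitelist", "iptables -F blacklist"]
    unresolved: List[str] = []
    for name, action in entries:
        addrs = resolve(name)
        if not addrs:
            unresolved.append(name)
            continue
        chain = ACTIONS[action]
        for ip in addrs:
            rules.append(f"iptables -A {chain} -d {ip} -j {action}")
    return rules, unresolved


if __name__ == "__main__":
    found, problems = parse_list(SAMPLE_LIST)
    for p in problems:
        print("warning:", p)
    cmds, missing = build_rules(found, lambda n: FAKE_DNS.get(n, []))
    for c in cmds:
        print(c)  # pipe to sh once you trust the output
    for m in missing:
        print("warning: no address for", m)
```

Run as-is it prints the commands instead of executing them; swap the lambda for system_resolver and pipe the output to sh on the firewall once the list looks right. A name that resolves to several addresses gets one rule per address, and a name that stops resolving simply drops out of the chain on the next run.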
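Added example for item 1, again not from either poster: migrating a flat file of clear text passwords to per-user salted, iterated hashes and verifying a login against the result. The "user:password" line format of the flat file, the PBKDF2 work factor and the in-memory dict standing in for the database table are my assumptions; the sample credentials are constructed.

```python
"""Added example (not code from the PLUG thread): move clear text passwords
from a flat file to salted, iterated hashes, and check a login against them.

Assumptions (mine): the flat file holds one 'user:password' per line; the
target store is a dict keyed by user name holding the same three fields a
database row would (salt, hash, iterations)."""

import hashlib
import hmac
import os
from typing import Dict

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; raise it over time
SALT_BYTES = 16

# Constructed sample flat file; these are not real credentials.
FLAT_FILE = """\
# user:password, constructed sample
alice:correct horse battery staple
bob:hunter2
"""

Record = Dict[str, str]


def hash_password(password: str, salt: bytes,
                  iterations: int = ITERATIONS) -> bytes:
    """Derive a fixed-length key from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations)


def make_record(password: str) -> Record:
    """Fresh random salt per user, so equal passwords give different hashes."""
    salt = os.urandom(SALT_BYTES)
    return {
        "salt": salt.hex(),
        "hash": hash_password(password, salt).hex(),
        "iterations": str(ITERATIONS),
    }


def migrate(flat_text: str) -> Dict[str, Record]:
    """Read the clear text file once and produce the hashed store.

    After this runs the flat file should be securely deleted; nothing in the
    store lets the original passwords be recovered."""
    store: Dict[str, Record] = {}
    for lineno, line in enumerate(flat_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected user:password")
        user, password = line.split(":", 1)
        store[user.strip()] = make_record(password)
    return store


def verify(store: Dict[str, Record], user: str, password: str) -> bool:
    """Constant-time comparison of the stored hash with a fresh derivation."""
    rec = store.get(user)
    if rec is None:
        # Do the same work for an unknown user so timing does not reveal
        # which user names exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    expected = bytes.fromhex(rec["hash"])
    actual = hash_password(password, bytes.fromhex(rec["salt"]),
                           int(rec["iterations"]))
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    db = migrate(FLAT_FILE)
    for name, rec in db.items():
        print(name, rec["salt"], rec["hash"][:16] + "...")
    print("alice ok:", verify(db, "alice", "correct horse battery staple"))
    print("alice wrong:", verify(db, "alice", "hunter2"))
```

Storing the iteration count next to each hash is what lets you raise the work factor later and re-hash users one at a time as they log in, instead of resetting everyone. The same three fields map directly onto columns in whatever database the perl cgi script ends up talking to.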