[K12OSN] RE: PII and Dansguardian, traffic shaping and more...Warning - long post

Sean Harbour SHarbour at nwresd.k12.or.us
Sun Mar 6 00:53:31 UTC 2005


>I've set up a firewall using an old PII with Smoothwall Express [1],
>Squid, and DansGuardian.  Smoothwall has a setting to run as a
>transparent filter.  Seems to work pretty well.  I don't know if
>there might be throughput limits but it's worked fine on my small
>home network.

>http://www.smoothwall.org/

>-- 
>Henry

A PII 233 running Dansguardian will handle around 20-30 active internet users OK. A PII 400 handles it better, with noticeably quicker response. Note that 20-30 active internet users in a typical school translates to about 200 or so computers total, of which about 20-30 are actually using the internet at any particular instant. The rest are running at idle, reading content that they have already downloaded, or running local applications. I would recommend around a P3-600 or so with at least 256MB RAM; 512 is better. A 1 GHz CPU is plenty, any more is probably overkill, but your situation may vary.

Some of the schools I support use online testing, which can stress the internet connection a bit. Usually the proxy is not the bottleneck though; it will typically be the internet connection speed. A lab or two of kids doing tests over the internet will max out a T1. Keep in mind that using a caching proxy for a school of this size will typically save 25% of your internet bandwidth used for web surfing, so it's a good thing.

A good rule of thumb: as long as the CPU on your proxy is running at 70 percent utilization, with 100 percent spikes that last a second or two at your busiest time of the day, you are okay, but just barely. Typical load values should tend around .5 to 2, maybe jumping up to 3 or 4 for a minute or two during your busy times. Anything more than this, upgrade the proxy box.

http://www.ipcop.org is a viable alternative to Smoothwall. It's a derivative of Smoothwall, but there is no 'Lite' and 'Pro' version like in Smoothwall; with IPCop you get all the features for free. There is a Dansguardian plugin for it that will work in transparent mode, though I have noticed the link to the administrative webpage for DG is missing from the main admin page on the latest IPCop distro out of the box. Typing it in directly works; take a look at the cgi-bin directory for the file name.

Setting this up, provided you have the hardware lying around, takes about half an hour. You will have to transfer some files to the Dansguardian box from a box with a web browser after the install, which means you need to use PuTTY's scp or similar from a Windows box, or scp from an existing Linux box.

Average hardware would be a PII 400, 256MB RAM, 2 ethernet cards (3Com or Intel preferred, but most will work fine), and a 2 GB hard drive. You can temporarily attach an IDE CDROM for the installation, but it doesn't need to stay on the machine after the install is complete. If you want a separate DMZ or wireless network, throw in a few more ethernet cards.

This gives you an easy to install, easy to admin, full featured firewall that will handle 100-200 computers.

A real bonus with IPCop is the traffic shaping option. Not sure if Smoothwall has that yet or not. Set up correctly, you can keep web browsing and other high priority traffic working smoothly while other traffic that would normally swamp your connection is also running. I have 4Mb cable internet at home, and a couple of BitTorrent sessions downloading installation CDROM images makes internet browsing feel like I am on dial-up again. With traffic shaping turned on, I can barely tell that my connection is almost maxed out. You won't believe the difference. If you have a problem with FTP or RealAudio traffic slowing down legitimate browsing, you can make a huge difference. The limitation is that the traffic shaper can only adjust bandwidth by TCP port. This means you can classify FTP traffic as low priority on TCP port 21, and keep HTTP traffic on TCP port 80 more responsive by giving it a medium priority. FTP users won't really notice the difference in download speed, but web browsing will be a lot more usable if the FTP downloads are maxing out the connection. The downside is that the simple traffic shaping included with IPCop cannot differentiate between different types of traffic using the same TCP port. Still, it's pretty good.

I hope this is helpful to someone.

Sean Harbour
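As an added illustration of the port-based shaping Sean describes above (this is example code written for this page, not Sean's configuration and not IPCop's shaper), here is a small Python simulation of a strict-priority scheduler that classifies packets only by TCP destination port: HTTP (80) medium, FTP (20/21) low, everything else medium. The flows, packet sizes, link capacity and the port-to-class table are all constructed assumptions; nothing here touches a real network. It shows the three things the post claims: browsing delay collapses to zero once the FTP download is in a lower class, the FTP download loses very little throughput, and a bulk download that happens to run over port 80 cannot be told apart from browsing.

```python
"""Constructed simulation of a port-classified strict-priority shaper.

Assumptions (not from the original post): a link that carries a fixed
number of bytes per tick, 1500-byte packets, and the PORT_PRIORITY table
below. Lower class number = served first; FIFO inside a class; a packet is
never split across ticks.
"""
from collections import deque
from dataclasses import dataclass

# Class per TCP destination port. Class 1 is left free for anything you
# would rate above web browsing; unlisted ports land in the medium class.
PORT_PRIORITY = {80: 2, 443: 2, 21: 3, 20: 3}
DEFAULT_PRIORITY = 2


@dataclass(frozen=True)
class Flow:
    name: str
    dst_port: int
    pkt_size: int   # bytes per packet
    burst: int      # packets emitted each time the flow fires
    every: int      # fire every N ticks (1 = every tick)


def by_port(port: int) -> int:
    """Shaper classifier: priority depends on the port and nothing else."""
    return PORT_PRIORITY.get(port, DEFAULT_PRIORITY)


def fifo(port: int) -> int:
    """Unshaped link: a single class, pure FIFO."""
    return 0


def simulate(flows, link_bytes_per_tick, ticks, classify):
    """Run the scheduler and return, per flow, the mean queueing delay in
    ticks and the bytes delivered, counting only packets that got through
    before the simulation ended."""
    queues = {}                                  # class -> deque of (arrival_tick, flow)
    delays = {f.name: [] for f in flows}
    delivered = {f.name: 0 for f in flows}
    for t in range(ticks):
        for f in flows:                          # arrivals for this tick
            if t % f.every == 0:
                q = queues.setdefault(classify(f.dst_port), deque())
                for _ in range(f.burst):
                    q.append((t, f))
        budget = link_bytes_per_tick             # service for this tick
        for prio in sorted(queues):
            q = queues[prio]
            while q and q[0][1].pkt_size <= budget:
                arrived, f = q.popleft()
                budget -= f.pkt_size
                delays[f.name].append(t - arrived)
                delivered[f.name] += f.pkt_size
            if q:    # head of a higher class does not fit: lower classes must not jump it
                break
    return {
        f.name: {
            "mean_delay": sum(delays[f.name]) / len(delays[f.name]) if delays[f.name] else None,
            "bytes": delivered[f.name],
        }
        for f in flows
    }


# Constructed traffic: a link worth two packets per tick, a light browsing
# flow, and a bulk download that alone offers 1.5x the link capacity.
LINK = 3000
TICKS = 200
BROWSING = Flow("web-browsing", 80, 1500, burst=1, every=5)
FTP_BULK = Flow("ftp-download", 21, 1500, burst=3, every=1)
HTTP_BULK = Flow("http-iso-download", 80, 1500, burst=3, every=1)


def unshaped():
    """FTP download and browsing sharing one FIFO queue."""
    return simulate([FTP_BULK, BROWSING], LINK, TICKS, fifo)


def shaped():
    """Same traffic with FTP classified low and HTTP medium."""
    return simulate([FTP_BULK, BROWSING], LINK, TICKS, by_port)


def shaped_same_port():
    """The limitation: a bulk download over port 80 shares the browsing class."""
    return simulate([HTTP_BULK, BROWSING], LINK, TICKS, by_port)


if __name__ == "__main__":
    for label, run in (("unshaped", unshaped), ("shaped", shaped),
                       ("shaped, bulk over 80", shaped_same_port)):
        print(label)
        for name, stats in run().items():
            print(f"  {name:20s} mean delay {stats['mean_delay']} ticks, "
                  f"{stats['bytes']} bytes delivered")
```

In the shaped run every browsing packet is served in the tick it arrives, while the FTP flow still gets whatever capacity is left over, which is most of it. Moving the bulk transfer onto port 80 puts it back in the same queue as the browsing and the delay returns, which is exactly why a per-port shaper cannot help against a large HTTP download.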