[K12OSN] Censornet help

Dimitri Yioulos dyioulos at firstbhph.com
Wed Apr 26 12:59:19 UTC 2006


On Tuesday April 25 2006 7:36 pm, David Whitmer wrote:
> > Hi to all.
> >
> > I was wondering if anyone's using Censornet.  I've installed the latest
> > version on CentOS 3.6.  No matter what I try, I can't get it to work.
> >
> > Some info.:  I'm using iptables to connect/protect my LAN and DMZ.  The
> > interfaces are eth0 (public), eth1 (private, 192.168.100.1/22), and eth2
> > (DMZ, 192.168.1.1/24).  I've given the Censornet box the address
> > 192.168.100.14/22.  It's in bridged mode.  I believe I have everything
> > configured correctly.  Censornet finds and configures the 3COM nics.  I've
> > tried different wiring combinations between the LAN, router private
> > interface, and the two Censornet interfaces.  Depending on the wiring, I get
> > a) connected to the internet without being authenticated or, b) not connected
> > or, c) (if I specify a proxy in the Web browser, which I'd rather not do)
> > prompted repeatedly for uname and pw without ever connecting; if I cancel the
> > prompt, I'm told I don't have authorization to use the Web.  Grrrrrrr!
> >
> > Is anyone using the current version of Censornet in a setting like mine who
> > can show me the error of my IT ways?  The help would, as always, be greatly
> > appreciated.
> >
> > Dimitri
>
> Dimitri,
>
> Along with checking the Censornet forums, have you
> also tried their FAQ? (http://www.censornet.com/faq/)
>
> Have you tried to access the Internet directly from
> the Censornet box itself, to make sure it can access
> the Internet okay?
>
> We're not yet using the latest version of Censornet,
> but at least with ours, you DO have to set the proxy
> address and port information in web browsers.  (Though
> with K12LTSP, I can just set that once in all.js
> rather than every individual PC.)
>
> By default, Censornet expects web browsers to connect
> to it on port 8080 (in your case,
> 192.168.100.14:8080).  When the browser first
> connects, you'll be prompted for a username &
> password.  Here you enter a username & password
> created through Censornet web-based admin interface.
> If you just press cancel instead (your option (c) I
> think), then it will deny web access to that computer.
> That's the way Censornet is designed to work... it's
> an authenticating proxy with filtering.  Much of its
> web-access restrictions and reporting are based on
> usernames.
>
> Brian mentioned the Censornet forums.  I believe that
> in the past, setting up transparent proxy-based
> filtering has been often discussed on their forums.
> In short, Censornet isn't designed to do that, though
> it can be "hacked" to make it work that way.
>
> I hope this helps!
>
> David Whitmer
> Media and Technology Director
> Calvary Schools of Holland (Michigan)
>

David, Mark, and Brian,

Thanks for your responses!

I'm guilty of sometimes jumping the gun by not reading FAQs, etc. carefully, 
then posting a question for which I could have come up with the answer, thus 
wasting people's time.  But, not in this case, I believe.  I've read the 
FAQs, perused the forum, posted my question there, and ... no joy.  I've 
always been impressed with how knowledgeable people are on this list, and how 
willing to help, so I thought I'd ask here.

I will say that my general set-up here has worked great for nearly two years - 
iptables/netfilter, samba, sendmail, apache, OpenVPN, Wildfire (Jabber), 
etc., etc.  So, it's been very frustrating trying to set up Censornet and not 
have it work as expected.

In the Censornet Web site, under Support, there's a section called Network 
Diagrams.  I'm trying to set up the second of the schemes, Standard Bridge 
Mode.  The write-up states:

"This is the most common form of Bridged CensorNet design. Note that we never 
recommend the use of Bridge Mode unless you have your own firewall to protect 
your perimeter. Although the CensorNet still has two network cards, connected 
in a similar fashion to the Basic Router Mode option, it only has one IP 
address, purely for administration purposes. The firewall shown in the 
diagram will have an internal address on the same subnet as the rest of the 
local LAN."

So, just as in the diagram, I've tried this:

                      internet
                          |
                       router
                          |
                      firewall--------DMZ
                          |
                      Censornet
                          |
                       Switch
                          |
                         LAN

I've also tried this:

                      internet
                          |
                       router
                          |
                      firewall--------DMZ
                          |
                       Switch
                          |   (one or both interfaces connected)
                      Censornet
                          |
                         LAN

I'm able to get both user and workstation data from our AD server into 
Censornet.  I'm able to reach the Censornet Web admin gui from my 
workstation.  I'm able to ping both my workstation and an outside site from 
the Censornet box.  I've set up the correct address and port in Web browser 
proxy settings.  Depending on how I wire the Censornet box to the firewall 
and/or LAN, at worst I'm continually prompted for a uname and pw.  At best, 
I'll get a Censornet "Authentication Failed" message.

As to this last, there's obviously an authentication problem.  Remember, I can 
see both users and workstations in the Censornet Web gui.  All the proper 
access permissions are set for both.  But, I have no idea whether it's an 
iptables issue or a Censornet issue.  A perusal of the logs on both systems 
shows nothing.

Arrrrrgh!

I'll take a look at the Freshmeat article.  Now, I don't want to take up 
anyone's time needlessly for what is, at best, a narrow problem.  But, it 
sure would be nice to get the blinkin' thing workin'.

Dimitri
