[K12OSN] Censornet help
Brian Chivers
brian at portsmouth-college.ac.uk
Wed Apr 26 13:38:59 UTC 2006
Dimitri Yioulos wrote:
> On Tuesday April 25 2006 7:36 pm, David Whitmer wrote:
>>> Hi to all.
>>>
>>> I was wondering if anyone's using Censornet. I've installed the latest
>>> version on CentOS 3.6. No matter what I try, I can't get it to work.
>>>
>>> Some info.: I'm using iptables to connect/protect my LAN and DMZ. The
>>> interfaces are eth0 (public), eth1 (private, 192.168.100.1/22), and eth2
>>> (DMZ, 192.168.1.1/24). I've given the Censornet box the address
>>> 192.168.100.14/22. It's in bridged mode. I believe I have everything
>>> configured correctly. Censornet finds and configures the 3COM nics. I've
>>> tried different wiring combinations between the LAN, router private
>>> interface, and the two Censornet interfaces. Depending on the wiring, I get
>>> a) connected to the internet without being authenticated or, b) not connected
>>> or, c) (if I specify a proxy in the Web browser, which I'd rather not do)
>>> prompted repeatedly for uname and pw without ever connecting; if I cancel the
>>> prompt, I'm told I don't have authorization to use the Web. Grrrrrrr!
>>>
>>> Is anyone using the current version of Censornet in a setting like mine who
>>> can show me the error of my IT ways? The help would, as always, be greatly
>>> appreciated.
>>>
>>> Dimitri
>> Dimitri,
>>
>> Along with checking the Censornet forums, have you
>> also tried their FAQ? (http://www.censornet.com/faq/)
>>
>> Have you tried to access the Internet directly from
>> the Censornet box itself, to make sure it can access
>> the Internet okay?
>>
>> We're not yet using the latest version of Censornet,
>> but at least with ours, you DO have to set the proxy
>> address and port information in web browsers. (Though
>> with K12LTSP, I can just set that once in all.js
>> rather than every individual PC.)
>>
>> By default, Censornet expects web browsers to connect
>> to it on port 8080 (in your case,
>> 192.168.100.14:8080). When the browser first
>> connects, you'll be prompted for a username &
>> password. Here you enter a username & password
>> created through Censornet web-based admin interface.
>> If you just press cancel instead (your option (c) I
>> think), then it will deny web access to that computer.
>> That's the way Censornet is designed to work... it's
>> an authenticating proxy with filtering. Much of its
>> web-access restrictions and reporting are based on
>> usernames.
>>
>> Brian mentioned the Censornet forums. I believe that
>> in the past, setting up transparent proxy-based
>> filtering has been often discussed on their forums.
>> In short, Censornet isn't designed to do that, though
>> it can be "hacked" to make it work that way.
>>
>> I hope this helps!
>>
>> David Whitmer
>> Media and Technology Director
>> Calvary Schools of Holland (Michigan)
>>
>> __________________________________________________
>> Do You Yahoo!?
>> Tired of spam? Yahoo! Mail has the best spam
>> protection around
>> http://mail.yahoo.com
>>
>> _______________________________________________
>> K12OSN mailing list
>> K12OSN at redhat.com
>> https://www.redhat.com/mailman/listinfo/k12osn
>> For more info see <http://www.k12os.org>
>
> David, Mark, and Brian,
>
> Thanks for your responses!
>
> I'm guilty of sometimes jumping the gun by not reading FAQs, etc. carefully,
> then posting a question for which I could have come up with the answer, thus
> wasting people's time. But, not in this case, I believe. I've read the
> FAQs, perused the forum, posted my question there, and ... no joy. I've
> always been impressed with how knowledgeable people are on this list, and how
> willing to help, so I thought I'd ask here.
>
> I will say that my general set-up here has worked great for nearly two years -
> iptables/netfilter, samba, sendmail, apache, OpenVPN, Wildfire (Jabber),
> etc., etc. So, it's been very frustrating trying to set up Censornet and not
> have it work as expected.
>
> In the Censornet Web site, under Support, there's a section called Network
> Diagrams. I'm trying to set up the second of the schemes, Standard Bridge
> Mode. The write-up states:
>
> "This is the most common form of Bridged CensorNet design. Note that we never
> recommend the use of Bridge Mode unless you have your own firewall to protect
> your perimeter. Although the CensorNet still has two network cards, connected
> in a similar fashion to the Basic Router Mode option, it only has one IP
> address, purely for administration purposes. The firewall shown in the
> diagram will have an internal address on the same subnet as the rest of the
> local LAN."
>
> So, just as in the diagram, I've tried this:
>
> internet
> |
> router
> |
> firewall--------DMZ
> |
> Censornet
> |
> Switch
> |
> LAN
>
> I've also tried this:
>
> internet
> |
> router
> |
> firewall--------DMZ
> |
> Switch
> | (one or both interfaces connected)
> Censornet
> |
> LAN
>
> I'm able to get both user and workstation data from our AD server into
> Censornet. I'm able to reach the Censornet Web admin gui from my
> workstation. I'm able to ping both my workstation and an outside site from
> the Censornet box. I've set up the correct address and port in Web browser
> proxy settings. Depending on how I wire the Censornet box to the firewall
> and/or LAN, at worst I'm continually prompted for a uname and pw. At best,
> I'll get a Censornet "Authentication Failed" message.
>
> As to this last, there's obviously an authentication problem. Remember, I can
> see both users and workstations in the Censornet Web gui. All the proper
> access permissions are set for both. But, I have no idea whether it's an
> iptables issue or a Censornet issue. A perusal of the logs on both systems
> shows nothing.
>
> Arrrrrgh!
>
> I'll take a look at the Freshmeat article. Now, I don't want to take up
> anyone's time needlessly for what is, at best, a narrow problem. But, it
> sure would be nice to get the blinkin' thing workin'.
>
> Dimitri
>
Have you checked that both servers are within 5 minutes (clockwise) of each other? I know this
problem comes up a lot on the Censornet forums.
Brian
---------------------------------------------------------------
The views expressed here are my own and not necessarily
the views of Portsmouth College