[K12OSN] Censornet help

Brian Chivers brian at portsmouth-college.ac.uk
Wed Apr 26 13:38:59 UTC 2006


Dimitri Yioulos wrote:
> On Tuesday April 25 2006 7:36 pm, David Whitmer wrote:
>>> Hi to all.
>>>
>>> I was wondering if anyone's using Censornet.  I've
>>> installed the latest
>>> version on CentOS 3.6.  No matter what I try, I
>>> can't get it to work.
>>>
>>> Some info.:  I'm using iptables to connect/protect
>>> my LAN and DMZ.  The
>>> interfaces are eth0 (public), eth1 (private,
>>> 192.168.100.1/22), and eth2
>>> (DMZ, 192.168.1.1/24).  I've given the Censornet box
>>> the address
>>> 192.168.100.14/22.  It's in bridged mode.  I believe
>>> I have everything
>>> configured correctly.  Censornet finds and
>>> configures the 3COM nics.  I've
>>> tried different wiring combinations between the LAN,
>>> router private
>>> interface, and the two Censornet interfaces.
>>> Depending on the wiring, I get
>>> a) connected to the internet without being
>>> authenticated or, b) not connected
>>> or, c) (if I specify a proxy in the Web browser,
>>> which I'd rather not do)
>>> prompted repeatedly for uname and pw without ever
>>> connecting; if I cancel the
>>> prompt, I'm told I don't have authorization to use
>>> the Web.  Grrrrrrr!
>>>
>>> Is anyone using the current version of Censornet in
>>> a setting like mine who
>>> can show me the error of my IT ways?  The help
>>> would, as always, be greatly
>>> appreciated.
>>>
>>> Dimitri
>> Dimitri,
>>
>> Along with checking the Censornet forums, have you
>> also tried their FAQ? (http://www.censornet.com/faq/)
>>
>> Have you tried to access the Internet directly from
>> the Censornet box itself, to make sure it can access
>> the Internet okay?
>>
>> We're not yet using the latest version of Censornet,
>> but at least with ours, you DO have to set the proxy
>> address and port information in web browsers.  (Though
>> with K12LTSP, I can just set that once in all.js
>> rather than every individual PC.)
>>
>> By default, Censornet expects web browsers to connect
>> to it on port 8080 (in your case,
>> 192.168.100.14:8080).  When the browser first
>> connects, you'll be prompted for a username &
>> password.  Here you enter a username & password
>> created through Censornet web-based admin interface.
>> If you just press cancel instead (your option (c) I
>> think), then it will deny web access to that computer.
>>  That's the way Censornet is designed to work... it's
>> an authenticating proxy with filtering.  Much of its
>> web-access restrictions and reporting are based on
>> usernames.
>>
>> Brian mentioned the Censornet forums.  I believe that
>> in the past, setting up transparent proxy-based
>> filtering has been often discussed on their forums.
>> In short, Censornet isn't designed to do that, though
>> it can be "hacked" to make it work that way.
>>
>> I hope this helps!
>>
>> David Whitmer
>> Media and Technology Director
>> Calvary Schools of Holland (Michigan)
>>
>> _______________________________________________
>> K12OSN mailing list
>> K12OSN at redhat.com
>> https://www.redhat.com/mailman/listinfo/k12osn
>> For more info see <http://www.k12os.org>
> 
> David, Mark, and Brian,
> 
> Thanks for your responses!
> 
> I'm guilty of sometimes jumping the gun by not reading FAQs, etc. carefully, 
> then posting a question for which I could have come up with the answer, thus 
> wasting people's time.  But, not in this case, I believe.  I've read the 
> FAQs, perused the forum, posted my question there, and ... no joy.  I've 
> always been impressed with how knowledgeable people are on this list, and how 
> willing to help, so I thought I'd ask here.
> 
> I will say that my general set-up here has worked great for nearly two years - 
> iptables/netfilter, samba, sendmail, apache, OpenVPN, Wildfire (Jabber), 
> etc., etc.  So, it's been very frustrating trying to set up Censornet and not 
> have it work as expected.
> 
> In the Censornet Web site, under Support, there's a section called Network 
> Diagrams.  I'm trying to set up the second of the schemes, Standard Bridge 
> Mode.  The write-up states:
> 
> "This is the most common form of Bridged CensorNet design. Note that we never 
> recommend the use of Bridge Mode unless you have your own firewall to protect 
> your perimeter. Although the CensorNet still has two network cards, connected 
> in a similar fashion to the Basic Router Mode option, it only has one IP 
> address, purely for administration purposes. The firewall shown in the 
> diagram will have an internal address on the same subnet as the rest of the 
> local LAN."
> 
> So, just as in the diagram, I've tried this:
> 
>                      internet
>                          |
>                       router
>                          |
>                      firewall--------DMZ
>                          |
>                      Censornet
>                          |
>                       Switch
>                          |
>                         LAN
> 
> I've also tried this:
> 
>                      internet
>                          |
>                       router
>                          |
>                      firewall--------DMZ
>                          |
>                       Switch
>                          |   (one or both interfaces connected)
>                      Censornet
>                          |
>                         LAN
> 
> I'm able to get both user and workstation data from our AD server into 
> Censornet.  I'm able to reach the Censornet Web admin gui from my 
> workstation.  I'm able to ping both my workstation and an outside site from 
> the Censornet box.  I've set up the correct address and port in Web browser 
> proxy settings.  Depending on how I wire the Censornet box to the firewall 
> and/or LAN, at worst I'm continually prompted for a uname and pw.  At best, 
> I'll get a Censornet "Authentication Failed" message.
> 
> As to this last, there's obviously an authentication problem.  Remember, I can 
> see both users and workstations in the Censornet Web gui.  All the proper 
> access permissions are set for both.  But, I have no idea whether it's an 
> iptables issue or a Censornet issue.  A perusal of the logs on both systems 
> shows nothing.
> 
> Arrrrrgh!
> 
> I'll take a look at the Freshmeat article.  Now, I don't want to take up 
> anyone's time needlessly for what is, at best, a narrow problem.  But, it 
> sure would be nice to get the blinkin' thing workin'.
> 
> Dimitri
> 
Have you checked that both servers are within 5 minutes (clockwise) of each other? I know this 
problem comes up a lot on the Censornet forums.

Brian

---------------------------------------------------------------
    The views expressed here are my own and not necessarily 
                the views of Portsmouth College             
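
One way to measure the clock difference asked about in the reply above, as an added example that is not part of the original message or of Censornet. It assumes the server being compared answers SNTP on UDP port 123; the function names and the sample reply are constructed for illustration, and network delay is ignored because it is negligible next to a 5-minute window.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW_SECONDS = 5 * 60       # the 5-minute window mentioned in the reply


def build_request() -> bytes:
    """48-byte SNTP client request: LI=0, version=3, mode=3 (client)."""
    return bytes([0x1B]) + bytes(47)


def server_time(packet: bytes) -> float:
    """Return the transmit timestamp of an SNTP reply as Unix time."""
    if len(packet) < 48:
        raise ValueError("short SNTP reply")
    if packet[0] & 0x07 != 4:                       # mode 4 = server
        raise ValueError("not a server reply")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    if seconds == 0:
        raise ValueError("reply carries no transmit timestamp")
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def check_skew(packet: bytes, local_now: float):
    """Return (skew_in_seconds, within_window); positive skew = server is ahead."""
    skew = server_time(packet) - local_now
    return skew, abs(skew) <= MAX_SKEW_SECONDS


def query(host: str, timeout: float = 3.0):
    """Ask `host` for its time and compare it with this machine's clock."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (host, 123))
        packet, _ = s.recvfrom(512)
    return check_skew(packet, time.time())


def sample_reply(unix_time: float) -> bytes:
    """Constructed server reply (version 3, mode 4) for offline checks."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    return bytes([0x1C]) + bytes(39) + struct.pack("!II", secs, 0)


if __name__ == "__main__":
    now = time.time()
    print(check_skew(sample_reply(now + 400), now))  # constructed: server 400 s ahead
```

Running `query()` on the proxy box against the directory server (or the reverse) gives the signed difference between the two clocks.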



