Firewall and Proxy modes
Up to this point, I had been exploring the device in its "Storage Only" mode. In this mode, the Yellow Machine's WAN port is unused and its router functionality disabled. But the Yellow Machine also offers three different modes for WAN usage. The first mode, "Router", just sets the device up to route network traffic between the LAN and WAN ports. There is no firewall present. The second mode, "Firewall", does the same as the first, but adds a firewall for incoming network traffic. When in firewall mode, all outbound traffic is allowed, and all inbound traffic is blocked by default. Menus are present to allow specified network ports to be forwarded, but there is no DMZ option to forward all ports to a certain machine.
I tried out both router and firewall modes and they worked just fine. I turned on the DHCP server on the LAN side, and clients plugged into the LAN ports were assigned an IP address and their traffic was routed out the WAN port to the open Internet.
A third mode, "Proxy", locks the Yellow Machine down even more. In this mode, clients on the LAN side must access the Internet through a proxy for both email and web usage. Proxy usage for other protocols such as ftp, telnet, ssh, and so forth, is missing, or at least not anywhere in the documentation that I could find. The box is also set up to record all email traffic so that an administrator can later review it.
Finally, in Proxy mode, the setup menu states that, "... webmail is disallowed, and all Internet access to adult content sites is blocked". Being a bit skeptical of that ability, I dug into the user manual where I found a disclaimer stating that "complete protection is not guaranteed". To address this, a capability is provided to add specific domains to the blocked list. When the device is configured in Proxy mode, every client computer must be individually listed in a setup screen. If a client isn't on the Yellow Machine's allowed list, he'll see a cryptic error like the one shown in Figure 10.
Figure 10: Blocked content cryptic error message
Because my quick tests of the router and firewall modes had worked fine, I had hoped Proxy mode would be equally easy to use. Alas, that was not to be. When I set everything up, which amounted to configuring my browsers for proxy mode, and adding my laptop to the allowed list, I would occasionally experience odd web browser behavior. Web pages would be malformed, and usually only load partially. Small images would show up, larger ones would not. Sometimes I would get a proxy "connection refused" message as if the proxy server wasn't working at all.
I tried various different web browsers with the same results. When I got my standard Yellow Machine system log email alert, I found errors such as:
child process exiting due to signal 6 - Squid Exiting due to repeated frequent errors
This told me that Squid was acting as the proxy server, and it was unhappy about something.
After double-checking my settings, I thought perhaps something might be wrong with my network setup. I was plugging the Yellow Machine into a switch that hooked into my Linksys wrt54g which was then plugged into my cable modem. Taking all of the extra pieces out of the loop, I connected the Yellow Machine directly into my cable modem and tried again. There was no change. I saw the same flaky behavior.
I tried to do my duty as a diligent reviewer and visit some adult web sites to see how well the proxy blocked them. But unfortunately, the flaky behavior of the proxy made it hard to tell if the site was really blocked, or if it was just delivering the same partial page. I can say that some sites were not completely blocked because I got a partial display. I also tried visiting using an IP address instead of a textual URL to see if I could bypass the filter this way, but once again, the unpredictable behavior of the proxy prevented me from drawing any real conclusions.
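As an added illustration of the Proxy-mode rules described above (not the Yellow Machine's own code or its Squid configuration), this Python example models a per-client allowed list plus a domain blocklist, and shows why a request to a raw IP address falls outside a name-based blocklist unless IP-literal hosts are denied explicitly. The addresses, the domain, and all function names are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample policy (assumptions, not the Yellow Machine's real lists).
ALLOWED_CLIENTS = {"192.168.1.20"}
BLOCKED_DOMAINS = {"blocked.example"}


def host_of(url):
    """Lower-cased host of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_ip_literal(host):
    """True when the host parses as an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_blocked(host):
    """Match the host itself or any parent domain against the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def decide(client_ip, url, strict=False):
    """Return (verdict, reason) for one proxied request."""
    if client_ip not in ALLOWED_CLIENTS:
        return ("deny", "client not on allowed list")
    host = host_of(url)
    if not host:
        return ("deny", "no host in URL")
    if is_ip_literal(host):
        # A name-based list has nothing to compare an address against.
        if strict:
            return ("deny", "IP-literal host")
        return ("allow", "IP-literal host, blocklist not applicable")
    if domain_blocked(host):
        return ("deny", "domain on blocked list")
    return ("allow", "no rule matched")
```

With `strict=True` the filter refuses any request whose host is an address, which closes the gap at the cost of breaking sites that are legitimately reached by IP.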
Moving on to the email proxy and recording features, I saw similar problems. I successfully sent email using the Yellow Machine as an SMTP server, but I would then get an email "alert" notifying me that mail hadn't been sent with the following error message:
procmail: Lock failure on /var/mail/postman.lock
Attempting to retrieve logged emails using the postman account produced something similar:
Lock error(5) on /var/mail/postman
Clearly, something was misconfigured in proxy mode, or perhaps just not working properly. I exchanged a number of emails with engineers at Anthology describing these proxy problems. These engineers indicated that they had not seen these problems but they would look into them. At the time of this writing, I had received no resolution nor further information.