control of internet access
Bill Moseley
moseley at hank.org
Sun Nov 11 15:38:20 GMT 2007
On Sun, Nov 11, 2007 at 09:29:36AM +0100, Kai Wüstermann wrote:
>
> We want to...
>
> ... switch off the Internet for all the thin clients
>
> ... log the sites and pages a user retrieves
>
> ... use a blacklist for the children's Internet access
>
> ... switch on the Internet access (It would be nice to do this for
> special user groups or classrooms)
This is something I've been wondering about, but not something I've
implemented yet -- so take it FWIW.
You commented in a separate reply that you don't want to run a
separate server. I don't know your network topology, but using a
separate gateway machine would be my first choice -- specifically to
make administration easier. For one thing, if we run more than one
LTSP server, we have to duplicate the configuration on each server.
Another is that you don't have to worry about users bypassing local
configurations on the LTSP server.
I'm also considering white-listing instead of using a blacklist. Any
good ten-year-old hacker should be able to defeat a site blacklist,
I'd hope. I'm also not thrilled about content filtering, either.
Not too hard to set up a tunnel or use a remote proxy.
I suspect content filtering is the easier route than trying to
manage a whitelist effectively (should sub-domains get whitelisted?
What ports get opened up?) And in the end it might be more work for
the teachers to deal with opening up sites than the few that get
through the blacklist.
OS X / Safari "parental controls" use the whitelist approach. When
the kid goes to a new site there's a popup and then the admin can
enter their own password on that screen and allow access. That would
sure make things easier in the classroom for the teachers.
Like you, I also want to have fine-grained control over the filtering.
Obviously, this should be on a per-user basis not machine or location
basis. A student should not be restricted to a location or machine to
get the access they need.
Also, in a school the users naturally belong to groups. A teacher
should be able to say their entire class can access some list of sites
and have it just work when their students log in.
I'm not sure how to meet those goals.
Probably more work than I have time for, but what I've been
dreaming of is a gateway machine using Netfilter and a database/web
application to manage users and machines. That interface would update
dns and dhcpd as needed, and use Netfilter for user-level filtering.
The web application would make it easy for teachers to add new sites
from the student's machine.
We know all the MAC addresses of the teachers' machines, so those can be
opened up.
For the LTSP servers I'd like to look into using Ident/Auth with
Netfilter's connection tracking. That way the filtering follows the
user even if they move to a different LTSP server. If that's even
feasible or practical is something I have not looked into.
One problem with filtering at this level is being able to open an
entire domain. Sure would be preferable to be able to say:
allow *.yahoo.com 80 443
or some such thing, for example.
> To switch on/off the Internet access seems to be easy if I add/delete
> the default route. But I also switch off the Internet access for the
> server itself so it can't do jobs like fetching mails, updates or time.
>
> For logging and using a blacklist I could use Squid, but how do I avoid
> Firefox accessing the Internet directly?
Again, those are the reasons why I'd prefer a separate gateway
machine managing the work of filtering. Then just use Squid for
caching and logging.
And I really have no interest in logging the pages that specific users view.
--
Bill Moseley
moseley at hank.org
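The gateway design sketched above (per-group Netfilter rules, a wish for rules like "allow *.yahoo.com 80 443", and Kai's question of how to keep Firefox from going around Squid) can be tried out with the script below. It is an added example written for this archive page, not code from this thread or from Edubuntu/LTSP. It assumes a whitelist file format of "allow <group> <host-or-*.domain> <port>...", that each group name is also the name of an ipset holding that group's current client IPs (filled by some other tool, e.g. the web application Bill describes), that Squid has matching "<group>_src" ACLs declared elsewhere, and that the student subnet, Squid port, teacher MACs and the Squid include path are as set in the variables at the top. The `-m set` match needs ipset support in the kernel.

```shell
#!/bin/sh
# gateway-acl.sh: turn a small per-group whitelist into Netfilter rules plus
# Squid ACLs on a separate gateway box. Added example, not from this thread.
#
# Assumed whitelist format (one rule per line, '#' comments allowed):
#   allow <group> <host-or-*.domain> <port> [<port> ...]
# Each <group> is assumed to be the name of an ipset holding the current client
# IPs of that group, kept up to date by something else (e.g. a web app at login).
#
# Design: traffic from the student subnet is dropped unless whitelisted. TCP/80
# is transparently REDIRECTed to Squid, so a browser cannot go direct; iptables
# cannot match names like *.yahoo.com, so name patterns become Squid dstdomain
# ACLs, while literal hosts on other ports get iptables rules (resolved once,
# at insertion time, which is the usual caveat of -d <hostname>).

STUDENT_NET="${STUDENT_NET:-192.168.1.0/24}"   # assumed thin-client subnet
SQUID_PORT="${SQUID_PORT:-3128}"
TEACHER_MACS="${TEACHER_MACS:-}"                # space-separated MACs, assumed known

# Fixed scaffold: default drop, reply traffic, teacher bypass by MAC, proxy redirect.
gen_base_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for mac in $TEACHER_MACS; do
        echo "iptables -A FORWARD -s $STUDENT_NET -m mac --mac-source $mac -j ACCEPT"
    done
    echo "iptables -t nat -A PREROUTING -s $STUDENT_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# Per-group ACCEPT rules for literal hosts. Port 80 is skipped on purpose: it
# always goes through the proxy, where gen_squid allows it by name.
gen_iptables() {
    grep -v '^[[:space:]]*#' "$1" | while read -r kw group target ports; do
        [ "$kw" = "allow" ] || continue
        case "$target" in
            '*.'*) continue ;;             # wildcard: Squid's job
        esac
        for port in $ports; do
            if [ "$port" = 80 ]; then continue; fi
            echo "iptables -A FORWARD -m set --match-set $group src -d $target -p tcp --dport $port -j ACCEPT"
        done
    done
}

# Squid side: *.yahoo.com becomes dstdomain .yahoo.com (domain and subdomains);
# a literal host stays literal. <group>_src is assumed to be declared elsewhere
# (e.g. 'acl class5b_src src ...' written by the same tool that fills the ipsets).
# Squid fetches from the gateway itself, so the FORWARD chain never sees it;
# this list is the only thing limiting what the proxy will serve.
gen_squid() {
    grep -v '^[[:space:]]*#' "$1" | while read -r kw group target ports; do
        [ "$kw" = "allow" ] || continue
        dom=$(echo "$target" | sed 's/^\*//')   # strip the leading '*'
        echo "acl ${group}_sites dstdomain $dom"
    done
    grep -v '^[[:space:]]*#' "$1" | awk '$1 == "allow" { print $2 }' | sort -u |
    while read -r group; do
        echo "http_access allow ${group}_src ${group}_sites"
    done
    echo "http_access deny all"
}

# Constructed sample whitelist (made up for this example), written to $1.
write_sample_whitelist() {
    cat > "$1" <<'EOF'
# group        target             ports
allow teachers *.wikipedia.org    80 443
allow class5b  *.yahoo.com        80 443
allow class5b  www.example.org    80
allow students mail.example.org   993
EOF
}

# Print everything (default) or apply it: 'sh gateway-acl.sh whitelist.txt apply'.
main() {
    wl="$1"; mode="${2:-print}"
    if [ "$mode" = "apply" ]; then
        { gen_base_rules; gen_iptables "$wl"; } | sh -e
        gen_squid "$wl" > /etc/squid/whitelist.conf    # assumed 'include' path
        squid -k reconfigure
    else
        echo "# --- iptables ---"; gen_base_rules; gen_iptables "$wl"
        echo "# --- squid ---";    gen_squid "$wl"
    fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Note what this does and does not enforce: a wildcard entry with port 443 only takes effect for clients that actually use the proxy (port 443 is not redirected, and a transparent Squid cannot see inside TLS anyway), so HTTPS to "*.yahoo.com" is effectively closed for students unless the browser is configured to use Squid explicitly. The hostname rules are snapshots of DNS at insertion time, so the script should be re-run from cron or whenever the whitelist changes. The Ident-based, per-user tracking Bill mentions is not attempted here; groups are keyed by client IP via ipsets.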