control of internet access

Kai Wüstermann k.wuestermann at gmx.de
Sun Nov 11 17:33:04 GMT 2007


Hi Bill!

On Sunday, 11.11.2007, at 07:38 -0800, Bill Moseley wrote:

> You commented in a separate reply that you don't want to run a
> separate server.  I don't know your network topology, but using a
> separate gateway machine would be my first choice -- specifically to
> make administration easier.  For one thing, if we run more than one
> LTSP server then I have to duplicate the configuration on each server.
> Another is you don't have to worry about users bypassing local
> configurations on the LTSP server.

Our network topology looks like this:
http://www.edubuntu.org/images/ltsp_inet.png

There will only be 20 thin clients in several rooms. No fat clients. No
Windows.

I don't worry about users bypassing local configurations. No one in our
school will be able to understand the configuration of Linux. Me neither. :-)

> I'm also considering white-listing instead of using a blacklist.  Any
> good ten-year-old hacker should be able to defeat a site blacklist,
> I'd hope.  I'm also not thrilled about content filtering, either.
> Not too hard to setup a tunnel or use a remote proxy.

How would you manage whitelists? The kids should search for information with
search engines like bunte-kuh.de or Google. Should they ask the teacher
on every result, "Please enter this site into the list of allowed
sites"? Do you really think the average primary teacher in Germany is
able to identify a site's URL and edit the whitelist, even if there were
an easy-to-use program? We don't have any teacher education for using
computers.

We don't have any good hackers at our school. They also don't know what
Linux is.

> I suspect content filtering is the easier route than trying to
> manage a whitelist effectively (should sub-domains get whitelisted?
> What ports get opened up?)  And in the end it might be more work for
> the teachers to deal with opening up sites than the few that get
> through the blacklist.
> 
> OS X / Safari "parental controls" use the whitelist approach. When
> the kid goes to a new site there's a popup and then the admin can
> enter their own password on that screen and allow access.  That would
> sure make things easier in the classroom for the teachers.

That seems to be nice.

> Like you, I also want to have fine-grain control over the filtering.
> Obviously, this should be on a per-user basis not machine or location
> basis.  A student should not be restricted to a location or machine to
> get the access they need.

That's what I want.

> Also, in a school the users naturally belong to groups.  A teacher
> should be able to say their entire class can access some list of sites
> and have it just work when their students log in.

This would be the best way, but I think for our school it's enough to
give the kids Internet access controlled by a blacklist. The teacher
normally is in the classroom. Managing a list would be too complicated
during the lessons.

> 
> I'm not sure how to meet those goals.
> 
> Probably more work than I have time for, but what I've been
> dreaming of is a gateway machine using Netfilter and a database/web
> application to manage users and machines.  That interface would update
> dns and dhcpd as needed, and use Netfilter for user-level filtering.
> The web application would make it easy for teachers to add new sites
> from the student's machine.

Now in our school we have a gateway/file/user administration server which
the teachers control with an old, really easy-to-use interface called
webtools2. It was built for schools in Hamburg in the last century. The
only thing it is not able to control is user-level Internet access.

> We know all the MAC addresses of the teachers machines, so those can be
> opened up.

We only have one machine in the classrooms, so the teacher must have a
web- or sudo-based configuration program.

Thanks
Kai Wüstermann
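
Added example, not part of the original message or of any tool named in the thread: a per-user whitelist decision that resolves a user's class groups and makes the "should sub-domains get whitelisted?" choice explicit per entry, matching on label boundaries so look-alike hosts are rejected. The user names, group names and table layout are assumptions; the two sites are the ones mentioned above.

```python
from urllib.parse import urlsplit

# Constructed sample policy: group -> [(domain, include_subdomains)].
GROUP_ALLOW = {
    "class-3a": [("bunte-kuh.de", True), ("google.de", False)],
    "teachers": [("*", True)],  # "*" = unrestricted (assumed convention)
}
# Constructed sample membership: user -> groups.
USER_GROUPS = {
    "anna": ["class-3a"],
    "mrs-schmidt": ["teachers", "class-3a"],
}


def normalize_host(url):
    """Return the lower-cased host of a URL or bare host[:port][/path]."""
    if "//" not in url:
        url = "//" + url  # let urlsplit treat a bare host as a netloc
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed netloc, e.g. broken IPv6 brackets
        return ""
    return host.rstrip(".")  # drop the trailing dot of a fully qualified name


def host_matches(host, domain, include_subdomains):
    """Exact match, or a sub-domain match on a label boundary."""
    if domain == "*" or host == domain:
        return True
    # The leading dot keeps "notbunte-kuh.de" from matching "bunte-kuh.de".
    return include_subdomains and host.endswith("." + domain)


def is_allowed(user, url):
    """Default deny: allow only if one of the user's groups lists the host."""
    host = normalize_host(url)
    if not host:
        return False
    for group in USER_GROUPS.get(user, []):
        for domain, subs in GROUP_ALLOW.get(group, []):
            if host_matches(host, domain, subs):
                return True
    return False


if __name__ == "__main__":
    for u in ("http://www.bunte-kuh.de/", "http://images.google.de/",
              "http://bunte-kuh.de@evil.example/"):
        print("anna", u, is_allowed("anna", u))
```

The decision is by login name, so it follows the student to any thin client; it only checks host names and does nothing about the tunnels or remote proxies mentioned earlier in the thread.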



