configuration suggestions and browser lockdowns

[Bill Moseley]

On Fri, Oct 19, 2007 at 10:01:22AM +0100, Gavin McCullagh wrote:
> > Can anyone offer suggestions how to best setup this configuration.
> > Seems like NFS mounting /home, but I'm wondering what else can be
> > shared to ease management.
> 
> You could consider using the machines as diskless kiosks running local
> applications.  We do this with the feisty LTSP kiosk mode, though that only
> provides a web browser at the moment.  In Gutsy (I hear) there is supposed
> to be support for more extensive local applications.  That way, you might
> install all applications to the central image and all of your machines will
> automatically get them.

Anyone familiar with this project?

    http://drbl.sourceforge.net/

Looks reasonably turnkey.

> > Another question is how to lock down the machines.  I've looked at the
> > Lockdown Editor Pessulus and Sabayon.  What about blocking URLs?  Mac
> > OSX/Safari has a reasonably easy parenteral control where the browser
> > won't go to any domain that isn't defined.  And when it's attempted
> > the admin can enter their password to provide access.  Any pointers
> > how to implement this?
> 
> The only way I know to (reliably) block content is using a proxy server
> like squid with something like "dan's guardian" or squidguard.  Thankfully,
> the Irish dept. of education has contracted HEAnet to be ISP and look after
> filtering en mass for every school in the country so this headache is
> lifted from us.

I might give squid a try -- although for the limited number of
workstations caching is probably not a huge benefit.  Might not be
that hard to create a simple GTK application where the admin could
type in a URL, have it fetch the page and parse out all the links
and do dns lookup and whitelist in iptables.

Maybe Firestarter isn't too hard, either.  I've always use firewall
scripts in the past.


Thanks,

-- 
Bill Moseley
moseley at hank.org