Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Shane on October 11, 2003, 12:05:06 PM

Title: proxy whitelist
Post by: Shane on October 11, 2003, 12:05:06 PM
Hi all...
I have a 9 year old son and 11 year old daughter who desperately want me to give them internet access on their computer.
We currently have _our_ 2 PCs on our lan accessing the internet via our e-smith 5.6 in Server/Gateway mode connected to a Billion ADSL modem/router.

The kids' computer is _not_ connected to the lan until I am satisfied I can control the sites they visit.
Is there a way I can have this computer on the lan and sleep at night???
I will lock down the pc with gpedit.msc and use a non existent default gateway.
Is there a way to integrate the e-smith-proxy-auth rpm to use whitelists so that User 1 authenticates and can access all sites,
and User 2 authenticates and can only access "www.runescape.com"?

For those of you that don't know, this is a cool addon that forces users to authenticate with their e-smith username and password when they access the proxy.
 
On another note, this would be a great addition to e-smith distro with a server panel to turn internet access on and off for domain users.

I have torn the forums apart on this one so no flames please. (just ignore instead) :-)


Thanks in advance
Title: Re: proxy whitelist
Post by: Ray Mitchell on October 11, 2003, 03:50:23 PM
Shane
You might want to look at Dansguardian, I have just been playing with it myself and it looks quite good. It controls access based on site content as well as using various black lists all of which you can modify.

If you search back a long way there were posts about how to set this all up.

Regs
Ray
Title: Re: proxy whitelist
Post by: Klaus Eckert on October 12, 2003, 03:23:27 AM
In my opinion you cannot deny the web-access on the proxy, because the user is not included in the IP-packets.
The proxy analyses the IP-packets to decide if the request is OK or not.

You need something that filters on user-base.
But I don't know such a tool, sorry.

cheers klaus
Title: Re: proxy whitelist
Post by: Klaus Eckert on October 12, 2003, 03:26:57 AM
What I forgot to say:
you will need a user-based OS to assist this tool,
i.e. Windows NT or Win2000/XP or macOS or LINUX...

cheers klaus
Title: Re: proxy whitelist
Post by: Shane on October 12, 2003, 11:56:17 AM
Thanks to both for your input.
I have played with Dansguardian on an ipcop box and found it very effective at picking up keywords and blacklists.
However, I wish to implement a whitelist only. That way I take away all of the risk.

Klaus, if I use the "e-smith-proxy-auth rpm" then I have users authenticating with e-smith user database and the proxy knows who I am. Are you saying that it must be controlled at the IP level? (firewall everything except whitelist).
Maybe at the DNS so they can only resolve the whitelist...

Thanks

Shane
Title: Re: proxy whitelist
Post by: Shane on October 12, 2003, 12:01:12 PM
Ray
Thanks for the email with all the info on Dansguardian.

Shane
Title: Re: proxy whitelist
Post by: Ray Mitchell on October 12, 2003, 02:32:58 PM
Dear Shane

> .........found it very effective at picking up keywords and blacklists.
> However, I wish implement a whitelist only. That way I take
> away all of the risk.

I looked at my install of Dansguardian on an sme 5.6 box and there are extensive black (banned) and white (exception) lists that can be edited to suit your needs.

From /etc/dansguardian

exceptioniplist
exceptionphraselist
exceptionsitelist
exceptionurllist
exceptionuserlist
exceptioniplist

plus banned versions of the above lists.

As well of course as all the external lists that are looked up too.

Couldn't you just ban everything using the banned lists and then allow only those things you wanted using the exception lists ?

Regs
Ray
Title: Re: proxy whitelist
Post by: Ray Mitchell on October 12, 2003, 03:15:04 PM
Shane
Looking at the list in
/etc/dansguardian/bannedsitelist
there is built in ability to exclude all sites and IPs


#The bannedsitelist is for blocking ALL of a site
#Blanket Block.  To block all sites except those in the
#exceptionsitelist file remove the # from the next line to leave
#only a '**':
#**

#Blanket IP Block.  To block all sites specified only as an IP
#remove the # from the next line to leave
#only a '*ip':
#*ip


Then you would just put the sites you want to allow access to into the /etc/dansguardian/exceptionsitelist.

Will that achieve what you want ??
Regs
Ray
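
The whitelist-only setup described in the post above, as an added example that is not part of the original thread: it uncomments the `**` and `*ip` lines and writes the allowed sites, working on a scratch copy rather than the live /etc/dansguardian. The function names and the sample file (built from the comment text quoted in the post) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: works on a scratch directory, not the live /etc/dansguardian.

# make_sample DIR: constructed bannedsitelist using the comment text quoted above.
make_sample() {
    mkdir -p "$1" && cat > "$1/bannedsitelist" <<'EOF'
#The bannedsitelist is for blocking ALL of a site
#Blanket Block.  To block all sites except those in the
#exceptionsitelist file remove the # from the next line to leave
#only a '**':
#**
#Blanket IP Block.  To block all sites specified only as an IP
#remove the # from the next line to leave
#only a '*ip':
#*ip
EOF
}

# enable_whitelist_only DIR SITE...
# Keeps a .bak copy, uncomments the two blanket-block lines, and replaces
# DIR/exceptionsitelist with exactly the sites given.
enable_whitelist_only() {
    dir=$1; shift
    cp -p "$dir/bannedsitelist" "$dir/bannedsitelist.bak" || return 1
    # Whole-line match: the comment "#only a '**':" must stay a comment.
    sed -e 's/^#\*\*$/**/' -e 's/^#\*ip$/*ip/' \
        "$dir/bannedsitelist.bak" > "$dir/bannedsitelist" || return 1
    : > "$dir/exceptionsitelist"
    for site in "$@"; do
        printf '%s\n' "$site" >> "$dir/exceptionsitelist"
    done
}

# blanket_block_active DIR: succeeds only if an uncommented '**' line exists.
blanket_block_active() { grep -qxF '**' "$1/bannedsitelist"; }

# site_listed DIR HOST: succeeds if HOST is an exact line in exceptionsitelist.
site_listed() { grep -qxF "$2" "$1/exceptionsitelist"; }

# Demo on a throwaway directory, using the site named earlier in the thread.
demo=${TMPDIR:-/tmp}/dg-demo.$$
make_sample "$demo"
enable_whitelist_only "$demo" www.runescape.com
blanket_block_active "$demo" && site_listed "$demo" www.runescape.com \
    && echo "whitelist-only: blanket block on, 1 site allowed"
rm -rf "$demo"
```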
Title: Re: proxy whitelist
Post by: ryan on October 12, 2003, 10:08:51 PM
Shane,

Windows control:

Allow dhcp to assign the gateway, or set it static so internet works.  Then use gpedit.msc to 1) set a bogus proxy server ( I use 'noproxy' name and use no port number).  2) Make your white list in 'Exceptions' for your proxy settings.  3) In gpedit, you must also set administrative templates\windows components\internet explorer to NOT allow the proxy to be changed.

I am assuming XP Pro (2k works the same) and your children do not have admin logon accounts or rights.   Be aware other non MS software that contains a web browser may not respect the gpedit proxy rules.  Also, if your children ever boot the PC with knoppix, they will have complete internet access.

SME addons:

Research squidguard and SARG which can allow you to ban all internet by defining a,e,i,o,u & 0-9 as untrusted expressions which will block everything.  The white list is then created by adding domains to the trusted domains in squidguard server manager.  SARG provides the ability to review all web sites accessed through squid by the ip address to audit the squid logs in an easy to read http report.   Squidguard allows you to define IP addresses that are allowed to access everything so the parents can surf without restrictions.


By the way, if your children develop technical skills, you can expect problems.  I set up internet blocking software on an XP home.....the 12 year old ended up getting around it by installing a second nic in the machine.  The blocking software was bound only to the original nic.   The kid simply moved the cat5 cable when he wanted to surf 'everything'.   His dad asked me to check it out and I quickly discovered the second nic which was not present when the blocking software was installed.  So, the best bet is to use SME in a locked cabinet with the cable modem and switch/wireless equipment.  Users/kids that can't physically access SME will be forced to adhere to its rules....unless they tap the neighbor's wireless device!!!

good luck,

ryan
Title: Re: proxy whitelist
Post by: Shane on October 13, 2003, 02:09:57 AM
Thank you for your suggestions and taking the time to help me.
I will do some trials and report my results.

Thanks

Shane
Title: Re: proxy whitelist
Post by: Luis Contreras on November 12, 2003, 04:31:04 AM
Hello Shane,


   Did you make it work? I have understood that blocking all internet access and creating a white list was possible with squidguard and proxy users.

   Did it work for your needs?

   I need the same,

  Regards,


   Ricardo
Title: Re: proxy whitelist
Post by: Shane on November 12, 2003, 12:46:10 PM
Hi Ricardo,
Regret to say I took the easy way out and used gpedit.
Sorry I can't help at this stage as work is "incredibly" busy.


Shane