For school; students blocked from sites that teachers are allowed. How to?
I have static IPs set for all. How do I set students to be blocked from sites and still allow teachers to access the same sites?
KOM last edited by
Use a web proxy like Squid and SquidGuard which are pfSense packages. You can create rules that block sites for one group but not for another, and have any specified IP addresses exempted from everything.
Dansguardian will do this as well…
In this case, I guess teachers have separate computers from your pupils?
Then you can put these computers on a separate VLAN, and then use different rules for teachers and pupils.
For example prohibit SSL access for pupils (SSL are often used by pupils to access sites that are normally prohibited).
If teacher respective pupil access is determined by the login on the computer, there's not much you can do. You could use captive portal to separate pupils and teachers.
But that is going to be abused. (Because teachers cannot really see if pupils have seen a teacher password and are currently using that to surf the internet.)
While it's easy to see if a pupil is sitting at a teachers-only computer (and during lessons, the teacher's computer is occupied by the teacher, providing a "natural" access control).
In one school I have been, there were 2 types of classrooms: One that pupils were NOT allowed to be alone in, that means that if the teacher needed to take a break, the pupils had to leave the classroom and wait outside locked door.
In the other type, the pupils were allowed to be alone in the classroom. Those classrooms had a keyswitch at the door; this keyswitch turned off all teacher network connections physically (probably by breaking power to a network switch), using the same teacher key as for the doors. The teacher always turned off the network connection when leaving the classroom for a break.
If teachers and pupils are using same PCs, I would suggest setting up "teachers only PCs" in locations where only teachers have access, like break room, teachers lounge, and such, and only permitting those to bypass the filters.
You can do it by putting the students on either a separate physical LAN segment or with VLANs, or simply by adding all the student computers to an alias and applying the proxy only to that alias and running that through dansguardian.
You can also use DHCP to handle all the filtering by using an external DHCP server that allows you to configure restrictions, like opendns.
using proxy/content filtering to block web access to social media & other https services is not something you'd want to do. (it is fine for blocking random http sites, i.e. porn sites)
https kills the use of proxy software, because you can not do this without pushing your own custom ssl certs to all client devices (which is ethically wrong in my book)
dns blocking using opendns or whatever is an option (but can even be bypassed by using google-translate https://support.opendns.com/entries/28059824-Why-translate-google-com-is-suddnly-blocked-)
ip blocklist is by far the best option. (be sure to block all the common vpn-services to be sure).
At the end of the day, you are fighting a losing battle.
1. One kid will find a way to bypass your block
2. Instructions will be passed between the pupils on how to bypass
3. Eventually you will hear about it (weeks later)
4. You will find a way to block this NEWTHING
i also work in a couple of schools. i concluded that if china is unable to prevent people from bypassing its big wall ... then i wouldn't be able to, either ;)
I tend to agree with heper that it's nearly pointless trying to censor the internet.
You actually usually end up simply breaking the useful bits of internet as much as censoring the parts you wish to censor.
But I've had little success at making people agree with that, so - there are your net nanny options.
heper: https can be blocked by using blanket blocks. You simply filter everything except port 80. Port 80 is then guarded by a proxy that only allows HTTP, e.g. no "CONNECT".
Then there will be no encrypted traffic.
Then you set it up so only teachers can access https sites. Here it could be good to only allow certain https sites (or scan https traffic by pushing CA certificates to clients via AD/Group Policy) for the teachers.
for google, you can set their start page to "http://www.google.com/webhp?nord=1"
This will force SSL=disable for google's search services.
The reason China's filter does not work well is that it can easily be bypassed. It's designed with maximum performance in mind, which means it does not do any sort of stateful filtering or content checking. It's enough that a forbidden word appears over a packet boundary (e.g. let's say the word "anarchism" is split into 2 packets like "anarc" in one packet and "hism" in another, then it will be let through), and it uses RST packets to block instead of physically blocking packets, so ignoring RST will give you a free route out on the internet.
ANY performance loss would be unacceptable for China because so many users are behind the firewall. Even a small filtering lag in the terms of a couple of µsec would be translated into minutes with that amount of users that are behind the wall like China. Thus they only tap the traffic, not intercept it. And any prohibited things will push out a RST to both sender and receiver.
In a school, it's not millions of users, and thus it's okay with a small performance degradation for content scanning of traffic, thus you have more filtering options than China has.
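The per-group policy discussed in the posts above (students denied listed sites and any HTTPS `CONNECT`, teachers allowed HTTP plus an HTTPS allowlist, unknown sources denied), as an added example that is not part of any post in this thread and is not Squid or SquidGuard configuration. All addresses, domains and function names are constructed assumptions; it models first-match rule evaluation keyed on static source IPs.

```python
"""First-match proxy policy sketch: students vs. teachers by static source IP."""
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions, not taken from the thread).
GROUPS = {
    "teachers": [ip_network("192.168.10.0/24")],
    "students": [ip_network("192.168.20.0/24")],
}
BLOCKED_DOMAINS = {"blocked.example"}            # sites students may not reach
TEACHER_HTTPS_ALLOW = {"school-portal.example"}  # CONNECT allowlist for teachers


def group_of(src_ip):
    """Map a static client IP to its group; unknown addresses get None."""
    addr = ip_address(src_ip)
    for name, nets in GROUPS.items():
        if any(addr in net for net in nets):
            return name
    return None


def domain_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(src_ip, method, host):
    """Return (verdict, reason); rules are checked in order, first match wins."""
    group = group_of(src_ip)
    if group is None:
        return ("deny", "unknown source")            # default deny
    if group == "students":
        if method == "CONNECT":
            return ("deny", "students: no CONNECT")  # no HTTPS tunnels
        if domain_matches(host, BLOCKED_DOMAINS):
            return ("deny", "students: blocked site")
        return ("allow", "students: plain HTTP")
    # teachers: HTTP unrestricted, HTTPS only to the allowlist
    if method == "CONNECT" and not domain_matches(host, TEACHER_HTTPS_ALLOW):
        return ("deny", "teachers: HTTPS host not allowlisted")
    return ("allow", "teachers")
```

The suffix match requires a leading dot, so a host such as `notblocked.example` is not caught by the `blocked.example` entry.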
you could indeed block https entirely for students ...
in the schools i work, the students NEED access to dozens of https sites to be able to do their tasks, because teachers implement new educational websites that require login/passwords.
This would force me to "white list" a couple of https sites on a weekly basis. I don't have the time for that.