networking - how can i shut down internet access ...

20 replies
chris501
Offline
Joined: Apr 5 2005
Posts: 232

hello out there!

hope someone's a genius and can help me with that issue. first, let me explain what i'm trying to do:

i have a couple of classrooms fitted with iMacs. all of them have access to the internet over an ethernet connection. what i want to do is find a simple and easy solution for how you can cut off the internet access for a specific classroom. only internet; ethernet should still work though. i was thinking about a solution using a router in every classroom, but i'm not quite sure how to accomplish a fast cutoff (without having to connect to the router, then manually clear several ports, then open them again for browsing)...

ideas, anybody?

thanks, chris

__________________

PM G5 1.8GHz SP / PB 12" 800MHz / Acer 3.0GHz HT / Compaq 386@25MHz / Apple Certified Technician & Help Desk Specialist

Offline
Joined: Jan 28 2005
Posts: 170
disable any internet browser

disable any internet browser for the student accounts...

Offline
Joined: May 24 2005
Posts: 61
On my home router, we have a

On my home router, we have an internet-in port, and the software on the router has the ability to allow, or allow during certain times, internet by ip address.

David

__________________

Performa 5200CD 64 megs ram, 75mhz, 800 megs hd. OS 8.5
Dell Optiplex 256 ram, 900mhz, 8gig hd, 160gig external. Linux.

The Czar
Offline
Joined: Dec 20 2003
Posts: 287
Port 8080

Can you just disable port 8080? That's what most http transfers go through, IIRC.

Cheers,

The Czar

__________________

iBook 14" 1.33Ghz/768MB/60GB/10.4.8
Quicksilver 2x1.6Ghz/1536MB/600GB/10.4.8 Server

chris501
Offline
Joined: Apr 5 2005
Posts: 232
disable port...

yes, of course, that would be possible. but it would mean that i have to connect to the router every time i want to cut off internet for the students.

i was searching for a "one (or maybe two) button solution" or something like that. if it's not possible, i will use the connect-to-router option anyway...

to fynch: i don't want to shut it off permanently, so this is not an option. it's just that i don't want them to browse while the teacher is teaching...

cheers, chris

__________________

PM G5 1.8GHz SP / PB 12" 800MHz / Acer 3.0GHz HT / Compaq 386@25MHz / Apple Certified Technician & Help Desk Specialist

BDub
Offline
Joined: Dec 20 2003
Posts: 706
Re: Port 8080

The Czar wrote:

Can you just disable port 8080? That's what most http transfers go through, IIRC.

Cheers,

The Czar

Port 80 is for the HTTP protocol. Port 8080 is what a lot of people use to host web servers when their ISP blocks incoming port 80 connections, as a way to ensure that people aren't running webservers off consumer lines.

-BDub

__________________

"There is going to be a future: let's chase it until it kills us." - Spider Robinson

chris501
Offline
Joined: Apr 5 2005
Posts: 232
ah, ok...

...so that means i'll have to block both of them or what? or is only the port 80 interesting in my case?

chris

__________________

PM G5 1.8GHz SP / PB 12" 800MHz / Acer 3.0GHz HT / Compaq 386@25MHz / Apple Certified Technician & Help Desk Specialist

Offline
Joined: Feb 11 2004
Posts: 208
Re: ah, ok...

chris501 wrote:

...so that means i'll have to block both of them or what? or is only the port 80 interesting in my case?

chris

Ports 80 (http) and 443 (https) are usually the only concern. Port 8080 is usually used by proxy servers, or kiddiez that want to run web servers on RoadRunner or Comcast (who often use port 8000 as well).

In this case, blocking 80 and 443 will do fine.

__________________

Chimera: Black MacBook - Core2 Duo, 1GB Dual Channel, 120GB SATA
Hackintosh: Wallstreet Built-to-the-hilt with security and wireless software for penetration testing, OSX 10.2
Blackintosh: SE/30, two 4GB Seagate Barracudas, 32MB RAM, NetBSD (Painted/cle

chris501
Offline
Joined: Apr 5 2005
Posts: 232
thanks for your help...

...i've been looking on the web for a solution to this, but it seems that i'll have to stick with the router thing. anyway, thanks a lot for your help and support!

__________________

PM G5 1.8GHz SP / PB 12" 800MHz / Acer 3.0GHz HT / Compaq 386@25MHz / Apple Certified Technician & Help Desk Specialist

dankephoto
Offline
Joined: Dec 20 2003
Posts: 1900
maybe a smarter router?

How about using a 'puter as a firewall? there's gotta be some very flexible routing sw that can be configured to block or pass ports based on the time of day, perhaps something from Sustainable Softworks? Or perhaps one of the fancy router makers (like Cisco) has something that'll do what you want.

What kind of budget have you got, and how many separate 'zones' do you need to configure? What other services must remain available while inet access is disabled? You can't just pull the classroom plug for the duration of class?

How about having separate logins for inet access? That way you could control which apps are available during class.

Sadly, I know no specific solutions, but I know there's gotta be something that fits your needs.

dan k

__________________

|| web page gone - curse you Comcast! | Applish goodies servers offline, sorry! |
» email macdan at comcast.net

Offline
Joined: Feb 11 2004
Posts: 208
...

you could get the Prismiq commander ( http://www.prismiq.com ), as your router (it has WiFi but you can disable it) and just get all big-brother on them, and punish those who can't stay on task.

I think if you need to lock it down in school, you're going about it the wrong way. At work, a lot of employers won't lock you out of web sites (although it's a growing trend). Preparing these kids for the real world where they ARE CAPABLE of visiting websites when they should be doing something else, is paramount.

If I get caught doing stupid internet stuff at work, I'd get written up. It's all about responsible and on-task use. Punish them when they abuse it, and they will stop.

__________________

Chimera: Black MacBook - Core2 Duo, 1GB Dual Channel, 120GB SATA
Hackintosh: Wallstreet Built-to-the-hilt with security and wireless software for penetration testing, OSX 10.2
Blackintosh: SE/30, two 4GB Seagate Barracudas, 32MB RAM, NetBSD (Painted/cle

Jon
Offline
Joined: Dec 20 2003
Posts: 2804
I know ax0n has some experien

I know ax0n has some experience here as he works for a (large) college. I'd either recommend the crack-down-and-punish method or a smart router. If you've got the budget, I'd jump for a router that can disable 'zones' by time of day, as was suggested below. If you've got a small budget and can't/don't want to set up a computer with the filtering rules, I'd go for the crackdown.

__________________

I am not in this world to live up to other people's expectations, nor do I feel that the world must live up to mine. - Fritz Perls

DrBunsen
Offline
Joined: Dec 20 2003
Posts: 946
Script?

Could you make an Applescript that logs into the router at the appropriate times and does the switcheroo?

__________________

Damn the Torx screws, full speed ahead!
Apple and Wireless FAQ

chris501
Offline
Joined: Apr 5 2005
Posts: 232
had that idea...

...with scripting last saturday. i was fiddling around a bit, and i think with a bit more scripting experience it could be done that way.

however, i will think over it once again. the track-and-punish method is a bit time consuming, but we'll see what i will find on the net...

by the way, as mentioned before it's only about shutting down internet access. the rest of the network functions should work though.

thanks, chris

__________________

PM G5 1.8GHz SP / PB 12" 800MHz / Acer 3.0GHz HT / Compaq 386@25MHz / Apple Certified Technician & Help Desk Specialist

Eudimorphodon
Offline
Joined: Dec 21 2003
Posts: 1203
IPFW

I have a sleazy suggestion, if your iMacs are all on OS X. Write a script that adds or removes the following IPFW rules from your students' machines' firewalls:

(This is assuming all the machines the students need to reach all the time are inside the 10.0.0.0/255.0.0.0 RFC1918 network, and everything else is verboten. In real life you'd adjust accordingly.)

ipfw add 1000 allow ip from any to 10.0.0.0/8 out xmit en0
ipfw add 2000 deny ip from any to any out xmit en0

IPFW is first match, so the first rule will let traffic reach your school network, while the second one stops everything else. To allow traffic again, run this command:

ipfw -q flush

(Of course, if you're actually using the OS X firewall you might want to make it a little more elaborate and use the "set" commands to swap out full rulesets, but you get the idea.)

So how would you turn this on or off all at once? Two suggestions:

1: If the macs all have static IPs, use ssh-keygen to make an entry key to stick in all the machines under a hidden user account. Modify /etc/sudoers to allow that hidden user to run two scripts to bring the rules up and down. Then from your master computer write a little script that on command uses SSH to fire off the firewall up/down command to all the student machines.

2: Write a script in perl/python/whateverfloatsyourboat which can fetch an HTTP URL, read a value out of it, and add or remove the firewall rules based on that value. Stick it in root's crontab on all the student machines, set to run once a minute. Then erect a hidden webpage on an internal webserver somewhere on the school network that you can quickly change based on whether you want internet access or not. (Maybe do a trivial bit of password-protected CGI or PHP which writes "OPEN" or "CLOSED" to a file which the clients then examine.)

(The nice thing about this is it doesn't matter what IPs the student machines have. You could move them anywhere inside the school network and it'd still work.)

There's the nerdy UNIX suggestion, anyway. It's nice in the sense that you don't need to put a router in front of each classroom.

Note of course that if the students have "admin" access they can override this. Also, if they can reboot the machines I'd recommend using the second option in which the machines regularly check whether they should allow traffic or not. Otherwise you might just have the little nippers rebooting right after you send the "close" command.

--Peace
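The cron-driven check from option 2 above, written out as an added example; this is not code from the thread or from any project. It is a POSIX shell script meant for root's crontab on each iMac. Everything it assumes is hypothetical: a status URL http://intranet.example/gate.txt on an internal web server that returns the single word OPEN or CLOSED, the 10.0.0.0/8 LAN and the en0 interface from the post, and OS X's /sbin/ipfw. It departs from the post in two ways a practitioner would want: it removes only its own two rule numbers instead of flushing the whole table (so any other firewall rules on the machine survive), and it acts only on a change of state, keeping the last applied state when the server is unreachable or returns an error page, rather than flapping the classroom open or shut on every bad fetch. As the post says, a student with admin rights can still undo it.

```shell
#!/bin/sh
# Added example (not from the thread): the "check a web page from cron" gate.
# Assumptions (all hypothetical): GATE_URL serves the single word OPEN or CLOSED,
# the school LAN is 10.0.0.0/8, the iMacs use en0, and /sbin/ipfw is OS X's ipfw.
# Install as root:   * * * * * /usr/local/sbin/netgate.sh run
GATE_URL="${GATE_URL:-http://intranet.example/gate.txt}"
LAN_NET="${LAN_NET:-10.0.0.0/8}"
IFACE="${IFACE:-en0}"
IPFW="${IPFW:-/sbin/ipfw}"                        # IPFW=echo for a dry run
STATE_FILE="${STATE_FILE:-/var/run/netgate.state}"

# Normalise whatever the server returned (case, whitespace, an HTML error
# page, a command-not-found) to exactly OPEN, CLOSED or UNKNOWN.
parse_state() {
    case "$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')" in
        OPEN)   echo OPEN ;;
        CLOSED) echo CLOSED ;;
        *)      echo UNKNOWN ;;
    esac
}

# Decide on an action from what the server says ($1) and what was last
# applied ($2): CLOSE, OPEN or NONE. Unknown input keeps the current state,
# so a dead web server does not change anything in the classrooms.
decide() {
    want=$(parse_state "$1")
    have=$(parse_state "$2")
    if [ "$want" = UNKNOWN ] || [ "$want" = "$have" ]; then
        echo NONE
    elif [ "$want" = CLOSED ]; then
        echo CLOSE
    else
        echo OPEN
    fi
}

# The two rules from the post, installed under fixed numbers so they can be
# removed again by number instead of flushing every rule on the machine.
close_gate() {
    "$IPFW" -q add 1000 allow ip from any to "$LAN_NET" out xmit "$IFACE"
    "$IPFW" -q add 2000 deny ip from any to any out xmit "$IFACE"
}

open_gate() {
    "$IPFW" -q delete 1000 2000
}

# curl ships with OS X: -s quiet, -f treat HTTP errors as failure, -m timeout.
fetch_state() {
    curl -sf -m 5 "$GATE_URL" 2>/dev/null || echo UNKNOWN
}

main() {
    last=$(cat "$STATE_FILE" 2>/dev/null || echo OPEN)
    case "$(decide "$(fetch_state)" "$last")" in
        CLOSE) close_gate && echo CLOSED > "$STATE_FILE" ;;
        OPEN)  open_gate  && echo OPEN   > "$STATE_FILE" ;;
        *)     : ;;
    esac
}

# Run only when invoked with "run", so the file can also be sourced for testing.
if [ "${1:-}" = run ]; then
    main
fi
```

The state file is what makes the once-a-minute cron job idempotent; without it the script would re-add rules 1000 and 2000 every minute while closed. Protect the page behind GATE_URL (the post's password-protected CGI) and the web server itself, since anyone who can write OPEN there controls every classroom.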

BDub
Offline
Joined: Dec 20 2003
Posts: 706
Re: Script?

DrBunsen wrote:

Could you make an Applescript that logs into the router at the appropriate times and does the switchero?

If you end up using the router idea, it may be easier to use a series of curl calls instead of an Applescript. That's assuming that it's a web based control panel though.

__________________

"There is going to be a future: let's chase it until it kills us." - Spider Robinson

chris501
Offline
Joined: Apr 5 2005
Posts: 232
router = no

ok, going back to start again... router is no option, because the responsible person decided a) not to buy a router for every class room and b) not to change the gateway entry on all computers to the router ip.

the ssh method won't work, because we need to have dynamic ip addressing...

damn, i hate it when people tell you to do impossible things with a small budget...

thanks anyway. i'll keep that all in mind and try to convince him of the necessity of a good and clean solution (even if it's not that cheap ;)

__________________

PM G5 1.8GHz SP / PB 12" 800MHz / Acer 3.0GHz HT / Compaq 386@25MHz / Apple Certified Technician & Help Desk Specialist

Eudimorphodon
Offline
Joined: Dec 21 2003
Posts: 1203
Re: router = no

chris501 wrote:

the ssh method won't work, because we need to have dynamic ip addressing...

You could still do the "have the machines check from cron" method, assuming you have one machine with a static IP you can use as a server.

--Peace

chris501
Offline
Joined: Apr 5 2005
Posts: 232
cron or non-cron?

ok, as i don't want to make a cron entry on every single machine, i was working on a solution using apple remote desktop. i send a unix command, where it closes ports 80 and 21 in the firewall. the only problem i get into here is that with the ipfw command i have to use sudo, and then it would prompt for the password... but i don't have the possibility to enter the password over ard !!???!!! *arrrrgh*

another possibility would be, copying over the existing config file for the firewall. but that would imply that i know where the config file is in the file system? maybe anyone has a hint on this!

chris

__________________

PM G5 1.8GHz SP / PB 12" 800MHz / Acer 3.0GHz HT / Compaq 386@25MHz / Apple Certified Technician & Help Desk Specialist

chris501
Offline
Joined: Apr 5 2005
Posts: 232
uuuups.

edited the comment by accident... ;)

__________________

PM G5 1.8GHz SP / PB 12" 800MHz / Acer 3.0GHz HT / Compaq 386@25MHz / Apple Certified Technician & Help Desk Specialist

chris501
Offline
Joined: Apr 5 2005
Posts: 232
update

ok, so far i'm using the apple remote desktop method. i'm able to do the unix command over the net using the root user's rights. works so far, i'm able to open and close ports in the firewall, it is really working perfect without the user noticing anything...

...BUT: how can i make this whole process scriptable? at the moment i'm as far as this:


tell application "Remote Desktop"
    activate
end tell

tell application "System Events"
    tell process "Remote Desktop"
        -- German ARD menu titles: "Gesicherte Vorgänge anzeigen" = "Show Saved Tasks", menu "Vorgang" = "Task"
        click menu item "Gesicherte Vorgänge anzeigen" of menu "Vorgang" of menu bar 1
        -- This is where the selection should be done
    end tell
end tell

quit application "Remote Desktop"

-- Open dialog box ("Internet ist AUS" = "Internet is OFF")
display dialog "Internet ist AUS" buttons {"OK"} default button 1 with icon 1 giving up after 3

that means, i'm opening ard and going to the saved actions, where i have one called "internet off" and another one called "internet on". but how do i choose one of them out of the list???

__________________

PM G5 1.8GHz SP / PB 12" 800MHz / Acer 3.0GHz HT / Compaq 386@25MHz / Apple Certified Technician & Help Desk Specialist