networking - how can i shut down internet access ...

chris501
networking - how can i shut down internet access ...

hello out there!

hope someone's a genius and can help me with that issue. first, let me explain what i'm trying to do:

i have a couple of classrooms fitted with iMacs. all of them have access to the internet over an ethernet connection. what i want to do is find a simple and easy solution for how you can cut off the internet access for a specific classroom. only internet, ethernet should still work though. i was thinking about a solution using a router in every classroom, but i'm not quite sure how to accomplish a fast cutoff (without having to connect to the router, then manually clear several ports, then open them again for browsing)...

ideas, anybody?

thanks, chris

disable any internet browser

disable any internet browser for the student accounts...

On my home router, we have a

On my home router, we have an internet-in port, and the software on the router has the ability to allow, or allow during certain times, internet by IP address.

David

The Czar
Port 8080

Can you just disable port 8080? That's what most http transfers go through, IIRC.

Cheers,

The Czar

chris501
disable port...

yes, of course, that would be possible. but it would mean that i have to connect to the router every time i want to cut off internet for the students.

i was searching for a "one (or maybe two) button solution" or something like that. if it's not possible, i will use the connect-to-router option anyway...

to fynch: i don't want to shut it off permanently, so this is not an option. it's just that i don't want them to browse while the teacher is teaching...

cheers, chris

BDub
Re: Port 8080

Can you just disable port 8080? That's what most http transfers go through, IIRC.

Cheers,

The Czar

Port 80 is for the HTTP protocol. Port 8080 is what a lot of people use to host web servers when their ISP blocks incoming port 80 connections, as a way to ensure that people aren't running webservers off consumer lines.

-BDub

chris501
ah, ok...

...so that means i'll have to block both of them or what? or is only the port 80 interesting in my case?

chris

Re: ah, ok...

...so that means i'll have to block both of them or what? or is only the port 80 interesting in my case?

chris

Ports 80 (http) and 443 (https) are usually the only concern. Port 8080 is usually used by proxy servers, or kiddiez that want to run web servers on RoadRunner or Comcast (who often use port 8000 as well).

In this case, blocking 80 and 443 will do fine.

chris501
thanks for your help...

...i've been looking on the web for a solution to this, but it seems that i'll have to stick with the router thing. anyway, thanks a lot for your help and support!

dankephoto
maybe a smarter router?

How about using a 'puter as a firewall? There's gotta be some very flexible routing sw that can be configured to block or pass ports based on the time of day, perhaps something from Sustainable Softworks. Or perhaps one of the fancy router makers (like Cisco) has something that'll do what you want.

What kind of budget have you got, and how many separate 'zones' do you need to configure? What other services must remain available while inet access is disabled? You can't just pull the classroom plug for the duration of class?

How about having separate logins for inet access? That way you could control which apps are available during class.

Sadly, I know no specific solutions, but I know there's gotta be something that fits your needs.

dan k

...

you could get the Prismiq commander ( http://www.prismiq.com ), as your router (it has WiFi but you can disable it) and just get all big-brother on them, and punish those who can't stay on task.

I think if you need to lock it down in school, you're going about it the wrong way. At work, a lot of employers won't lock you out of web sites (although it's a growing trend). Preparing these kids for the real world where they ARE CAPABLE of visiting websites when they should be doing something else, is paramount.

If I get caught doing stupid internet stuff at work, I'd get written up. It's all about responsible and on-task use. Punish them when they abuse it, and they will stop.

Jon
I know ax0n has some experien

I know ax0n has some experience here as he works for a (large) college. I'd either recommend the crack-down-and-punish method or a smart router. If you've got the budget, I'd jump for a router that can disable 'zones' by time of day, as was suggested below. If you've got a small budget and can't/don't want to set up a computer with the filtering rules, I'd go for the crackdown.

DrBunsen
Script?

Could you make an AppleScript that logs into the router at the appropriate times and does the switcheroo?

chris501
had that idea...

...with scripting last saturday. i was fiddling around a bit, and i think with a bit more scripting experience it could be done that way.

however, i will think over it once again. the track-and-punish method is a bit time consuming, but we'll see what i will find on the net...

by the way, as mentioned before it's only about shutting down internet access. the rest of the network functions should work though.

thanks, chris

Eudimorphodon
IPFW

I have a sleazy suggestion, if your iMacs are all on OS X. Write a script that adds or removes the following IPFW rules from your students' machines' firewalls:

(This is assuming all the machines the students need to reach all the time are inside the 10.0.0.0/255.0.0.0 RFC1918 network, and everything else is verboten. In real life you'd adjust accordingly.)

ipfw add 1000 allow ip from any to 10.0.0.0/8 out xmit en0
ipfw add 2000 deny ip from any to any out xmit en0

IPFW is first match, so the first rule will let traffic reach your school network, while the second one stops everything else. To allow traffic again, run this command:

ipfw -q flush

(Of course, if you're actually using the OS X firewall you might want to make it a little more elaborate and use the "set" commands to swap out full rulesets, but you get the idea.)

So how would you turn this on or off all at once? Two suggestions:

1: If the macs all have static IPs, use ssh-keygen to make an entry key to stick in all the machines under a hidden user account. Modify /etc/sudoers to allow that hidden user to run two scripts to bring the rules up and down. Then from your master computer write a little script that on command uses SSH to fire off the firewall up/down command to all the student machines.

2: Write a script in perl/python/whateverfloatsyourboat which can fetch an HTTP URL, read a value out of it, and add or remove the firewall rules based on that value. Stick it in root's crontab on all the student machines, set to run once a minute. Then erect a hidden webpage on an internal webserver somewhere on the school network that you can quickly change based on whether you want internet access or not. (Maybe do a trivial bit of password-protected CGI or PHP which writes "OPEN" or "CLOSED" to a file which the clients then examine.)

(The nice thing about this is it doesn't matter what IPs the student machines have. You could move them anywhere inside the school network and it'd still work.)

There's the nerdy UNIX suggestion, anyway. It's nice in the sense that you don't need to put a router in front of each classroom.

Note of course that if the students have "admin" access they can override this. Also, if they can reboot the machines I'd recommend using the second option in which the machines regularly check whether they should allow traffic or not. Otherwise you might just have the little nippers rebooting right after you send the "close" command.

--Peace
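One way to write the client side of suggestion 2 above, as an added example in Python 3 (not the poster's script): it polls a status page, accepts only OPEN or CLOSED, and applies the two IPFW rules from the post. The status URL is an assumption; the 10.0.0.0/8 network and the en0 interface are the values from the rules above.

```python
import subprocess
import urllib.request
from urllib.error import URLError

STATUS_URL = "http://intranet.example/internet-status.txt"  # assumed
LAN_CIDR = "10.0.0.0/8"  # school network that must stay reachable (from the post)
IFACE = "en0"            # interface the rules are bound to (from the post)

def parse_status(body):
    # Only the two expected tokens count; an error page or empty body
    # yields None, meaning "leave the current rules alone".
    token = body.strip().upper()
    return token if token in ("OPEN", "CLOSED") else None

def fetch_status(url=STATUS_URL, timeout=5):
    # A network failure is treated exactly like an unreadable page.
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return parse_status(resp.read().decode("ascii", "replace"))
    except (URLError, OSError):
        return None

def rules_for(state, lan_cidr=LAN_CIDR, iface=IFACE):
    # Both branches start with a flush so a job that runs every minute
    # never stacks duplicate 1000/2000 rules on the machine.
    flush = ["ipfw", "-q", "flush"]
    if state == "OPEN":
        return [flush]
    if state == "CLOSED":
        return [
            flush,
            ["ipfw", "add", "1000", "allow", "ip", "from", "any",
             "to", lan_cidr, "out", "xmit", iface],
            ["ipfw", "add", "2000", "deny", "ip", "from", "any",
             "to", "any", "out", "xmit", iface],
        ]
    raise ValueError("unknown state: %r" % state)

def apply_state(state, run=subprocess.check_call):
    # Returns the number of commands run; `run` is injectable for testing.
    if state is None:
        return 0
    cmds = rules_for(state)
    for cmd in cmds:
        run(cmd)
    return len(cmds)

if __name__ == "__main__":
    apply_state(fetch_status())
```

Because `flush` wipes every rule, a machine that relies on other ipfw rules needs the set-based variant the post mentions instead of this flush-and-add approach.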

BDub
Re: Script?

Could you make an AppleScript that logs into the router at the appropriate times and does the switcheroo?

If you end up using the router idea, it may be easier to use a series of curl calls instead of an Applescript. That's assuming that it's a web based control panel though.

chris501
router = no

ok, going back to start again... router is no option, because the responsible person decided a) not to buy a router for every classroom and b) not to change the gateway entry on all computers to the router ip.

the ssh method won't work, because we need to have dynamic ip addressing...

damn, i hate it when people tell you to do impossible things with a small budget...

thanks anyway. i'll keep that all in mind and try to convince him of the necessity of a good and clean solution (even if it's not that cheap) ;)

Eudimorphodon
Re: router = no

the ssh method won't work, because we need to have dynamic ip addressing...

You could still do the "have the machines check from cron" method, assuming you have one machine with a static IP you can use as a server.

--Peace

chris501
cron or non-cron?

ok, as i don't want to make a cron entry on every single machine, i was working on a solution using apple remote desktop. i send a unix command that closes ports 80 and 21 in the firewall. the only problem i get into here is that with the ipfw command i have to use sudo, and then it would prompt for the password... but i don't have the possibility to enter the password over ard !!???!!! *arrrrgh*

another possibility would be copying over the existing config file for the firewall. but that would imply that i know where the config file is in the file system. maybe anyone has a hint on this!

chris

chris501
uuuups.

edited the comment by accident... ;)

chris501
update

ok, so far i'm using the apple remote desktop method. i'm able to do the unix command over the net using the root user's rights. works so far, i'm able to open and close ports in the firewall, it is really working perfectly without the user noticing anything...

...BUT: how can i make this whole process scriptable? at the moment i'm as far as this:


tell application "Remote Desktop"
    activate
end tell

tell application "System Events"
    tell process "Remote Desktop"
        click menu item "Gesicherte Vorgänge anzeigen" of menu "Vorgang" of menu bar 1
        -- This is where the selection should be done
    end tell
end tell

quit application "Remote Desktop"

-- Open the dialog box
display dialog "Internet ist AUS" buttons {"OK"} default button 1 with icon 1 giving up after 3

that means i'm opening ard and going to the saved actions, where i have one called "internet off" and another one called "internet on". but how do i choose one of them out of the list???
