I want to set up my Fedora machines so that
when a student logs in ALL http/s requests go
thru the proxy whereas when a staff member
logs in they don't.
I want this to be machine wide and not just a
specific browser otherwise I am going to have to
purge the machine of anything browser like
( or they might just bring a browser in on
a memory stick )
All staff members have a username that starts st
and all students have a user name that starts
with the last 2 digits of their year of intake
Both get their authentication and user information
from an OpenLDAP server
well i would say that that's a bad design. why wouldn't a student simply remove the proxy?? all requests should hit the proxy, it should be impossible to reach the internet without doing that. you yourself point to their ability to use a USB stick, and if it's *their* software, it's *their* call if they use a proxy or not.
you do have issues in terms of what will and will not pay attention to a shell level proxy detail. there's a firefox plugin which will utilize http_proxy - https://addons.mozilla.org/en-US/firefox/addon/3896 and if that's cool by you then it's just a modified /etc/profile that you need really:
Students and staff MUST use the proxy
Students must be filtered to proxy policy 1
Staff must adhere to proxy policy 2
Mal and dave/matt/pete/mike in IT can do whatever they want
is it easy in XP? unless you're making deep down firewall system level changes, a browser like firefox needn't pay any attention to group policy at all.
The reason for Fedora is exactly what we are talking about
We have to nail XP machines down so much to prevent
the students doing anything that the parents/governors/LEA/government
may object to that it is pretty much useless - then on top of that
we have to 'try' and stop them messing with the machine itself
- we even have to stop right click.
Interestingly, having become experts in locking down Windows
machines, XP and group policies will fail in a 'non-safe' way
if you try hard enough.
Linux offers the chance to improve the computing experience
without the massive restrictions that a dog like XP forces upon us
We have a competition running to see if the students can break
Fedora and as yet no one has ...but the first thing they did was
launch everything to see if they could get to facebook/myspace etc
well, as acid_kewpie said, the best way is to set up two policies,
one for the students and one for the teachers
squid also has an authentication method which you can put all the teachers' usernames and passwords in, so that way they can log on with no problems
Also you can use IP addresses to restrict who browses and who can't. You can also state what websites they can go to and, most importantly, you can deny them viewing or downloading pictures, music and anything you want. You could have some fun with that; I used to.
Without pictures, believe me, students won't enjoy browsing if they actually get through to the internet
also you can put your policies in a file and refer to it in squid
But unfortunately I don't have any link to help you configure squid
if you search you should get some
here's a thought, if you *really* wanted to do so, you could actually use the owner module in iptables to check the gid of the owner of the process wanting the connection. assuming you had separate groups for staff and students then it would be feasible for the firewall settings on the system (which *couldn't* be bypassed by the user without root perms) to actually do what you want directly, assuming that a transparent proxy would be sufficient (i.e. no authentication / user name tracking) without direct login sessions.
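The owner-match approach from the last post, sketched as an added example that is not part of the original thread. It assumes a group named `students` that is the primary group of student accounts and an intercepting proxy listening on local port 3129 of the same machine; both names are hypothetical. It goes one step beyond the post by refusing direct HTTPS for that group.

```shell
#!/bin/sh
# Added example: per-group egress rules using the iptables owner match.
# Assumptions (not from the thread): group "students" is the primary group
# of student accounts; an intercepting proxy listens on local port 3129.

# Dry run by default: print each command. APPLY=1 (as root) executes them.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# student_proxy_rules GROUP PROXY_PORT
student_proxy_rules() {
    group=$1 port=$2
    # Refuse anything that is not a plain group name or a valid TCP port.
    case $group in
        ''|*[!A-Za-z0-9_-]*) echo "bad group: $group" >&2; return 2 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "bad port: $port" >&2; return 2; }

    # The owner match only sees locally generated packets, so the rules
    # live in OUTPUT. Plain HTTP from the group's processes is redirected
    # to the local proxy port, whatever browser or tool opened the socket.
    run iptables -t nat -A OUTPUT -p tcp --dport 80 \
        -m owner --gid-owner "$group" -j REDIRECT --to-ports "$port"

    # Port 443 carries TLS, which a plain HTTP intercept port cannot serve,
    # so direct HTTPS from the group is refused (loopback is left alone).
    run iptables -A OUTPUT ! -o lo -p tcp --dport 443 \
        -m owner --gid-owner "$group" -j REJECT --reject-with tcp-reset
}

student_proxy_rules students 3129
```

Staff processes match neither rule and go out directly. Rules added this way do not survive a reboot unless they are saved by the distribution's firewall service.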