[03:38] Evening all
[03:40] hi sbalneav
[06:23] Good morning
=== tester123 is now known as hehehe
[10:59] hey folks, I've been tasked at work with finding a good local side http filter... u guys know of anything?
[11:15] nubae|work, https://launchpad.net/gchildcare could be a good point
[11:15] but I think its not functional nowadays
[13:44] dansguardian does local http filtering
[13:44] you'll need to install a proxy
[13:47] looks like some work is being done here too: https://launchpad.net/webcontentcontrol
[15:08] mhall119|work, how would that work... I mean in this case that kids are all getting laptops, and when they are outside school their content needs to be filtered too
[15:09] so could one install a local dansguardian for this purpose?
[15:09] Morning all
[15:10] hi sbalneav
[15:10] do u know of a good way to filter local content (ie, no server side proxy based filtering a la dansguardian)?
[15:12] Well, apart from the fact that I'm morally opposed to the idea of filtering, I'd say install dansguardian locally, and then set up transparent proxying.
[15:12] Or by local are you referring to file:// urls?
[15:14] nubae|work: dansguardian and a proxy server would both be running on their laptops
[15:15] point system and FF proxy settings to the local proxy server port, hook the proxy in with dansguardian (tutorials on this available online), and you're good to go
[15:15] Usually, if you don't want someone to get around the proxy, you have to use transparent proxying with iptables redirects.
[15:15] iptables is the best way to go
[15:15] you can have iptables send traffic through the local proxy and dansguardian
[15:15] transparently
[15:17] Of course, if the kid's smart enough, they can set a forwarder on a non-standard port to an external proxy... :)
[15:17] nubae|work: http://linux.com/archive/feature/113733
[15:17] sbalneav: iptables can route all traffic through the transparent proxy
[15:17] sbalneav, I've done this before but usually for a server side environment
[15:18] mhall119|work: What, forward EVERY port not in use otherwise through the proxy?
[15:18] mhall119|work, thanks, I'll give it a go
[15:18] sbalneav, actually its just forward all traffic to port 80
[15:18] and/or port 443
[15:18] yeah
[15:18] works quite well
[15:18] used that setup at the school I worked at
[15:19] so what happens if the kid starts up an ssh forwarder from the local box to an external proxy on port 8080, say?
[15:19] but here at guadalinex... government is giving laptops to all the kids, and they dont wanna be caught by the press giving access to dangerous material when the kids go home
[15:19] traffic goes to port 80
[15:19] iptables reroutes everything
[15:19] No, traffic does NOT always go to port 80
[15:19] on the server
[15:20] u force it to with iptables
[15:20] but this might not work locally
[15:20] agreed
[15:20] ssh port forwarding still goes through the kernel, yes? so those packets still get trapped by iptables, yes?
[15:20] no
[15:21] no?
[15:21] no on which?
[15:21] You're only forwarding port 80
[15:21] What happens if the kid sets up a forwarder to, say, port 6566
[15:21] sorry.. totally explained it wrong... here is the rule: iptables -t nat -A PREROUTING -p tcp -i $INTIF -s 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 8080
[15:21] so everything from 80 goes to 8080 which is dansguardian
[15:22] Sure.
[15:22] it wont work
[15:22] if dansguardian is not running, no net access
[15:22] so it must go through
[15:22] ssh -D 9999 my.home.box
[15:23] set ff proxy to go to port 999
[15:23] http:redtube.com
[15:23] done
[15:23] nope
[15:23] iptables won't let the traffic through
[15:23] right
[15:23] How so? Traffic's not going over 80
[15:24] only dansguardian packets are allowed out
[15:24] it's going over 9999
[15:24] sbalneav: you block all outbound traffic from the filtered user
[15:24] ah, well if you're going to do that, then fine.
[15:24] the user can _only_ access the local dansguardian
[15:24] and _only_ dansguardian can access the rest of the internet
[15:24] But that's going to break other things you might want to do.
[15:24] such as?
[15:25] Videoconferencing, f'rinstance
[15:25] right thats what dansguardian does... well... usually linked to squid
[15:25] well u make a special rule for that
[15:25] sure.
[15:25] like for port 443
[15:25] and such
[15:25] and if you're not running videoconferencing, then that's an open port
[15:26] ssh -D $VIDEOCONFERENCEPORT myexternalhost
[15:26] right... but still since its not coming from port 80
[15:26] dansguardian ignores it
[15:26] as webpage
[15:26] dansguardian doesn't enter into it if they're running their own proxy via ssh
[15:26] but iptables does enter into it
[15:27] but we just said: it's an open port
[15:27] here is a diagram: http://dansguardian.org/?page=dgflow
[15:27] you can probably open it only for specific destinations
[15:28] so, you can videoconference with skype, but not my.home.box
[15:29] Sure. And when skype changes their IP addresses on you, then you've got 20,000 laptops borked.
[15:29] yeah its only valid for the network u set in iptables I guess
[15:29] ah, no one said it was perfect :-)
[15:29] or require that videoconferencing go through the proxy just like web traffic
[15:29] yeah thats whats done with 443 content
[15:29] send it through the filter
[15:29] But whatever. Personally, I favour education, and a sound policy with clear consequences. But carry on. :)
[15:29] I agree
[15:30] sbalneav, I agree wholeheartedly
[15:30] to a point
[15:30] but this is work...
[15:30] I'm forced to do this
[15:30] Sure.
[15:30] my 5 and 4 year old's computer has filtering, not because I don't trust them, but because I don't trust the internet
[15:30] Best web filter I ever installed was the one I put in my kids' mind. :)
[15:30] they won't be browsing for porn, but that doesn't mean they won't run across it
[15:30] sbalneav, mhall119|work 's view applies there though still
[15:31] anyway, mhall119|work where did u see that doc...? on dansguardian's pages there is a link
[15:31] but its broken
[15:31] oh wait, u pasted above
[15:31] never mind
[15:32] http://dansguardian.org/?page=documentation there's several other HOWTOs here too
[15:32] I'm going to work on improving the dansguardian package for Qimo 2, so if you have any ideas for making it easier/better let me know
[15:35] might make a dansguardian-local-filter metapackage that depends on a proxy and does the configuration during install
[15:35] nubae|work: Does work, BTW, have a good "introduction to the internet" course for the kids, that talks about the things they might encounter, along with a clear enunciation of the school's policy and outlining of the consequences, together with a brochure/manual for the parents that needs signing off?
[15:35] My school didn't :(
[15:36] mhall119|work, u could add a section to linux-for-education.org for Qimo
[15:36] sbalneav: I'd love to see a school capable of doing that accurately and honestly
[15:37] nubae|work: s/could/should/
[15:38] mhall119|work, well, I have to document everything here at work, though it will be in Spanish :-)
[15:38] mhall119|work, u're right.... you SHOULD add a section for qimo
[15:38] google translates
[15:38] even if it includes just one course
[15:38] might entice others to add to it
[15:39] nubae|work: I've passed on your request to #ubuntu-us-fl, and my wife is going to pass it along to her English teacher friends
[15:39] Well, and that's currently a problem. I appreciate that the filtering's needed. The problem comes in that no matter WHAT you do, there'll be a way around it. You'll forget an iptables rule. dansguardian will have a bug. Something. Then it blows up into a huge mess in the media, like it did in my division, because they didn't have the POLICY and EDUCATION bit in there, and were relying solely on the technology to do it right.
[15:40] sbalneav, thats a very good point... can u point me to that policy doc?
[15:40] * nubae|work tries to keep his ass covered
[15:40] No, that was the problem: they didn't HAVE one.
[15:40] nobody I know of HAS one
[15:40] right, but u said u have one now that u showed to your kid, no?
[15:40] However, there *are* some good docs out there. We've got one at work.
[15:40] at least, not a good one
[15:40] nubae|work: No, I laid out my *OWN* policy to my kids :)
[15:41] mhall119|work, u should see the links are now fixed btw
[15:41] no more pointing to nubae.selfip :p
[15:41] my college's internet use policy states that _all_ downloads of music and video from the internet are illegal
[15:41] nubae|work: cool
[15:41] mhall119|work: Even CC music?
[15:41] i.e. jamendo, etc?
[15:41] sbalneav: those writing the policy were evidently unaware
[15:41] that's the problem
[15:42] the information is either not enough, or too generalized
[15:42] well, they probably figured... open source music doesnt exist
[15:42] therefore its all illegal since its all copyrighted
[15:42] I'm not sure they'd even recognize an Ubuntu torrent as legal
[15:42] Might be interesting if edubuntu actually wrote *UP* some boilerplate policies for schools to consider/modify for their own use.
[15:43] sbalneav: fabulous idea
[15:43] now you just have to find someone with enough time to do it
[15:43] thats like a teacher I overheard in a school once telling her students... now children.... what does this symbol mean (c) ?
[15:43] And, interestingly enough, I work with lawyers who owe me favours.
[15:43] it means dont touch... illegal she said sternly
[15:43] what?!?
[15:43] to which I couldn't resist interjecting
[15:43] mhall119|work: Dude, I *never* suggest something should get done that I'm not willing to take on myself.
[15:44] I'll have a look at it.
[15:44] and she said defensively... I know... but they won't understand if I explain it another way
[15:44] I was like...
[15:44] sbalneav: put up a wiki page and we can start with a list of topics to cover, and an outline
[15:44] mhall119|work++
[15:45] probably the best thing to start with is defining an audience, and what we want to convey to them
[15:45] ie, do we want/need to discuss the licensing issues that make some content legal and others not
[15:45] or, do we just want to say that they are responsible for obtaining permission to download any content so that it is legal
[15:46] For a boilerplate, that would be best.
[15:47] okay, so wiki sections for Audience, Intent of Message, and then list topics to cover
[15:47] A school may decide even if something's LEGAL to download (i.e. CC licenced music) they don't WANT the kid to do it, as it may fill up the hard disk, etc.
[15:47] from there we can pick which topics we want and start an outline
[15:47] sbalneav: I think any technical issues like that are best left to individual institutions
[15:47] Right.
[15:48] And we should note that in the boilerplate.
[15:48] the network/computer admins are usually smart enough to define those at least
[15:48] i.e. (in red) "Insert your school's technical policy on media here"
[15:48] Ideally, I'd like this to be something I can include with the computers I give away, which aren't necessarily associated with a school
[15:49] many charities might like that
[15:49] Even if we simply DEFINE the things they should THINK about in a policy, that'd be a help. I.e. content filtering, consequences of bypassing controls, licensed media, installing non-school supplied programs, etc.
[15:49] Sure.
[15:50] so what would u call that kind of document?
[15:50] Well, a policy template, or a policy checklist, one supposes.
[15:53] End User Licensing Agreement
[15:53] hehehe (lol)
[15:54] but would it be a Usage policy Agreement?
[15:54] that's a sure fire way to make sure nobody ever reads it, or follows it
[15:54] hehe... I can see it already... we're gonna get all parents to sign the UPA
[15:55] well, we can force parents to read the thing if they want their kids to use the computer on the net at home
[15:55] not a bad idea, really, make the parents agree that they are ultimately responsible for their kid's activities
[15:55] so... computer detects its on a nonschool network, up comes the policy
[15:56] and it stays there for a reasonable amount of time, + scroll down they must to hit accept
[15:56] even force it to scroll down real slow
[15:56] we already have a liability waiver we make parents sign when we give out computers
[15:56] so like it scrolls slow enough that its more boring not to read it, than to wait
[15:57] sorry, than to pay attention to it
[15:57] nah, just make it a precondition to giving them the computer in the first place
[15:58] that's how I do it
[15:58] This sort of thing's important, IMHO, since a well written policy can/should cover off instances where the technology fails for one reason or another.
[15:58] Hm
[15:58] You don't want to take responsibility for what your kid does on this computer? Fine, they don't get it
[15:58] I'm working on revamping the handbook, wonder if it should be a section in that.
[16:00] mhall119|work, try that with 750,000 netbooks ;-)
[16:00] * nubae|work works on Guadalinex-edu used by 3500+ schools
[16:01] and we are currently giving, courtesy of our friendly government, a laptop to every child in Andalucia (our autonomous region)
[16:01] hence the filter stuff
[16:02] but I like the idea of a policy... it should indeed be there, at least so our asses are covered, should the parents/kids bypass whatever system is put in place for content filtering at home
[16:03] in other words, the parents should be able to easily read it should they want to
[16:04] nubae|work: ur doing filtering ?
[16:05] i'm looking for a good filtering solution
[16:05] Ahmuck, right now I'm doing filtering yes
[16:06] if I dont find a good filter, I'll pick up willowng (a discarded python project) and work on that
[16:06] in other words, if the local dansguardian/squid method doesnt work
[16:18] dansguardian is a pay product iirc ?
[16:21] nope
[16:22] they may offer a pay proxy service, but the software itself is free
[16:31] hi Svenstaro
[16:31] Heyo
[16:31] mhall119|work: so without the proxy service, how does that work ?
[16:31] Ahmuck, squid = proxy
[16:31] Ahmuck: you run the proxy locally
[16:32] squid = free
[16:32] hrm, ok
[16:32] or what mhall119|work said
[16:32] (grin)
[16:32] yes, but doesn't dansguardian offer a "black list" ?
[16:32] sure, u can use tht
[16:32] that
[16:32] that part is free
[16:32] I'm not sure what you guys are talking about but if you want to black list sites per topic automatically, I can recommend using opendns
[16:32] its free as well, dansguardian itself has a weird license that makes it undistributable though
[16:33] but you can use it
[16:33] Svenstaro: i'm using opendns and it'll never work for an edu system
[16:33] ugh, opendns
[16:33] Uh, whats wrong?
[16:33] well, bing for one is not allowed
[16:33] That is a good thing
[16:33] it breaks the dns protocol
[16:33] but there are plenty of ways to work around it
[16:34] So what else doesnt work?
[16:34] also... what happens to www.wellknowndomain.com/subfolder/offensivematerial?
[16:34] u block all of wellknowndomain?
[16:34] I don't know about the OpenDNS policy there
[16:34] It's just a DNS service after all
[16:36] well, its a reason why its not a good solution... u cant block subfolders, or if u do, u end up blocking whole domains (imagine blocking all of yahoo, because there are offensive pages on it somewhere)
[16:36] deviantart is one of the blocked domains
[16:36] deviantart has some good art, and some "off color" art as well
[16:37] photos, etc.
[16:37] yeah they have to make a tradeoff... a bad one
[16:37] if it contains just a little bad stuff... block it
[16:38] anyway... think the way to go is what mhall119|work posted Ahmuck:-
[16:38] google images is another one
[16:38] which is why i think bing is blocked
[16:38] and if you've used bing, it's a reasonable search engine
[16:38] https://launchpad.net/webcontentcontrol
[16:39] until either gchildcare or willowng is ready
[16:39] mhall119|work: endian firewall, ipcop, and smoothwall do transparent proxies and have blocking capabilities
[16:39] Which option blocks deviantart?
[16:39] I don't mind Yahoo being blocked though
[16:39] Ahmuck: I'll add them to my list
[16:39] opendns blocks deviantart
[16:39] No, which option? Adult?
[16:39] Ahmuck: do they do content-based filtering?
[16:40] yes, based on blacklists
[16:40] but blacklists of whole domains
[16:40] they have squid built in
[16:40] so i put them between me and the inet
[16:40] Ahmuck: dansguardian does content-inspection
[16:40] so www.wellknowndomain.com/subfolder/offensivematerial will be blocked
[16:40] squid built in? how does that work.. u need a local cache, not a remote one
[16:40] even if all of www.wellknowndomain.com isn't
[16:41] http://www.copfilter.org/
[16:41] squid is a part of ipcop upon installation
[16:41] ah ok
[16:41] I misunderstood, thought u meant it was part of opendns
[16:41] iirc
[16:42] Can you recommend copfilter?
[16:42] I'm using IPcop anyway
[16:43] Thought copfilter did virus stuff only
[16:43] if you have the processor and the memory
[16:43] copfilter takes a lot of memory
[16:43] cause it's looking at everything
[16:43] I know
[16:43] u might consider endian. these are already built in
[16:43] A 2ghz something with 2GB should be ok
[16:44] however, i was never able to get endian working
[16:44] What's endian?
[16:44] I really want to keep using IPCOP :)
[16:44] a word of warning, i put it on an older machine and decided to purge it, ended up having to re-build my ipcop machine. so you'll want to save a configuration to disk before you change to copfilter
[16:44] endian is a branch from ipcop
[16:44] smoothwall --> ipcop --> endian
[16:45] http://www.endian.com/en/community/
[16:45] ipcop is a branch off of smoothwall
[16:45] Ohh
[16:46] Is IPCop sucky now and I didn't notice or why did they branch it?
[16:47] Ugh, endian has "commercial" written all over it. I don't mind commercial or proprietary stuff, but when it jumps into your face and tries to rip your eyeballs out, that's usually a bad sign.
[16:48] shorewall rocks...
[16:48] or rocked...
[16:49] now just use ufw
[16:50] ufw?
[16:50] uncomplicated firewall
[16:50] Isn't that a desktop firewall?
[16:50] So, if anyone's interested in some "do-it-yourself" work, in my "new" role as sabayon-upstream developer, I've been working on adding one of our most desired features: profile application by group.
[16:51] Should you be interested in following the action/hilarity/blundering, my git repo's at:
[16:52] http://github.com/sbalneav/sabayon/tree/master
[16:53] http://www.cafepress.com/cp/moredetails.aspx?productNo=393885992&colorNo=-1&pr=B&showbleed=false&tab=1&Zoom=1
[16:53] sysadmin day - one day is not enough !
[16:54] endian has all the "stuff" added in. they started out as community and then branched the community to commercial/community
[16:55] Svenstaro, what is a desktop firewall?
[16:55] smoothwall is the same, commercial/community
[16:55] Something that is not a server firewall, with GUI and stuff like that
[16:55] surely if it runs as a daemon there is no distinction
[16:55] then no
[16:55] ipcop grew out of smoothwall's decision to take it commercial
[16:55] but it does have a gui for it if u want to use it
[16:56] there is no such thing as a desktop firewall though
[16:56] that would imply it only ran with a gui, and couldnt run in the background
[16:57] * nubae|work notes himself becoming nitpicky... :-)
[16:57] * ogra whacks nubae|work for being so german today :P
[16:58] ufw is just a frontend to the kernel's firewalling that's supposed to improve usability ...
[16:58] i.e.: ufw enable masquerading from eth0 to eth1
[16:59] isss veeery niiice
[16:59] :-)
[16:59] would at some point enable everything that's necessary to have masquerading between the two interfaces ... no hoops to jump through, no complicated syntax
[16:59] its not there yet, it does a lot already but not everything
[17:00] (especially not masquerading :P )
[17:00] what Svenstaro was pointing to was gufw ... which is the gui for ufw ...
[17:00] I see
[17:00] masquerading as in a different mac address ?
[17:01] but that calls the ufw commands in the backend
[17:01] I usually do masquerading and interface forwarding by hand so that might come in handy
[17:01] right, gufw will have something like the "internet connection sharing" checkbox in windows at some point ...
[17:02] and the cmdline variant should be as easy
[17:02] "at some point"? It's extremely trivial to do
[17:02] its trivial to do it somehow ... the devs want to do it perfect ;)
[17:02] Set source and end interface and enable IP forward and that's it
[17:02] * nubae|work thought it already had that
[17:03] it does
[17:03] Anyhow, I wanted to ask, how is Edubuntu currently? I went away for a bit because I was both busy and I wanted to wait until you had sorted out the issues that somehow we couldn't agree on.
[17:03] not in the way its supposed to be in the end, but yes, you can already enable masquerading easier than hacking in iptables rules
[17:04] edubuntu is just coming to life again lately after being unmaintained for quite some time ... LaserJock, stgrabe and highvoltage made some effort to get up the interest again
[17:05] though apparently nobody tested the images for today's alpha5 release
[17:05] ogra: that's because our seeds aren't right yet
[17:05] ah
[17:06] ogra: LaserJock tried to get them right in time but it didn't work out
[17:06] sad ... but there is always A6
[17:06] lol
[17:06] ogra: it's going to be very tight
[17:06] hmm.. shouldnt be loling....
[17:07] highvoltage, well, its your first release after the reorganization ...
[17:07] ogra: I thought that the full install disc should have waited for karmic+1, but the overwhelming response was that edubuntu is useless as an add-on disc and that we should go for broke
[17:08] well, up to you guys :)
[17:08] i think getting enough testers will be hard with DVD size ... but you'll see
[17:08] oh wow, I didnt know it was going to be a distro again
[17:08] ogra: I think it would be really cool if we can pull it off. I trust LaserJock and he got the seeds close to being sorted out, I think we can make it for the 6th alpha.
[17:08] * nubae|work gets enthusiastic
[17:08] highvoltage, well, you have to
[17:09] ogra, there's been a lot of people involved
[17:09] ogra: it was hard getting testers with a 300MB iso even
[17:09] yes
[17:09] Ahmuck, will they help testing regularly if they have to do a 6h download ?
[17:09] ogra?
[17:09] DVDs are quite different
[17:10] well even with my slow bandwidth rsync is fast
[17:10] rsync?
[17:10] even the ubuntu DVDs are usually released later because they are so big
[17:10] i don't mind testing
[17:10] Ahmuck: we'll take you up on that
[17:10] or zsync
[17:10] heh :)
[17:10] hey, me too...
[17:10] nubae|work, yeah, we switched everything to zsync in karmic
[17:11] btw... right now guadalinex is based on ubuntu...
[17:11] nice, I like zsync
[17:11] it always was
[17:11] but even so, i think you devalue the community by stating a select group of users are the reason edubuntu is coming alive again.
[17:11] but it could be based on edubuntu
[17:11] indeed
[17:11] ogra, u talking to me?
[17:11] yes
[17:11] well it wasnt always no
[17:12] sure
[17:12] it was based on debian first
[17:12] nubae|work: at the last uds they said they would use straight edubuntu if we can solve their menu problems, which is kind of done
[17:12] huh ?
[17:12] server version still is actually
[17:12] * ogra wonders what he did in sevilla the last years then
[17:12] yup... then it was based on Guadalinex... which is not the same as guadalinex-edu
[17:12] this was in 2003
[17:13] first year only
[17:13] oh, 2003
[17:13] indeed there was no ubuntu back then :)
[17:13] :p
[17:13] proof!!
[17:13] lol
[17:13] since i was involved in edu in ubuntu i was always working with these guys ...
[17:13] i dont know about the time before my time
[17:14] gosh am i ignorant :P
[17:14] anyway, guadalinex itself is pretty shitty
[17:14] and guadalinex-edu is supposed to be based on it
[17:14] but its not
[17:14] its based on ubuntu direct
[17:14] yeah
[17:14] i know the problem
[17:15] but they improved
[17:15] yeah, politicians like to take pictures every once in a while with guadalinex
[17:15] it used to be the case that they took the released version and trew stuff and hacks on top
[17:15] but I think other than the discs they use in the pictures
[17:15] its unused
[17:15] *threw
[17:15] yeah
[17:15] they synced up their releases
[17:15] problem of any distro based on a distro
[17:16] yep, smartest move ever
[17:16] so they can do their work in ubuntu instead of on top
[17:16] also, somehow it makes them upstream a little more
[17:16] though very little
[17:16] well, that was part of my work to convince them ...
[17:17] well then u did a good job ;-)
[17:17] now that you are there, move forward and get them to be upstream edubuntu ;)
[17:17] and everyone wins :)
[17:17] now we are contemplating switching server to ubuntu server
[17:17] cool
[17:17] debian server that is
[17:17] the cloud stuff must be very interesting for a project like guadalinex
[17:17] or just plain debian even
[17:17] gosh...
[17:18] well, deployment is a nightmare...
[17:18] gadi's sbs might be a solution
[17:18] we'll see
[17:18] sbs ?
[17:19] the wireless usb stick that is kinda LTSP
[17:19] :-)
[17:19] ah, that, yeah
[17:19] he showed me one two years ago
[17:19] though it was still in development
[17:19] it actually fits the profile here quite well, now that notebooks and wireless networks are the new trend
[17:19] yup
[17:21] so yeah edubuntu becoming a distro again sounds interesting... if guadalinex-edu becomes an offspring... that would give it some real traction
=== nubae_ is now known as Nubae
[23:05] Minor miracle here: I successfully got CmapTools to initiate a graphical install in the chroot.
[23:06] actually, I'm in process and it is asking where to install it.
[23:06] Where is a good place to install the folder containing all the files for the application when you are going to use it as a localapp?
[23:07] In other words, in which directory in the chroot do you install applications when they will be localapps?
[23:19] "For the record..." it appears that the Firefox 3.5.2 folder is installed in /opt/ltsp/i386/usr/lib (or from the chroot perspective: /usr/lib). I'll try there.