Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Help filtering internet access

+PAX


Greetings all, and a Merry Christmas!


We're a small monastery. And due to this, we need to implement some Internet filtering. Unfortunately, it's not the basic kind of filtering. Frankly, I'm not sure that all of what we're looking to do can be done. But I'm at a loss about where I can look for this information.


At the moment, we've got a basic network, that you'd find a family home: DSL modem-router, a bunch of Ethernet hubs, and a whole bunch of cables.

The computers are mainly running Fedora Linux. There are 3 windows statioins, and 2 OS X stations.


The perfect solution is to be able to have 1 network, where there are 2 or 3 rooms where the Internet is accessible. And, those who have laptops, that they can bring their laptop to these rooms, and have Internet access, but NOT have access while connected to the network in other places. (Complicated, I know).


If that's not possible, ok. (Frankly, I don't think it is, but am very open to suggestions).


What really do need is to be able to allow an Internet connection, restrict bascially all web-surfing, while allowing e-mail, skype, and updates. The updates are my biggest problem. We already have a rule established on the modem-router that blocks surfing activity at night, but still allows e-mail and skype. Yet, this rule also blocks the apple AppStore updates.


So, I'm wondering if we get OSX server, would this help the situation? Where can I get more info about OSX server's filtering capabilities?

If we can't establish all the blocking that we need, then it'd be great if we could have some type of report of each person's activity.


Thanks for the help!

MacBook Pro, OS X Mavericks (10.9), 2,8 GHz i7, 4 GB DDR3

Posted on Dec 26, 2013 2:40 AM

Reply
Question marked as Best reply

Posted on Dec 26, 2013 7:30 AM

IMO, OS X Server won't be a good solution as a network filter. It might be useful here, but it very likely won't be your most appropriate choice as a network-gateway-router system.


FWIW, I'd suggest pursuing this in a Fedora-focused networking forum, in general. This given that's your most common platform.


Assuming wired networks, you can divide up the access via managed switches and a VLAN, or via physical network segmentation. WiFi is somewhat harder to segment, short of having a guest network and a private network; you'd need access points (APs) with two networks configured, one of which allows a little more access, and the other that's presumably restricted to the local IP address space.


There are gateway routers around which allow several different segments to be maintained, but they're generally starting in the ~US$250 range and upwards, and usually expect a little more knowledge of IP networking and related topics than the residential routers that are in common use.


Here is Apple's network port list.


As for the updates, OS X Server can cache those, as can the Reposado tool on a Fedora system.


A common solution involves a web proxy filter, where all connections must pass through that device. The connections used for the OS X Server or Reposado server itself to download updates would need to be programmed to allow access, but the other local OS X clients could be aimed at the local server. In your case, your filter can block all outbound connections to TCP 80 and TCP 443 entirely, save for the specified servers loading updates from their respective upstream sources.


Email is fairly easy, as you'll probably want to block outbound TCP 25, but allow POP via SSL and IMAP via SSL and allow the submission ports (TCP 486 and TCP 587).


Now for the somewhat bad news: these general approaches can often be bypassed using VPNs and tunnels, so somebody that's knowledgeable can generally get around simple-minded network filters. Which means you can end up blocking more than a little outbound traffic; more than TCP 80 and TCP 443.


Now for somewhat more bad news: Skype uses TCP 80 and TCP 443 (or requires a whole lot of open ports), and specifically to work around filters and blocks and firewalls and related "defenses". Whether you can get that to work by excepting the supernodes, I don't know.


I'd probably sort out what you do and do not want to allow access to as a more general problem, as getting an update server into a DMZ with exceptions enabled is a comparatively small problem — once you achieve the sorts of network blockages you're seeking. None of this stuff is particularly specific to OS X or OS X Server, either.


This configuration will probably involve installing a network gateway with internal filtering capabilities and a network nanny implementation, as well as some work on the internal network configuration. That may well be possible with Fedora, DD-WRT, Tomato or some other similar open source (it's likely best to ask for discussions and tradeoffs of those options elsewhere), and can be implemented with a commercial offering. Your needs here are probably even a little simpler in some ways, as you want and need just a few web connections.

2 replies
Question marked as Best reply

Dec 26, 2013 7:30 AM in response to rminot

IMO, OS X Server won't be a good solution as a network filter. It might be useful here, but it very likely won't be your most appropriate choice as a network-gateway-router system.


FWIW, I'd suggest pursuing this in a Fedora-focused networking forum, in general. This given that's your most common platform.


Assuming wired networks, you can divide up the access via managed switches and a VLAN, or via physical network segmentation. WiFi is somewhat harder to segment, short of having a guest network and a private network; you'd need access points (APs) with two networks configured, one of which allows a little more access, and the other that's presumably restricted to the local IP address space.


There are gateway routers around which allow several different segments to be maintained, but they're generally starting in the ~US$250 range and upwards, and usually expect a little more knowledge of IP networking and related topics than the residential routers that are in common use.


Here is Apple's network port list.


As for the updates, OS X Server can cache those, as can the Reposado tool on a Fedora system.


A common solution involves a web proxy filter, where all connections must pass through that device. The connections used for the OS X Server or Reposado server itself to download updates would need to be programmed to allow access, but the other local OS X clients could be aimed at the local server. In your case, your filter can block all outbound connections to TCP 80 and TCP 443 entirely, save for the specified servers loading updates from their respective upstream sources.


Email is fairly easy, as you'll probably want to block outbound TCP 25, but allow POP via SSL and IMAP via SSL and allow the submission ports (TCP 486 and TCP 587).


Now for the somewhat bad news: these general approaches can often be bypassed using VPNs and tunnels, so somebody that's knowledgeable can generally get around simple-minded network filters. Which means you can end up blocking more than a little outbound traffic; more than TCP 80 and TCP 443.


Now for somewhat more bad news: Skype uses TCP 80 and TCP 443 (or requires a whole lot of open ports), and specifically to work around filters and blocks and firewalls and related "defenses". Whether you can get that to work by excepting the supernodes, I don't know.


I'd probably sort out what you do and do not want to allow access to as a more general problem, as getting an update server into a DMZ with exceptions enabled is a comparatively small problem — once you achieve the sorts of network blockages you're seeking. None of this stuff is particularly specific to OS X or OS X Server, either.


This configuration will probably involve installing a network gateway with internal filtering capabilities and a network nanny implementation, as well as some work on the internal network configuration. That may well be possible with Fedora, DD-WRT, Tomato or some other similar open source (it's likely best to ask for discussions and tradeoffs of those options elsewhere), and can be implemented with a commercial offering. Your needs here are probably even a little simpler in some ways, as you want and need just a few web connections.

Help filtering internet access

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.