Broadband-Hamnet™ Forum :: Firmware
 Subject :Feature request: Content filtering and captive portal on mesh gateway.. 2013-09-28- 05:37:51 
KD2BVA
Member
Joined: 2013-06-04- 11:35:04
Posts: 3
Location: Queensbury, NY, USA

I have been debating connecting the mesh to the internet full time with some of the people in my area. I've found 3 major schools of thought.

1: it should never ever be connected to the internet (I completely disagree with this)

2: it can be connected but only temporarily in an emergency or for testing purposes (not quite what I'm looking for as an answer)

3: it should be connected at all times

I'm leaning toward the third option there, but to get others to change their mind I've had to prove that we can maintain Part 97 compliance. To that end I started recreating a simple web content filter (I use large, expensive filter appliances like M86, Bluecoat, and Lightspeed all the time in schools because it's required by CIPA, state and federal aid, and E-rate) on an Ubuntu box using iptables, squid, and dansguardian. I have not built the captive portal yet, but I plan to, using something like nocatauth and some sort of LDAP service.

I believe this can all be built in to the firmware of the mesh gateway (this is done on DD-WRT regularly) so we don't need a computer between the mesh gateway and the ISP. It would be cool if filter configs and the LDAP DB could replicate automatically between multiple mesh gateways. It would also be good to have the filter's category files update regularly.

So I'm thinking if you enable the gateway mode it configures the use of the content filter and captive portal, and maybe new tabs on the management interface so you can add users by callsign to LDAP, maybe manually link other gateways for synchronization... or find a way to identify other gateways on the mesh and auto sync. 

There should be some basic services that do not require a login so served agencies may use it directly. for instance aprs.fi should be totally open, and perhaps things like skype, facetime, etc. but if you want to do much more on the web you need to login and then certain categories of sites are blocked such as shopping and porn.

I've attached a screenshot of a test of the filter which allows me to google but not playboy.

I (and others I've discussed this with) would very much like to see this built into the next update of the firmware if possible... and I'd love any feedback on the idea.



Attachments
 Filter test.jpg [148 KB] :: Filter test screenshot
IP Logged
Last Edited On: 2013-09-28- 06:18:09 By KD2BVA for the Reason
 Subject :Re:Feature request: Content filtering and captive portal on mesh gatew.. 2013-09-29- 16:07:48 
va3idl
Member
Joined: 2013-04-14- 07:22:02
Posts: 23
Location
Subject :Re:Feature request: Content filtering and captive portal on mesh gateway

I believe it must be on the net at all times, but for only a limited pre-defined number of services allowed, with others banned by default. Don't forget that skype is encrypted, so is a no go. So is https. Then a lot of web sites carry banners which is strictly speaking commercial advertisement. You don't want to carry that over the ham link. Besides I don't really understand why you are willing to identify stations and use LDAP. If playboy is not an acceptable content for ham (btw, why wouldn't it be?), then it is not good for every ham. Why impose authentication?
IP Logged
 Subject :Re:Feature request: Content filtering and captive portal on mesh gatew.. 2013-09-30- 09:40:23 
AD7PE
Member
Joined: 2013-09-27- 10:27:39
Posts: 10
Location
Subject :Re:Feature request: Content filtering and captive portal on mesh gateway

BBHN is just OpenWRT, of which dd-wrt is a branch. You should be able to get a proxy set up using the openwrt documentation. It appears Squid is available, iptables is already on your node, I'm not sure about dansguardian. Nocatsplash is available, as are a few other splash pages, LDAP may be a stretch. http://wiki.openwrt.org/doc/howto/proxy.overview
IP Logged
 Subject :Re:Feature request: Content filtering and captive portal on mesh gatew.. 2013-10-20- 07:11:43 
kv4pc
Member
Joined: 2013-09-30- 20:06:03
Posts: 47
Location: Madison, AL
 
Subject :Re:Feature request: Content filtering and captive portal on mesh gateway

Folks:

I think it would be a productive activity to begin listing domains that are unambiguously "Part 97 friendly". Frankly IMHO if we can't figure out how to connect Broadband Hamnet to the public internet for some purposes 24/7 we have failed. In order to keep this from just being a drive-by suggestion, I am going to throw out some domains, however obvious they may be. We have got to start somewhere. I think it would be very good if BBHN eventually added a community-controlled and policed sanity list that could be pointed to by node firewalls on a default basis to automagically cover Part 97 internet access:

ALLOW LIST

aprs.net

aprs2.net

iaprs.net

echolink.org

irlp.net

KD2BVA says that aprs.fi should be totally open. While I strongly agree with the utility of that, I also believe that if we are to make aprs.fi "Part 97 pristine" we need to figure out how to punch out those Ad Choice inserts. Same thing with findu.com. Care needs to be taken with this.

73

Bob KV4PC

IP Logged
Last Edited On: 2013-10-21- 06:49:07 By kv4pc for the Reason
 Subject :Re:Feature request: Content filtering and captive portal on mesh gatew.. 2013-10-20- 07:54:46 
va3idl
Member
Joined: 2013-04-14- 07:22:02
Posts: 23
Location
Subject :Re:Feature request: Content filtering and captive portal on mesh gateway

I just tried to open aprs.fi and see what's going on with those "Ad Choice inserts". It turns out, if you just allow aprs.fi, you get an empty site. Below is a minimum list of domains to allow to make aprs.fi work:

  1. aprs.fi
  2. cloudfront.net
  3. maps.googleapis.com
  4. ajax.googleapis.com
  5. gstatic.com
  6. mt0.googleapis.com
  7. mt1.googleapis.com
  8. googletagservices.com

The website is also requesting googleadservices.com, doubleclick.net and googlesyndication.com which will pull two commercial banners for you, but you can go without them.

My point here is that websites nowadays are often more than just one single domain; they pull parts from all over the Internet (e.g. jscripts and maps from google, some apps from facebook, etc.), so if you start blocking, things will often stop working.

One other possible approach is to allow (and make sure it works) only ham-related websites without bothering to cut the commercials, or making it fully compliant otherwise. This would be enough to not be interesting for general public, and other hams generally do behave. So as long as there is no conflict or service abuse, there will be no investigation from the FCC and everyone will be fine even when it's not strictly compliant up to the letter.

IP Logged
 Subject :Re:Feature request: Content filtering and captive portal on mesh gatew.. 2013-10-22- 04:14:05 
KD2BVA
Member
Joined: 2013-06-04- 11:35:04
Posts: 3
Location: Queensbury, NY, USA
Subject :Re:Feature request: Content filtering and captive portal on mesh gateway

Oh yes I'm fully aware of the fact that many sites use multiple domains for content and that it's not quite as simple as saying aprs.fi is open. I was just giving an example. The ads are one of the categories I would set the content filter(s) to block. Blocking some components of a site can end up breaking the layout of some sites... we sometimes have trouble with wikipedia when schools block too many/the wrong categories.

Yes all of this can and should be done. My point with this was to see if it was possible to have it built into the mesh firmware for the next version. Until then I plan on using another solution in-line between the ISP and the internet port on the gateway node(s). This could be one I build from scratch (which I'd like to avoid) or something like pfsense or endian community. I've also talked to one of the eastern US sales reps for smoothwall and may be able to get their software free or dramatically discounted if I'm willing to do a case study writeup... we'll see how that goes.

IP Logged
Last Edited On: 2013-10-22- 04:21:41 By KD2BVA for the Reason
 Subject :Re:Feature request: Content filtering and captive portal on mesh gatew.. 2013-10-23- 10:32:59 
KG1L
Member
Joined: 2013-06-28- 12:53:53
Posts: 18
Location: Owings, MD
Subject :Re:Feature request: Content filtering and captive portal on mesh gateway

Ultimately, it is the owner of the Internet gateway node who has to keep inappropriate content off of the mesh. For this reason, I do not plan to provide Internet access from my node that could do it. Likewise, the solution should be implemented at the gateway, not on all nodes.

No one should provide complete, unsupervised access to the Internet from his or her node. This is just asking for trouble.

There are ways that the Internet can be used. Each would have its own issues to deal with.

1. Run a email server that can take email from the mesh and route it through the Internet, and vice versa.

2. Run an echolink node that can be accessed from the mesh.

3. Run a proxy server with a white list, and ad stripping scripts (I don't remember what it was called, but I once had a proxy server (browser add-on, maybe) that took an incoming web page and "cleaned it up" before displaying it in the browser. The clean up was configurable, but it could remove ads of known dimensions (banner ads) and remove tracking devices (1x1 pixel transparent jpegs).)

The last one might require modification to the BBHN node software. The way I understand it, Internet access is provided by the "closest" gateway node. If you could pick the gateway node, different nodes could offer different Internet content.

Offering an Internet gateway should not be done without understanding what it means.  It looks like you are asking some of the right questions.  Good luck to you.

 

73 de KG1L
Karl

IP Logged
 Subject :Re:Feature request: Content filtering and captive portal on mesh gatew.. 2013-10-26- 05:51:24 
kv4pc
Member
Joined: 2013-09-30- 20:06:03
Posts: 47
Location: Madison, AL
 
Subject :Re:Feature request: Content filtering and captive portal on mesh gateway

The node has a firewall service that becomes active if the node WAN port is connected to an external network. It would be easy enough to hook a file from an internet server if the external net happened to be the internet. Once loaded, or at least accessible, the gateway node would have its allow deny config. The outside file could be a community-defined list of services or addresses that meet Part 97 acceptability. If the node is not a gateway, or not on the internet, then the file is not attached.

Individual users could:

a) enable it and live with what is in it

b) amend it up or down to suit personal or immediate needs or satisfy a served agency during an emergency using a local include file.

c) point to something else entirely (think Katrina Remediation effort or the ARRL list or Radio Society of Great Britain list or CQ Magazine's list or...)

d) disable it and exercise personal purely local control.

My thoughts on how to do it. I believe large scale consistency in how internet access controls are implemented could be a key feature of BBHN.

More on scenario (b): Here in Huntsville, after the tornadoes of April 27, 2011, power and most forms of communications were down for over a week. Doctors working at an aid station equipped with ARES volunteers desperately wanted access to online prescription medication information. It proved to be very awkward to pass traffic of this sort by voice. A FEMA satellite truck with open WIFI was operating about 2 miles away. A couple or 3 BBHN equipped cars strategically parked could have connected the docs with their "PDR" information. The nature of the situation was such that it would have warranted opening up gateway nodes to let through most anything.

A static and well placed mesh backbone is what we are thinking of establishing locally. A techno-toy under most situations, but "When All Else Fails...", well, you know the rest...

Cheers;

Bob KV4PC

IP Logged
Last Edited On: 2013-10-26- 05:55:29 By kv4pc for the Reason
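Building on kv4pc's idea of a community-maintained allow list that a gateway node can enable, amend with a local include, point elsewhere, or disable, and on va3idl's finding that aprs.fi only renders once several supporting domains are allowed, here is an added example that is not from this thread nor from the BBHN/OpenWrt firmware: a POSIX shell script that merges a community list with a local include and emits a squid `dstdomain` ACL for the gateway's proxy. The `+domain`/`-domain` include syntax, the sample lists and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not BBHN/OpenWrt project code). Builds a gateway allow list from
# a community-maintained list plus a local include, then emits a squid ACL.
# The "+domain" / "-domain" include syntax is this example's own convention.

# Constructed sample: the community list (the domains kv4pc proposed). In practice
# this would be fetched from whichever list the node owner points at (scenario c).
COMMUNITY_LIST='aprs.net
aprs2.net
iaprs.net
echolink.org
irlp.net'

# Constructed sample: a local include that amends the list up (the domains va3idl
# found aprs.fi needs) and down (dropping one service) -- kv4pc's scenario (b).
LOCAL_INCLUDE='+aprs.fi
+cloudfront.net
+maps.googleapis.com
+ajax.googleapis.com
+gstatic.com
+mt0.googleapis.com
+mt1.googleapis.com
+googletagservices.com
-irlp.net'

# merge_allow_list COMMUNITY LOCAL -> unique allowed domains, one per line.
# Community entries plus "+" additions, minus any "-" removals from the include.
merge_allow_list() {
    adds=$(printf '%s\n' "$2" | sed -n 's/^+//p')
    removes=$(printf '%s\n' "$2" | sed -n 's/^-//p')
    printf '%s\n%s\n' "$1" "$adds" | grep -v '^[[:space:]]*$' | sort -u |
    while read -r d; do
        # drop the domain if it appears verbatim in the removal set
        printf '%s\n' "$removes" | grep -qxF "$d" || printf '%s\n' "$d"
    done
}

# squid_acl COMMUNITY LOCAL -> squid "dstdomain" ACL lines for the merged list.
# The leading dot makes squid match subdomains too, so that allowing gstatic.com
# also covers e.g. fonts.gstatic.com instead of silently breaking the page.
squid_acl() {
    printf 'acl part97_allow dstdomain'
    merge_allow_list "$1" "$2" | sed 's/^/ ./' | tr -d '\n'
    printf '\nhttp_access allow part97_allow\nhttp_access deny all\n'
}

# Usage on the gateway: squid_acl "$COMMUNITY_LIST" "$LOCAL_INCLUDE" >> squid.conf
```

Disabling the community list (scenario d) is just passing an empty first argument, so only the local include remains in force.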
 Subject :Re:Feature request: Content filtering and captive portal on mesh gatew.. 2013-10-29- 11:10:55 
KD2BVA
Member
Joined: 2013-06-04- 11:35:04
Posts: 3
Location: Queensbury, NY, USA
Subject :Re:Feature request: Content filtering and captive portal on mesh gateway

OK, here you go. This (or something similar) should be in-line between any/all mesh gateways and an ISP (in this case the "green interface" facing the mesh, the "red interface" facing the internet): http://www.endian.com/us/community/download/efw/
IP Logged