I have been debating connecting the mesh to the internet full time with some of the people in my area. I've found 3 major schools of thought:

1. It should never ever be connected to the internet (I completely disagree with this).
2. It can be connected, but only temporarily in an emergency or for testing purposes (not quite what I'm looking for as an answer).
3. It should be connected at all times.

I'm leaning toward the third option, but to get others to change their mind I've had to prove that we can maintain Part 97 compliance. To that end I started recreating a simple web content filter (I use large, expensive filter appliances like M86, Bluecoat, and Lightspeed all the time in schools because it's required by CIPA, state and federal aid, and E-rate) on an Ubuntu box using iptables, squid, and dansguardian. I have not built the captive portal yet, but I plan to using something like NoCatAuth and some sort of LDAP service. I believe this can all be built into the firmware of the mesh gateway (this is done on DD-WRT regularly) so we don't need a computer between the mesh gateway and the ISP.

It would be cool if filter configs and the LDAP DB could replicate automatically between multiple mesh gateways. It would also be good to have the filter's category files update regularly. So I'm thinking if you enable the gateway mode it configures the use of the content filter and captive portal, and maybe new tabs on the management interface so you can add users by callsign to LDAP, maybe manually link other gateways for synchronization... or find a way to identify other gateways on the mesh and auto sync.

There should be some basic services that do not require a login so served agencies may use it directly. For instance, aprs.fi should be totally open, and perhaps things like Skype, FaceTime, etc., but if you want to do much more on the web you need to log in, and then certain categories of sites are blocked, such as shopping and porn.
I've attached a screenshot of a test of the filter which allows me to google but not Playboy. I (and others I've discussed this with) would very much like to see this built into the next update of the firmware if possible... and I'd love any feedback on the idea.
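As an added example (not part of this post or of the mesh firmware), here is how the "open services, login by callsign, then category blocking" policy described above could be expressed as a squid external ACL helper in Python; the callsigns, the open-host list and the category entries are constructed placeholders standing in for the LDAP directory and the dansguardian category files.

```python
#!/usr/bin/env python3
"""Squid external ACL helper for the mesh gateway policy sketched above.

With a squid.conf along the lines of
  external_acl_type mesh_policy %DST %LOGIN /usr/local/bin/mesh_policy.py
  acl mesh_ok external mesh_policy
  http_access allow mesh_ok
  http_access deny all
squid hands this helper one line per request, "<destination host> <login or ->",
and expects a reply of OK (permit) or ERR (deny) for each line.
"""
import sys

# Services served agencies may reach without logging in (constructed list).
OPEN_HOSTS = {"aprs.fi"}

# Callsigns the captive portal accepts; stands in for the LDAP directory.
KNOWN_CALLSIGNS = {"N0CALL", "W1AW"}  # constructed sample values

# Category lists blocked even for logged-in users; constructed samples in
# place of the dansguardian category files, which would be loaded here.
BLOCKED_CATEGORIES = {
    "porn": {"playboy.com"},
    "shopping": {"amazon.com", "ebay.com"},
}

def host_matches(host, entry):
    """True if host equals entry or is a subdomain of it (www.playboy.com)."""
    host = host.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)

def category_of(host):
    """Return the blocked category name for host, or None if it is in none."""
    for name, hosts in BLOCKED_CATEGORIES.items():
        if any(host_matches(host, h) for h in hosts):
            return name
    return None

def decide(host, login):
    """Return (verdict, reason) for one request; verdict is 'OK' or 'ERR'."""
    if any(host_matches(host, h) for h in OPEN_HOSTS):
        return "OK", "open service"           # no login needed, e.g. aprs.fi
    if login in ("-", "", None) or login.upper() not in KNOWN_CALLSIGNS:
        return "ERR", "login required"        # squid sends '-' when not logged in
    cat = category_of(host)
    if cat:
        return "ERR", "blocked category " + cat
    return "OK", "allowed"

def helper_line(line):
    """Map one squid request line '<host> <login>' to the helper's reply."""
    parts = line.split()
    host = parts[0] if parts else ""
    login = parts[1] if len(parts) > 1 else "-"
    return decide(host, login)[0]

if __name__ == "__main__":
    for request in sys.stdin:           # squid keeps the helper running
        sys.stdout.write(helper_line(request) + "\n")
        sys.stdout.flush()              # reply must not sit in a buffer
```

Redirecting unauthenticated users to the portal page instead of a plain deny would be done in squid with a deny_info rule on the same ACL, which is outside this example.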