Re: [K12OSN] nat

["Terrell Prude', Jr." <microman cmosnetworks com>]

Then your NAT/PAT setup will get ugly, and I wouldn't recommend doing it 
on the K12LTSP server itself, unless you're already pretty darned good 
with iptables.  However, I can think of two much easier solutions to this.

1.)  Have the teachers on standalone GNU/Linux workstations, and then 
they won't be sitting behind a PAT'ing box (the K12LTSP server).  Have 
the kids on K12LTSP servers, though.

2.)  Put all of the teachers on one K12LTSP server, where the "teacher" 
thin clients are on a separate VLAN, and just permanently bypass the 
filter for that specific "teachers-only" K12LTSP server.  Since they can 
bypass the filter anyway at will, you're not losing anything here.

--TP

Mark Gumprecht wrote:

> The Bess system is maintained by the Maine School and Library Network 
> (MSLN), they also supply our ip ranges and DHCP. Teachers are assigned 
> override passwords to bypass the filter for research purposes. If I 
> nat all, when a teacher overides the filter for their personal reasons 
> on one internal computer, it would override the filter for everyone 
> because the gateway machine is the only seen ip to the externally kept 
> filter. I can purchase my own filter, but money is not there. I could 
> set up my own, time's a commodity. MSLN already manages the filter and 
> offers it to us at no extra charge. Eventually I will go to my own 
> setup, but that is not possibly at this point. I do transparent proxy 
> by using my sonicwall to forward to my proxy. I watch the  SARG logs 
> to see if there is anybody trying to proxy by the filter by bouncing 
> off their own proxy machine at home. I hope this is not too wordy and 
> that it is what you meant.
> Mark
>
> Terrell Prude', Jr. wrote:
>
> > We do content filtering as well, in our case, with Symantec Web 
> > Security (ugh--not my decision).  Tell us more about your Bess 
> > filtering system, how it's set up, are you doing transparent proxy, 
> > and how you believe someone could "override" the filter.
> >
> > --TP
> >
> > Mark Gumprecht wrote:
> >
> > > One hurdle to cross with the admin on LTSP is content filtering. I 
> > > have the bess filtering system setup external to my network. If 
> > > someone overrides the filter on a terminal does everyone get by?  Is 
> > > one-to-one nat the answer?
> > > Thanks in advance.
> > > Mark