[K12OSN] nat

Terrell Prude', Jr. microman at cmosnetworks.com
Tue Apr 27 23:29:59 UTC 2004

Then your NAT/PAT setup will get ugly, and I wouldn't recommend doing it 
on the K12LTSP server itself, unless you're already pretty darned good 
with iptables.  However, I can think of two much easier solutions to this.

1.)  Have the teachers on standalone GNU/Linux workstations, and then 
they won't be sitting behind a PAT'ing box (the K12LTSP server).  Have 
the kids on K12LTSP servers, though.

2.)  Put all of the teachers on one K12LTSP server, where the "teacher" 
thin clients are on a separate VLAN, and just permanently bypass the 
filter for that specific "teachers-only" K12LTSP server.  Since they can 
bypass the filter anyway at will, you're not losing anything here.


Mark Gumprecht wrote:

> The Bess system is maintained by the Maine School and Library Network 
> (MSLN); they also supply our IP ranges and DHCP. Teachers are assigned 
> override passwords to bypass the filter for research purposes. If I 
> NAT all, when a teacher overrides the filter for their personal reasons 
> on one internal computer, it would override the filter for everyone 
> because the gateway machine is the only seen IP to the externally kept 
> filter. I can purchase my own filter, but money is not there. I could 
> set up my own, time's a commodity. MSLN already manages the filter and 
> offers it to us at no extra charge. Eventually I will go to my own 
> setup, but that is not possible at this point. I do transparent proxy 
> by using my sonicwall to forward to my proxy. I watch the SARG logs 
> to see if there is anybody trying to proxy by the filter by bouncing 
> off their own proxy machine at home. I hope this is not too wordy and 
> that it is what you meant.
> Mark
> Terrell Prude', Jr. wrote:
>> We do content filtering as well, in our case, with Symantec Web 
>> Security (ugh--not my decision).  Tell us more about your Bess 
>> filtering system, how it's set up, are you doing transparent proxy, 
>> and how you believe someone could "override" the filter.
>> --TP
>> Mark Gumprecht wrote:
>>> One hurdle to cross with the admin on LTSP is content filtering. I 
>>> have the Bess filtering system set up external to my network. If 
>>> someone overrides the filter on a terminal does everyone get by?  Is 
>>> one-to-one NAT the answer?
>>> Thanks in advance.
>>> Mark

