[CS-FSLUG] Locking down a machine in the Church

Ritchie, Josiah S. jritchie at bible.edu
Fri Sep 8 23:01:45 CDT 2006


> -----Original Message-----
> From: christiansource-bounces at ofb.biz [mailto:christiansource-
> bounces at ofb.biz] On Behalf Of Scott Parks
> Sent: Friday, September 08, 2006 3:39 PM
> To: A Christian virtual Free Software and Linux Users Group.
> Subject: [CS-FSLUG] Locking down a machine in the Church
 
> So, my question is - where do I start and can it be done where I
> force this machine and this machine only to have all traffic
> filtered?  Can
> I simply set up a gateway on a Linux box and tell the Windows machine
> to use it?  They then could modify the gateway to the high
> speed connection (and yes, they would try something like that).
> 
> Looking for some thoughts.....
> 
> Thank you!

First, I agree with Frank. Teach, don't hinder. That's one of the things
that makes Linux great. 

Now, if I were to do this and it really only needs access to one machine,
I'd set a static IP, make sure the students have a limited rights
account and wouldn't set a DNS server. Then, for the few sites this
machine does need access to, I'd set that up in the lmhosts file. This
way they can't resolve anything but what you need to get to and they
can't change that. 

If you have a file server, you could also enforce a policy that stated
all off-subnet access must be done from other machines and the needed
files should simply be placed on the file server to be accessed.

An alternate idea is to let them do whatever they want, but install
DeepFreeze and have all storage of files be on a file server. DeepFreeze
is (so far) unbreakable.

Note: If you have a Linux DHCP server, you can set special parameters to
be given out to the machine so you could actually point it to an
alternate DNS server or specify that it has none there or not set a
default route or any number of other things through DHCP so they would
have further difficulty controlling it and you have greater remote
control of the network settings.

The first idea has the added advantage of not needing to set up a second
box with squid and adding complication to the whole mess. Keep It
Simple.

JSR/
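
Added example, not part of the original message: one way the per-machine DHCP settings described in the note above could look, assuming the Linux DHCP server is ISC dhcpd. The subnet, addresses, host name and MAC address are constructed placeholders.

```conf
# dhcpd.conf fragment (ISC dhcpd syntax assumed; every address and the
# MAC address below are constructed placeholders, not from the thread).
authoritative;
default-lease-time 3600;
max-lease-time 7200;

subnet 192.168.10.0 netmask 255.255.255.0 {
  # Deliberately no "option routers" or "option domain-name-servers"
  # at subnet scope, so the restricted host below inherits neither.

  # Ordinary machines get the normal gateway and DNS from this pool.
  pool {
    range 192.168.10.100 192.168.10.199;
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.1;
  }
}

# The restricted machine, matched by its network card's MAC address.
host restricted-pc {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 192.168.10.50;        # outside the pool range above

  # As written: no default route and no DNS server are handed out,
  # so the machine can only reach hosts on its own subnet.

  # Alternative from the note: hand out an alternate DNS server
  # instead of none (uncomment and adjust).
  # option domain-name-servers 192.168.10.53;
}
```

The file can be syntax-checked with `dhcpd -t -cf <path to file>` before restarting the server.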



