wireless MAC record-keeping for URLs

We've got a portable satellite Internet connection that we'd like to share wirelessly at several remote events this summer. All Internet traffic passes through a Linux box, so that we have the ability for monitoring and the use of netfilter/iptables:

Access Point (AP) -- Linux:eth1 | Linux:eth0 -- satellite modem

The AP will be allowed via MAC addresses only (ACL), so that we can keep a list of who belongs to what MAC; IP addresses will be DHCP-served by the AP. What we'd like to accomplish is some sort of record-keeping in order to protect ourselves in the event that someone uses the connection to visit a child-p*rn site or the like, and the FBI comes back on us, the responsible owner of the satellite connection.

We don't wish to snoop users' content, but only to maintain a concise record of which MAC address (and thus, $user) connects to a web site, and when. The AP allows "URL redirection" if needed or desired, as well as remote SNMP traps and syslog functionality.

Does a transparent proxy seem reasonable? Is "squid" the tool for this task? And is there a pre-defined filter of some sort that can be applied to preemptively avoid any known child-p*rn sites, whatever they may be? And how might we keep a record on the Linux box of what MAC connects to what URL and the time and duration of each connection? Does netfilter/iptables serve any purpose here, and if so, what syntax should be used?

Thanks for any suggestions and/or examples. Much of this is new to us, and we'd like to get it right the first time out.

Reply to
Patrick

No - despite what the FhesPbageby sales guy says. But Dans Guardian might be a good start.

You should also think about skipping MAC addresses (which are easily changed) and establish an authenticated session on the proxy. It's still not perfect but a lot better than host-based authentication. (hint: use the URL re-writer to only allow unmodified - but filtered - URLs from the user logged on from the IP address through - and do your logging in the re-writer).

Not sure about the integration with Dans Guardian, but the auth/log thing is maybe 100 lines of PHP/Perl/....

C.

Reply to
C.

...

Perfect, using squidguard and calamaris log analyzer.

Reply to
Patrick

Can the AP keep a log (syslog to the Linux system you described as acting as your router, perhaps?) of which MAC addresses it provided which IP addresses to at given times?

If the FBI comes back to you, they'll be asking about specific IP addresses. If you're also NATting, my proposal above isn't much help, I realize, but you haven't said anything about NAT.

You're going to be able to track which IP address accessed which sites (you could even set up your Linux gateway to provide that kind of logging, for example), but to associate that back to a MAC address will depend on your being able to keep a record of which IP addresses are assigned to which MAC addresses by the DHCP server.

Does anyone know of a tool that can generate NetFlow (compatible) data from a Linux gateway system? If so, that tool, with analysis from flow-tools would likely help ... Again, based on IP addresses, though, not MAC addresses ...

Reply to
Sylvain Robitaille
[comp.os.linux.security replaced w/ comp.unix.bsd.netbsd.misc]

The syslog records don't include the IP addresses that were DHCP-assigned by the AP, only the MAC which was "associated", and when. The AP is configured to _only_ allow DHCP-enabled wireless adapters, so as long as we get the name of the person who owns the MAC, then all else will follow nicely, it turns out.

Yes, we will be NAT'ing, and that's the motivation behind the need for keeping strict records about usage.

It turns out that a nifty program called arpwatch will maintain a database of MAC/IP address pairs and the times when they first traversed the LAN, as well as email notifications when they are modified, "bogon" or otherwise altered from when first established. We'll use that information to generate some custom log reports.

We're using NetBSD 3.1 i386 for the workhorse, and almost all components are up and running currently in test mode. The only remaining task is to figure out the ruleset for ipf port forwarding on the wired interface connected to the AP so that we can enable transparent http/ftp proxying for squid on port 3128, and NAT on the interface connected to the satellite modem. Several examples have been found for iptables, and we're hoping to find a useful example for ipf, if anybody is willing to assist, please.
Reply to
Patrick
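Sylvain's point above (squid logs client IPs, so the MAC comes only from a separate IP-to-MAC record) and Patrick's plan to build custom reports from arpwatch data both come down to the same join: for each proxy request, find which MAC held the client IP at that moment. The script below is an added example written for this thread, not code from squid, arpwatch or the original posters. The MAC/IP observation table and the squid access.log lines are constructed sample data; the observation layout ("mac ip first-seen-epoch hostname") is an assumption for the example, and a real deployment would parse arpwatch's syslog "new station" / "changed ethernet address" messages, which carry the time a pairing appeared.

```python
#!/usr/bin/env python3
"""Join squid access.log entries to the MAC that held each client IP at the
time of the request, so the record kept is (MAC, time, site, duration)
rather than (IP, time, site).  Example code for this thread, not a tool
from the squid or arpwatch projects."""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed MAC/IP observations, layout assumed for this example:
# "<mac> <ip> <first-seen epoch> <hostname>".  The third line records
# laptop-b taking over 192.168.1.101 an hour after laptop-a first had it.
ARP_OBSERVATIONS = """\
00:11:22:33:44:55 192.168.1.101 1181000000 laptop-a
66:77:88:99:aa:bb 192.168.1.102 1181000100 laptop-b
66:77:88:99:aa:bb 192.168.1.101 1181003600 laptop-b
"""

# Constructed squid access.log lines in squid's native log format:
# <epoch.ms> <elapsed ms> <client ip> <code/status> <bytes> <method> <url> ...
ACCESS_LOG = """\
1181000500.123    250 192.168.1.101 TCP_MISS/200 1234 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1181000600.456   1200 192.168.1.102 TCP_MISS/200 5678 GET http://example.net/a.png - DIRECT/93.184.216.35 image/png
1181004000.789    300 192.168.1.101 TCP_MISS/200 4321 GET http://example.org/ - DIRECT/93.184.216.36 text/html
1181004100.000    100 192.168.1.103 TCP_MISS/200 111 GET http://example.org/ - DIRECT/93.184.216.36 text/html
"""


def load_observations(text):
    """Return {ip: (sorted first-seen epochs, MACs in the same order)}."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        mac, ip, seen, *_ = line.split()
        by_ip[ip].append((int(seen), mac.lower()))
    index = {}
    for ip, pairs in by_ip.items():
        pairs.sort()
        index[ip] = ([t for t, _ in pairs], [m for _, m in pairs])
    return index


def mac_for(index, ip, when):
    """MAC that most recently took over `ip` at or before epoch `when`, or None.

    Using the latest pairing not later than the request time is what makes
    the join hold up when an IP is re-leased to a different adapter."""
    if ip not in index:
        return None
    times, macs = index[ip]
    pos = bisect_right(times, when) - 1
    return macs[pos] if pos >= 0 else None


def correlate(access_log, observations):
    """Yield (mac, UTC time, host, elapsed ms) for each squid request line."""
    index = load_observations(observations)
    for line in access_log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated lines rather than crash
        ts, elapsed, ip, url = float(fields[0]), int(fields[1]), fields[2], fields[6]
        # CONNECT lines log "host:port" instead of a URL; keep them as-is.
        host = urlsplit(url).hostname or url
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        yield (mac_for(index, ip, int(ts)) or "UNKNOWN", when, host, elapsed)


def usage_by_mac(records):
    """Aggregate [total elapsed ms, request count] per (mac, host)."""
    totals = defaultdict(lambda: [0, 0])
    for mac, _, host, elapsed in records:
        totals[(mac, host)][0] += elapsed
        totals[(mac, host)][1] += 1
    return dict(totals)


if __name__ == "__main__":
    rows = list(correlate(ACCESS_LOG, ARP_OBSERVATIONS))
    for row in rows:
        print("%s %s %s %dms" % row)
    for (mac, host), (ms, n) in sorted(usage_by_mac(rows).items()):
        print("%s %s requests=%d total=%dms" % (mac, host, n, ms))
```

Two things the output makes visible: the third request from 192.168.1.101 is attributed to laptop-b, because the observation table shows it took over that address before the request, and a request from an IP with no observation at all is reported as UNKNOWN rather than silently dropped, which is the case to investigate since the AP is supposed to admit only listed MACs. Because the box is NATting, the squid log plus this join answers "which MAC fetched which site when"; a question about the public address alone still needs the gateway's own NAT or connection logs on top of this.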

You are at a higher level than I understand, but this topic brings up related questions:

1) If you are using HughesNet, for example, with a non-static address, are you untraceable or not, on the web? Perhaps you have static IP and that's not relevant, but I'm curious if anybody could ever be traced in such a configuration in the first place, and if by sharing internet you are held accountable in any case for all activities of everyone on your hotspot.

I don't see how hotspots could work if so. And being a temporary hotspot makes it even harder to believe that you would ever have a problem.

2) But that would be my second question: What's the legal exposure in the US for, say, a free coffee-shop hotspot? Are they responsible for providing records to the FBI for who visited what site 3:31 pm 3 months ago at their shop and what level of identification is one legally required to store for each user for what length of time?

Steve

Reply to
seaweedsteve

IMHO, authentication is the best option. MAC & IP addresses can be easily spoofed. But a user is always responsible for keeping his username and password confidential. If he shares it with anybody, who misuses it, it is his funeral.

I would have used something like squid + dansguardian, or better still, SafeSquid, since it is a proxy with content filtering and also allows creation of users from its GUI interface. No point in setting up and configuring another user database for authentication, if this is going to be a temp session.

Then I would use url blacklist to block categories like p*rn and anonymous proxy, and to be double sure, I would use Keyword Filter to analyze the websites being visited for unwanted keywords for p*rn or anonymous proxies. This will narrow down the chances of users being able to visit such sites.

Next I would configure a log analyzer like Sarg or Sawmill to generate per user usage reports, so that I am ready with my reports, if the FBI arrives.

Reply to
sean
