wireless MAC record-keeping for URLs

We've got a portable satellite Internet connection that we'd like to share
wirelessly at several remote events this summer. All Internet traffic passes
through a Linux box, so that we have the ability for monitoring and the use
of netfilter/iptables:

Access Point(AP) <-> Linux:eth1 <-> Linux:eth0 <-> satellite modem

The AP will be allowed via MAC addresses only (ACL), so that we can keep a
list of who belongs to what MAC; IP addresses will be DHCP-served by the AP.
What we'd like to accomplish is some sort of record-keeping in order to
protect ourselves in the event that someone uses the connection to visit a
child-porn site or the like, and the FBI comes back on us, the responsible
owner of the satellite connection.

We don't wish to snoop users' content, but only to maintain a concise record
of which MAC address (and thus, $user) connects to a web site, and when. The
AP allows "URL redirection" if needed or desired, as well as remote SNMP
traps and syslog functionality.

Does a transparent proxy seem reasonable? Is "squid" the tool for this task?
And is there a pre-defined filter of some sort that can be applied to
preemptively avoid any known child-porn sites, whatever they may be? And how
might we keep a record on the Linux box of what MAC connects to what URL and
the time and duration of each connection? Does netfilter/iptables serve any
purpose here, and if so, what syntax should be used?

Thanks for any suggestions and/or examples. Much of this is new to us, and
we'd like to get it right the first time out.

On 13 Jun, 16:59, "Patrick" <ptri.c...@statrerv.corn> wrote:
> We've got a portable satellite Internet connection that we'd like to share
> wirelessly at several remote events this summer.
<snip>
> The AP will be allowed via MAC addresses only (ACL), so that we can keep a
> list of who belongs to what MAC; IP addresses will be DHCP-served by the AP.
> What we'd like to accomplish is some sort of record-keeping in order to
> protect ourselves in the event that someone uses the connection to visit a
> child-porn site or the like, and the FBI comes back on us, the responsible
> owner of the satellite connection.
>
<snip>
> Does a transparent proxy seem reasonable? Is "squid" the tool for this task?
> And is there a pre-defined filter of some sort that can be applied to
> preemptively avoid any known child-porn sites, whatever they may be?

No - despite what the FhesPbageby sales guy says. But Dans Guardian
might be a good start.

You should also think about skipping MAC addresses (which are easily
changed) and establish an authenticated session on the proxy. Its
still not perfect but a lot better than host based authentication.
(hint: use the URL re-writer to only allow unmodified - but filtered -
URLs from the user logged on from the IP address through - and do your
logging in the re-writer).

Not sure about the integration with Dans Guardian, but the auth/log
thing is maybe 100 lines of PHP/Perl/....

C.

In news:(E-Mail Removed),
Patrick <ptri.c.k.@statrerv.corn> wrote:

> We've got a portable satellite Internet connection that we'd like to
> share wirelessly at several remote events this summer. All Internet
> traffic passes through a Linux box, so that we have the ability for
> monitoring and the use of netfilter/iptables:
....
> Does a transparent proxy seem reasonable? Is "squid" the tool for
> this task? And is there a pre-defined filter of some sort that can be
> applied to preemptively avoid any known child-porn sites, whatever
> they may be? And how might we keep a record on the Linux box of what
> MAC connects to what URL and the time and duration of each
> connection? Does netfilter/iptables serve any purpose here, and if
> so, what syntax should be used?

http://www.cyberciti.biz/tips/linux-...uid-howto.html
seems perfect, using squidguard and calamaris log analyzer.

Patrick wrote:

> The AP will be allowed via MAC addresses only (ACL), so that we can
> keep a list of who belongs to what MAC; IP addresses will be
> DHCP-served by the AP.

Can the AP keep a log (syslog to the Linux system you described as acting
as your router, perhaps?) of which MAC addresses it provided which IP
addresses to at given times?

> What we'd like to accomplish is some sort of record-keeping in order
> to protect ourselves in the event that someone uses the connection to
> visit a child-porn site or the like, and the FBI comes back on us, the
> responsible owner of the satellite connection.

If the FBI comes back to you, they'll be asking about specific IP
addresses. If you're also NATting, my proposal above isn't much help, I
realize, but you haven't said anything about NAT.

> We don't wish to snoop users' content, but only to maintain a concise
> record of which MAC address (and thus, $user) connects to a web site,
> and when.

You're going to be able to track which IP address accessed which sites
(you could even setup your Linux gateway to provide that kind of
logging, for example), but to associate that back to a MAC address will
depend on your being able to keep a record of which IP addresses are
assigned to which MAC addresses by the DHCP server.

> And how might we keep a record on the Linux box of what MAC connects
> to what URL and the time and duration of each connection? ...

Does anyone know of a tool that can generate NetFlow (compatible) data
from a Linux gateway system? If so, that tool, with analysis from
flow-tools would likely help ... Again, based on IP addresses, though,
not MAC addresses ...

--
----------------------------------------------------------------------
Sylvain Robitaille (E-Mail Removed)

Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------

In news:(E-Mail Removed),
Sylvain Robitaille <(E-Mail Removed)> wrote:

[comp.os.linux.security replaced w/ comp.unix.bsd.netbsd.misc]

>> The AP will be allowed via MAC addresses only (ACL), so that we can
>> keep a list of who belongs to what MAC; IP addresses will be
>> DHCP-served by the AP.
>
> Can the AP keep a log (syslog to the Linux system you described as
> acting as your router, perhaps?) of which MAC addresses it provided
> which IP addresses to at given times?

The syslog records don't include the IP addresses that were DHCP-assigned by
the AP, only the MAC which was "associated", and when. The AP is configured
to _only_ allow DHCP-enabled wireless adapters, so as long as we get the
name of the person who owns the MAC, then all else will follow nicely, it
turns out.

>> What we'd like to accomplish is some sort of record-keeping in order
>> to protect ourselves in the event that someone uses the connection to
>> visit a child-porn site or the like, and the FBI comes back on us,
>> the responsible owner of the satellite connection.
>
> If the FBI comes back to you, they'll be asking about specific IP
> addresses. If you're also NATting, my proposal above isn't much
> help, I realize, but you haven't said anything about NAT.

Yes, we wil be NAT'ing, and that's the motivation behind the need for
keeping strict records about usage.

>> We don't wish to snoop users' content, but only to maintain a concise
>> record of which MAC address (and thus, $user) connects to a web site,
>> and when.
>
> You're going to be able to track which IP address accessed which sites
> (you could even setup your Linux gateway to provide that kind of
> logging, for example), but to associate that back to a MAC address
> will depend on your being able to keep a record of which IP addresses
> are assigned to which MAC addresses by the DHCP server.

It turns out that a nifty program called arpwatch will maintain a database
of MAC/IP address pairs and the times when they first traversed the LAN, as
well as email such notifications when they were modified, "bogon" or
otherwise altered than when first established. We'll use that information to
generate some custom log reports.

We're using NetBSD 3.1 i386 for the workhorse, and almost all components are
up and running currently in test mode. The only remaining task is figure out
the ruleset for ipf port forwarding on the wired interface connected to the
AP so that we can enable transparent http/ftp proxying for squid on port
3128, and NAT on the interface connected to the satellite modem. Several
examples have been found for iptables, and we're hoping to find a useful
example for ipf, if anybody is willing to assist, please.

You are at a higher level than I understand, but this topic brings up
related questions:

1) If you are using HughesNet, for example, with a non-static address,
are you untraceable or not, on the web? Perhaps you have static IP
and that's not relevant, but I'm curious if anybody could ever be
traced in such a configurtion in the first place, and if by sharing
internet you are held accountable in any case for all activities of
everyone on your hotspot.

I don't see how hotspots could work if so. And being a temporary
hotspot makes it even harder to believe that you would ever have a
problem.

2) But that would be my second question: What's the legal exposure in
the US for, say, a free coffee-shop hotspot? Are they responsible for
providing records to the FBI for who visited what site 3:31 pm 3
months ago at their shop and what level of identification is one
legally required to store for each user for what length of time?


Steve

IMHO, authentication is the best option. MAC & IP addresses can be
easily spoofed. But a user is always responible for keeping his
username and password confidential. If he shares it with anybody, who
misuses it, it is his funeral.

I would have used something like squid + dansguardian, or better
still, SafeSquid, since it is a proxy with content filtering and also
allows creation of users from its GUI interface. No point in setting
up and configuring another user database for authentication, if this
is going to be a temp session.

Then I would use url blacklist to block categories like porn and
anonymous proxy, and to be double sure, I would use Keyword Filter to
analyze the websites being visited for unwanted keywords for porn or
anonymous proxies. This will narrow down the chances of users being
able to visit such sites.

Next I would configure a log analyzer like Sarg or Sawmill to generate
per user usage reports, so that I am ready with my reports, if the FBI
arrives.