
Providing a Whitelisted Wireless Hotspot? 58

Ploxis writes "I volunteer some of my day managing a small network (and a ragtag band of computers) for a local nonprofit. I have been asked to set up a second, open, independent wireless network on site that will provide cost-free broadband Internet access to patrons. The catch is that they want to provide access only to a select group of about 25 websites while disallowing everything else. No objectionable sites, no mundane but non-relevant sites such as online banking or YouTube, and no other activities such as P2P or IM. They only want HTTP and HTTPS activity from a set of whitelisted websites." For the rest of Ploxis's question and his initial thoughts on making this happen, read on below.
"They'd also like any non-whitelisted URL to be redirected to a 'splash page,' which would just be some HTML providing a list of allowed sites by category. I'd host this page internally on the network. Their primary concerns are liability for access of illegal/objectionable materials and conserving their bandwidth, while still providing access to specific relevant tools online. My initial thought was simply an open wireless router, a set of remarkably restrictive firewall rules, and an in-house server as a custom DNS ... but that's pretty shaky (i.e. anyone specifying their own DNS can still get at whatever they want). I assume they'll need a router with some pretty significant traffic management capabilities as well, but that's not something I've investigated before. Anyone's experiences, recommendations, case studies, or maps of similar networks would be greatly appreciated."
  • Re:Forget it (Score:3, Insightful)

    by halsver ( 885120 ) on Thursday August 21, 2008 @06:20PM (#24696761)

    One of the requirements is that this is wireless. So he wants to cut out the random interlopers leeching his bandwidth.

  • Re:Forget it (Score:5, Insightful)

    by Qzukk ( 229616 ) on Thursday August 21, 2008 @06:21PM (#24696783) Journal

    If it's only 25 sites (and not going to turn into "hundreds") then why play whack-a-mole? Set the default to Deny, look up those 25 IP addresses, and allow only 80 and 443 to those sites. That gets you 90% of the way there (the remaining 10% being virtualhosts on the same IPs). The rest of the IPs can be rewritten to a local webserver, which either is dedicated to this purpose or uses namebased virtual hosts to have its own website, then the "default" vhost being the message you're putting up.

    Make a simple script to add and remove IPs from the list and reload the rules, write down instructions on "What to do if www.foo.com stops working" or "What to do if you want to add www.baz.com", and you're done.

    There are probably dozens of ways to actually implement this. Most of them will involve either custom wireless router firmware, or the wireless router plugged into a "real" router.
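    Qzukk's default-deny approach, worked up as an added example of the rule generation (this script is not from the thread or from any project it mentions). It emits an iptables-restore file that allows only ports 80 and 443 to the whitelisted addresses, rewrites any other port-80 request to a local splash page, and also forces every DNS query from the hotspot through the in-house resolver, which covers the "anyone specifying their own DNS" hole from the original question. The interface names wlan0 and eth0, the router address 192.168.50.1 (serving both the splash page and the resolver) and the host-to-address map are constructed assumptions; the map stands in for the periodic DNS lookups a real deployment would run.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread: build an iptables-restore
# ruleset for a default-deny hotspot with a site whitelist and splash page.
# All names, addresses and the host->IP map below are assumed/constructed.

HOTSPOT_IF="wlan0"        # assumed: the open wireless interface
WAN_IF="eth0"             # assumed: uplink interface
SPLASH_IP="192.168.50.1"  # assumed: router address hosting the splash page
DNS_IP="192.168.50.1"     # assumed: in-house resolver patrons are forced to use

# Constructed whitelist (host=ip,ip,...). In production, refresh this from
# `getent ahosts HOST` on a schedule, since large sites rotate addresses.
WHITELIST="www.example.org=198.51.100.10,198.51.100.11
www.example.net=203.0.113.7"

# resolve_host NAME -> prints the comma-separated IPs recorded for NAME
resolve_host() {
    printf '%s\n' "$WHITELIST" | awk -F= -v h="$1" '$1 == h { print $2 }'
}

# for_each_whitelisted_ip FORMAT -> printf FORMAT once per whitelisted IP
for_each_whitelisted_ip() {
    fmt=$1
    printf '%s\n' "$WHITELIST" | while IFS='=' read -r host ips; do
        [ -n "$host" ] || continue
        old_ifs=$IFS; IFS=','
        for ip in $ips; do
            printf -- "$fmt" "$HOTSPOT_IF" "$ip"
        done
        IFS=$old_ifs
    done
}

# build_ruleset -> prints an iptables-restore file to stdout
build_ruleset() {
    printf '*nat\n'
    printf ':PREROUTING ACCEPT [0:0]\n'
    printf ':POSTROUTING ACCEPT [0:0]\n'
    # Every DNS query from the hotspot is answered by our resolver, whatever
    # server the patron configured on the client.
    printf -- '-A PREROUTING -i %s -p udp --dport 53 -j DNAT --to-destination %s:53\n' "$HOTSPOT_IF" "$DNS_IP"
    printf -- '-A PREROUTING -i %s -p tcp --dport 53 -j DNAT --to-destination %s:53\n' "$HOTSPOT_IF" "$DNS_IP"
    # Whitelisted destinations leave the NAT table untouched (RETURN).
    for_each_whitelisted_ip '-A PREROUTING -i %s -d %s -p tcp -m multiport --dports 80,443 -j RETURN\n'
    # Any other plain-HTTP request is rewritten to the splash page.
    printf -- '-A PREROUTING -i %s -p tcp --dport 80 -j DNAT --to-destination %s:80\n' "$HOTSPOT_IF" "$SPLASH_IP"
    printf -- '-A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
    printf 'COMMIT\n'

    printf '*filter\n'
    printf ':INPUT ACCEPT [0:0]\n'
    printf ':FORWARD DROP [0:0]\n'
    # The router itself only offers DNS and the splash page to the hotspot.
    printf -- '-A INPUT -i %s -p udp --dport 53 -j ACCEPT\n' "$HOTSPOT_IF"
    printf -- '-A INPUT -i %s -p tcp --dport 53 -j ACCEPT\n' "$HOTSPOT_IF"
    printf -- '-A INPUT -i %s -p tcp --dport 80 -j ACCEPT\n' "$HOTSPOT_IF"
    printf -- '-A INPUT -i %s -j DROP\n' "$HOTSPOT_IF"
    # Replies to allowed flows come back; new flows only to the whitelist.
    printf -- '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    for_each_whitelisted_ip '-A FORWARD -i %s -d %s -p tcp -m multiport --dports 80,443 -j ACCEPT\n'
    printf 'COMMIT\n'
}

# Usage: sh whitelist-rules.sh | sudo iptables-restore
build_ruleset
```

    Note the limits the thread itself points out: HTTPS to a non-whitelisted host is simply dropped rather than redirected, since the splash page cannot be served for a TLS connection to another name; a whitelisted address that also hosts other virtual hosts lets those through; and if the firewall and the client resolve a name differently the rules miss, which is why the whitelist is regenerated from the same in-house resolver the clients are forced to use.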

  • Re:Forget it (Score:3, Insightful)

    by YrWrstNtmr ( 564987 ) on Thursday August 21, 2008 @06:32PM (#24696955)

    Oh please. We don't know the context of this guy's application, or what his non-profit does and who it applies to. Maybe he has a very valid reason.

    Keep honest people honest, and only allow a small subset of sites.
  • Re:Forget it (Score:4, Insightful)

    by Skreems ( 598317 ) on Thursday August 21, 2008 @09:36PM (#24698969) Homepage

    Why in god's name would you statically encode IP addresses when the DNS system is sitting right there to make sure you don't have to do that manual work? Besides, if they're including any reasonably sized site in that list, their DNS entries will resolve to a different IP address depending on the day of the week and the mood of their edge network provider, so it could be any of hundreds of IPs for a single address.
  • Re:Forget it (Score:3, Insightful)

    by amorsen ( 7485 ) <benny+slashdot@amorsen.dk> on Friday August 22, 2008 @07:25AM (#24703105)

    > Why in god's name would you statically encode IP addresses when the DNS system is sitting right there to make sure you don't have to do that manual work?

    Because that's how firewalls work, in general. Some firewalls will helpfully resolve domain names into IP addresses, but there's no guarantee that the IP addresses that the firewall gets from DNS are the same the client gets, so that is a dead end too.

    To do better you need to look into the actual HTTP session. If the poster had a firewall which could do that, he would most likely know, and therefore wouldn't ask the question in the first place.
