Fork me on GitHub
Webconverger wiki/ Network filtering options

Limiting users to your Website

No addressbar

The easiest way to limit users to your Website, in your customisation order please specify chrome=webcnoaddressbar. This modifies the User Interface to remove the URL addressbar, so that users can't navigate away from your homepage.

Simple filtering with the hosts= API

Using the hosts file is a very simple way of filtering Web access of your Webconverger deployments. It's by no means fool-proof, and you need to be able to create the file yourself for the time being on a public URL since we don't offer a configuration Web user-interface for it atm.

This feature was introduced in 839dde and if you are using the install version, you will automatically just get this.

Note the hosts file is only setup on boot, so if you change the hosts= file you need to reboot the machine for it to take affect of any modified rules.

WARNING: If the hosts file fails to retrieve, the machine can be left unprotected. We will make this feature more failsafe, i.e. if the hosts file fails to download, it will show a graphic to that affect and halt.

iptables API

From Webconverger 18 there is a simple iptables API.

Iptables man page

E.g. to block the IP 8.8.8.8

iptables=-I%20INPUT%20-s%208.8.8.8%20-j%20DROP

You can have multiple iptables= commands and they will be processed in order.

Blacklist

Specifying hosts=http://example.webconverger.com/blacklist will replace /etc/hosts with the black list http://example.webconverger.com/blacklist.

To attempt to blacklist for example reddit.com, you would typically add lines in this format:

255.255.255.255 reddit.com
255.255.255.255 www.reddit.com

Therefore the machine would be blacklisted to surf upon reddit.com, however's reddit's content might be available through other websites or subdomains so this method is not fool-proof. However for simple filtering, it may just suffice.

Whitelist

To setup a simple whitelist where only sites you specify can be accessed since the DNS service is disabled, your hosts= value must contain the word whitelist.

For example: hosts=http://example.webconverger.com/whitelist

http://example.webconverger.com/whitelist contains the sites you explicitly want to resolve/allow.

How to prevent users leaving public kiosks in a "bad state"

You will want to consider the kiosk reset options in order to reset Webconverger to your site every say, 3 minutes. This can help avoid an unsupervised Webconverger kiosk being set on a non-mandated Website for too long in public spaces.

Using a 3rd party DNS service for comprehensive filtering

OpenDNS provide a comprehensive filtering service. Case studies.

You can open an account with OpenDNS directly or go through Webconverger.com's sales who are resellers of the product. sales@webconverger.com can generally get a better deal for you per seat because we buy OpenDNS services in blocks.

This uses the dns= API

Further un-supported options

Using your router or wireless access point

As mentioned on http://webconverger.org/blog/entry/Better_Routing_wanted

3rd party firmware like dd-wrt provide options to limit WAN access under Access Restrictions to:

  • Website Blocking by URL Address
  • Website Blocking by Keyword

Webconverger and IPCop

IPCop is a lfs-based firewall which can easily be tweaked up to an url-filter.

Pros

  • Easy to implement (no cost)
  • Does not add any weight to Webconverger
  • Secures your whole network from the Internet
  • Very user-friendly and task-based GUI
  • Great community behind the project

Cons

  • An additional PC must be installed
  • Networkinterfaces must be separated physically
  • No multi-WAN connections
  • AddOns can only be installed by using a shell

Here are two links when you have questions about IPCop.