Disable internet access to Linux Labs

Hello,

We have asked to install the Safe Exam Browser in Windows Labs, so as to limit the chances of cheating with Google and ChatGPT during exams and quizzes. Seems to work very well for Windows.
But I wonder how people solve accessing the internet and ChatGPT in Linux student labs? Do you use any s/w like SEB or any other methods?

Thank you
Maria

The simplest way to prevent access to the Internet is to unplug the network cable and/or change the wifi password at the router.

It doesn’t have to be any more complicated than that.

I am afraid this is not possible, since the PCs are also NFS clients for users’ home directories, users are authenticating with LDAP/SSSD, etc…

change the wifi password at the router

The main point I see in that is the note that machines on the local subnet can access other subnets only via a router (aka “gateway”) that forwards traffic between the subnets it is connected to. Therefore, it is possible to dictate on the router centrally (for the whole subnet) what traffic is allowed.

The “unplug cable” is “allow nothing”, but with firewall rules one can selectively allow some traffic.


Likewise, in a Linux machine it is possible to adjust firewall rules to deny unwanted traffic.
There are “input” and “output” rules. The former say which new connections other machines can open to this system and the latter where this machine can connect to.

The default input (in Rocky) allows incoming connections to sshd, cockpit, and dhcpv6-client.
The default output (in Rocky) allows opening connections to anywhere, with any protocol.

One could change the output rules to allow:

  • NFS traffic to known NFS server
  • LDAP traffic to known LDAP server
  • NTP traffic to known time server
  • HTTPS traffic to webserver that has the exam questions
  • Whatever else has to be allowed?

And deny everything else (particularly ssh and vpn protocols).

However, the package manager (dnf) connects to online package repos over HTTPS. If those web servers also provide “unwanted content”, then they cannot be used. Since there is already NFS, the NFS server could mirror the Rocky repos and the machines could be configured to use only the local mirror. Hence less need to reach any HTTP/HTTPS servers outside.

The setup is easier to manage, if all local (allowed) servers are in the local subnet(s) and you can deny at the edge router that is between the local subnet(s) and the outside.
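
The output allow-list described in the last reply, written out as an nftables ruleset generator. This is an added example, not part of the thread: the table name `exam_lockdown`, the server addresses (documentation-range placeholders) and the helper function names are assumptions, as are NFSv4 (TCP 2049 only) and servers addressed by IP, so any further service such as DNS would need its own rule.

```shell
#!/bin/sh
# Added example, not from the thread: render an nftables egress allow-list
# for an exam lab client. Addresses are constructed placeholders (RFC 5737).
# Assumes NFSv4 (TCP 2049 only) and servers addressed by IP, so no DNS rule.
NFS_SERVER="${NFS_SERVER:-192.0.2.10}"
LDAP_SERVER="${LDAP_SERVER:-192.0.2.11}"
NTP_SERVER="${NTP_SERVER:-192.0.2.12}"
EXAM_SERVER="${EXAM_SERVER:-192.0.2.13}"

# Accept only a dotted-quad IPv4 address, so a typo or stray text in a
# variable cannot end up as extra syntax inside the generated ruleset.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

render_exam_ruleset() {
    for addr in "$NFS_SERVER" "$LDAP_SERVER" "$NTP_SERVER" "$EXAM_SERVER"; do
        is_ipv4 "$addr" || { echo "invalid address: $addr" >&2; return 1; }
    done
    cat <<EOF
# Create-then-delete makes reloading this file idempotent.
table inet exam_lockdown
delete table inet exam_lockdown
table inet exam_lockdown {
    chain output {
        # Default deny: IPv6 and every destination not listed below.
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        # Replies to admitted inbound sessions (e.g. sshd) and to flows below.
        ct state established,related accept
        # DHCP lease renewal.
        udp sport 68 udp dport 67 accept
        ip daddr $NFS_SERVER tcp dport 2049 accept
        ip daddr $LDAP_SERVER tcp dport { 389, 636 } accept
        ip daddr $NTP_SERVER udp dport 123 accept
        ip daddr $EXAM_SERVER tcp dport 443 accept
        # Count and refuse the rest, so blocked attempts fail fast and are visible.
        counter reject with icmpx type admin-prohibited
    }
}
EOF
}

# Print the ruleset; an admin would save it and validate with: nft -c -f FILE
render_exam_ruleset
```

The ruleset loads as its own table next to the one firewalld manages, and a packet dropped in any output chain stays dropped, so the default Rocky output behaviour no longer applies to unlisted destinations.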