veyon
diff --git a/‎addons/images/de/internet-access-control-configuration.png‎
172 KB b/‎addons/images/de/internet-access-control-configuration.png‎
172 KB
diff --git a/‎addons/images/internet-access-control-configuration.png‎
20.1 KB b/‎addons/images/internet-access-control-configuration.png‎
20.1 KB
diff --git a/‎addons/internet-access-control.rst‎
Lines changed: 42 additions & 3 deletions b/‎addons/internet-access-control.rst‎
Lines changed: 42 additions & 3 deletions
diff --git a/‎locale/de/LC_MESSAGES/addons.po‎
Lines changed: 187 additions & 10 deletions b/‎locale/de/LC_MESSAGES/addons.po‎
Lines changed: 187 additions & 10 deletions
@@ -16,11 +16,50 @@ First of all the Veyon Add-ons package needs to be installed. Make sure to downl
 
 After the installation has completed, you'll see some new configuration pages in the Veyon Configurator program. One of them is called :guilabel:`Internet access control` and allows to set up the add-on:
 
-.. image:: images/internet-access-control-configuration.png
-   :scale: 75 %
+.. figure:: images/internet-access-control-configuration.png
+   :class: image-drop-shadow
    :align: center
 
-In most cases you can leave the default settings and continue with deploying the add-on to the student computers. If you make changes to the configuration, remember to always deploy the updated configuration to the student computers, since all settings affect the way the Internet access is blocked client-side.
+   Internet Access Control configuration page
+
+In most cases you can leave the default settings and continue with deploying the add-on to the student computers.
+
+.. important:: If you make changes to the configuration, remember to always deploy the updated configuration to the student computers! Only the client-side settings affect the way the Internet access is blocked on the clients.
 
 Now you can start Veyon Master and can click the :guilabel:`Internet access` button to open the menu with the :guilabel:`Block Internet access` and :guilabel:`Unblock Internet access` items. After activating the :guilabel:`Block Internet access` item, the users on the selected computer(s) no longer should be able to open a website on the Internet. If they still are, please check the settings and possibly try another blocking mode or backend.
 
+Backends
+--------
+
+There are currently two backends providing different mechanisms to block the Internet access. Both backends are described in the following subsections.
+
+Block internet access via system firewall
++++++++++++++++++++++++++++++++++++++++++
+
+This is the standard backend that should preferably be used, as it offers the most flexibility and works most reliably. When this backend is used, the Veyon Service makes changes to the system firewall to block Internet access. There are platform-specific differences here:
+
+
+Windows
+    Veyon controls the integrated Windows firewall and makes temporary changes to its configuration. This means that the Windows firewall must be activated. In addition, changes to the configuration of the Windows firewall must not be prevented by group policies.
+
+Linux
+    Veyon works on the basis of *nftables* and calls the related command line tool ``nft``. This is used to temporarily add additional rules to block Internet access.
+
+For both operating systems, the backend configuration is identical. In general different modes are available. The mode selection depends on the network environment and the desired blocking behavior.
+
+Block all outbound traffic for TCP ports
+    This is the default mode and should work in most environments. In this mode the Veyon Service adds special rules to the firewall which block any traffic to the configured ports. Use this mode if blocking the TCP ports 80/443 and one or multiple custom ports (separated by space) is sufficient. To block all traffic use the second mode.
+
+Block all outbound traffic to non-local subnets
+    In this mode, all network traffic directed to networks outside the local subnets is blocked. On Windows, the Veyon service temporarily changes the configuration of all firewall profiles (domain, private, public) to “ Outbound connections that do not match a rule are blocked”. If :guilabel:`Exceptions` are configured, appropriate rules are added to allow access to these networks, hosts or ports. This can be used, for example, to preserve access to the intranet and other internally hosted platforms. External websites can also be defined as exceptions here under certain circumstances, but the addresses of all servers/CDNs from which the website loads resources must then also be specified.
+
+Block traffic to (e.g. proxy or DNS) servers
+    If the student computers access the Internet via a proxy server, you can select this option. A firewall rule is then added that simply blocks all traffic to the proxy address. Alternatively, access to certain DNS servers can also be blocked, although in most cases this leads to problems when accessing internal resources such as network drives etc.
+
+Enable preconfigured firewall rule
+    If the three modes above are not suitable for your network you can also configure an own custom rule in the Windows Firewall. This rule should be disabled by default. The Veyon Service will enable this rule while the Internet access is to be blocked. On Linux the Veyon Service calls ``nft`` to load the nftables rules from the file ``/etc/veyon/iac/firewall/rules.d/<RULENAME>``. You can define any nftables rules in this file.
+
+Block internet access by modifying routing table
+++++++++++++++++++++++++++++++++++++++++++++++++
+
+If the firewall backend cannot be used (e.g. if a 3rdparty firewall software is used instead of the Windows Firewall), you can use this backend as a fallback. It works in a very simple way by temporarily removing the default route from the routing table and/or adding a user-defined (possibly deliberately invalid) route to block Internet access. In any case, the settings should be made carefully so that access to the internal network continues to function properly. Especially in larger segmented networks, both options should be combined by removing the default route on the one hand and adding a route to the internal network on the other.
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Veyon 4.9.1\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-12-11 09:38+0100\n"
+"POT-Creation-Date: 2024-12-11 11:21+0100\n"
 "PO-Revision-Date: 2024-09-13 09:03+0000\n"
 "Last-Translator: Tobias Junghans, 2024\n"
 "Language-Team: German (https://app.transifex.com/veyon-solutions/teams/65452/de/)\n"
@@ -545,19 +545,25 @@ msgstr ""
 ":guilabel:`Internetzugriffskontrolle` und erlaubt es, das Add-on "
 "einzurichten:"
 
+msgid "Internet Access Control configuration page"
+msgstr "Konfigurationsseite der Internetzugriffssteuerung"
+
 msgid ""
 "In most cases you can leave the default settings and continue with deploying"
-" the add-on to the student computers. If you make changes to the "
-"configuration, remember to always deploy the updated configuration to the "
-"student computers, since all settings affect the way the Internet access is "
-"blocked client-side."
+" the add-on to the student computers."
 msgstr ""
 "In den meisten Fällen können Sie die Standardeinstellungen beibehalten und "
-"mit der Verteilung des Add-ons auf den Schülercomputern fortfahren. Wenn Sie"
-" Änderungen an der Konfiguration vornehmen, denken Sie daran, immer die "
-"aktualisierte Konfiguration auf den Schülercomputern bereitzustellen, da "
-"alle Einstellungen die Art und Weise beeinflussen, wie der Internetzugang "
-"clientseitig blockiert wird."
+"mit der Verteilung des Add-ons auf den Schülercomputern fortfahren."
+
+msgid ""
+"If you make changes to the configuration, remember to always deploy the "
+"updated configuration to the student computers! Only the client-side "
+"settings affect the way the Internet access is blocked on the clients."
+msgstr ""
+"Wenn Sie Änderungen an der Konfiguration vornehmen, denken Sie daran, dass "
+"Sie die aktualisierte Konfiguration immer auf die Schülercomputer übertragen"
+" müssen! Nur die clientseitigen Einstellungen wirken sich darauf aus, wie "
+"der Internetzugang auf den Clients blockiert wird."
 
 msgid ""
 "Now you can start Veyon Master and can click the :guilabel:`Internet access`"
@@ -578,6 +584,177 @@ msgstr ""
 "die Einstellungen und probieren Sie eventuell einen anderen "
 "Blockierungsmodus oder ein anderes Backend aus."
 
+msgid "Backends"
+msgstr "Backends"
+
+msgid ""
+"There are currently two backends providing different mechanisms to block the"
+" Internet access. Both backends are described in the following subsections."
+msgstr ""
+"Derzeit gibt es zwei Backends, die unterschiedliche Mechanismen zur Sperrung"
+" des Internetzugriffs bieten. Beide Backends werden in den folgenden "
+"Unterabschnitten beschrieben."
+
+msgid "Block internet access via system firewall"
+msgstr "Internetzugriff über Systemfirewall sperren"
+
+msgid ""
+"This is the standard backend that should preferably be used, as it offers "
+"the most flexibility and works most reliably. When this backend is used, the"
+" Veyon Service makes changes to the system firewall to block Internet "
+"access. There are platform-specific differences here:"
+msgstr ""
+"Dies ist das Standard-Backend, das bevorzugt verwendet werden sollte, da es "
+"die meiste Flexibilität bietet und am zuverlässigsten funktioniert. Wenn "
+"dieses Backend eingesetzt wird, nimmt der Veyon-Dienst zur Sperrung des "
+"Internetzugriffs Änderungen an der Systemfirewall vor. Hierbei gibt es "
+"plattformspezifische Unterschiede:"
+
+msgid "Windows"
+msgstr "Windows"
+
+msgid ""
+"Veyon controls the integrated Windows firewall and makes temporary changes "
+"to its configuration. This means that the Windows firewall must be "
+"activated. In addition, changes to the configuration of the Windows firewall"
+" must not be prevented by group policies."
+msgstr ""
+"Veyon steuert die integrierte Windows Firewall und nimmt temporäre "
+"Änderungen an deren Konfiguration vor. Dies bedeutet, dass die Windows "
+"Firewall zwingend aktiviert sein muss. Außerdem dürfen Änderungen an der "
+"Konfiguration der Windows Firewall nicht durch Gruppenrichtlinien "
+"unterbunden sein. "
+
+msgid "Linux"
+msgstr "Linux"
+
+msgid ""
+"Veyon works on the basis of *nftables* and calls the related command line "
+"tool ``nft``. This is used to temporarily add additional rules to block "
+"Internet access."
+msgstr ""
+"Veyon arbeitet auf der Grundlage von *nftables* und ruft das zugehörige "
+"Kommandozeilentool ``nft`` auf. Hierüber werden temporär zusätzliche Regeln "
+"hinzugefügt, um den Internetzugriff zu blockieren. "
+
+msgid ""
+"For both operating systems, the backend configuration is identical. In "
+"general different modes are available. The mode selection depends on the "
+"network environment and the desired blocking behavior."
+msgstr ""
+"Für beide Betriebssysteme ist die Backend-Konfiguration identisch. "
+"Grundsätzlich sind verschiedene Modi verfügbar. Die Auswahl des Modus hängt "
+"von der Netzwerkumgebung und dem gewünschten Blockierverhalten ab."
+
+msgid "Block all outbound traffic for TCP ports"
+msgstr "Allen ausgehenden Verkehr für TCP-Ports blockieren"
+
+msgid ""
+"This is the default mode and should work in most environments. In this mode "
+"the Veyon Service adds special rules to the firewall which block any traffic"
+" to the configured ports. Use this mode if blocking the TCP ports 80/443 and"
+" one or multiple custom ports (separated by space) is sufficient. To block "
+"all traffic use the second mode."
+msgstr ""
+"Dies ist der Standardmodus und sollte in den meisten Umgebungen "
+"funktionieren. In diesem Modus fügt der Veyon-Dienst der Firewall spezielle "
+"Regeln hinzu, die jeglichen Verkehr zu den konfigurierten Ports blockieren. "
+"Verwenden Sie diesen Modus, wenn das Blockieren der TCP-Ports 80/443 und "
+"eines oder mehrerer benutzerdefinierter Ports (durch Leerzeichen getrennt) "
+"ausreicht. Um den gesamten Datenverkehr zu blockieren, verwenden Sie den "
+"zweiten Modus."
+
+msgid "Block all outbound traffic to non-local subnets"
+msgstr "Allen ausgehenden Verkehr für nicht-lokale Subnetze blockieren"
+
+msgid ""
+"In this mode, all network traffic directed to networks outside the local "
+"subnets is blocked. On Windows, the Veyon service temporarily changes the "
+"configuration of all firewall profiles (domain, private, public) to “ "
+"Outbound connections that do not match a rule are blocked”. If "
+":guilabel:`Exceptions` are configured, appropriate rules are added to allow "
+"access to these networks, hosts or ports. This can be used, for example, to "
+"preserve access to the intranet and other internally hosted platforms. "
+"External websites can also be defined as exceptions here under certain "
+"circumstances, but the addresses of all servers/CDNs from which the website "
+"loads resources must then also be specified."
+msgstr ""
+"In diesem Modus wird der gesamte Netzwerkverkehr, der an Netzwerke außerhalb"
+" der lokalen Subnetze gerichtet ist, blockiert. Unter Windows ändert der "
+"Veyon Dienst temporär die Konfiguration aller Firewall-Profile (Domäne, "
+"privat, öffentlich) auf \"Ausgehende Verbindungen, für die es keine Regel "
+"gibt, werden blockiert\". Wenn :guilabel:`Ausnahmen` konfiguriert werden, "
+"werden entsprechende Regeln ergänzt, um den Zugriff auf diese Netzwerke, "
+"Hosts oder Ports zuzulassen. Dies kann genutzt werden, um z.B. den Zugriff "
+"auf das Intranet und andere intern gehostete Plattformen beizubehalten. Auch"
+" externe Websiten können hier u.U. als Ausnahmen definiert werden, "
+"allerdings müssen dann auch die Adressen sämtlicher Server/CDNs angegeben "
+"werden, von denen die Website Ressourcen nachlädt. "
+
+msgid "Block traffic to (e.g. proxy or DNS) servers"
+msgstr "Verkehr zu (z.B. Proxy- oder DNS-) Servern blockieren"
+
+msgid ""
+"If the student computers access the Internet via a proxy server, you can "
+"select this option. A firewall rule is then added that simply blocks all "
+"traffic to the proxy address. Alternatively, access to certain DNS servers "
+"can also be blocked, although in most cases this leads to problems when "
+"accessing internal resources such as network drives etc."
+msgstr ""
+"Wenn die Schülercomputer über einen Proxy-Server auf das Internet zugreifen,"
+" können Sie diese Option wählen. Es wird dann eine Firewall-Regel "
+"hinzugefügt, die einfach den gesamten Verkehr zur Proxy-Adresse blockiert. "
+"Alternativ kann auch der Zugriff auf bestimmte DNS-Server blockiert werden, "
+"was allerdings in den meisten Fällen zu Problemen beim Zugriff auf interne "
+"Ressourcen wie Netzlaufwerke usw. führt."
+
+msgid "Enable preconfigured firewall rule"
+msgstr "Vorkonfigurierte Firewall-Regel aktivieren"
+
+msgid ""
+"If the three modes above are not suitable for your network you can also "
+"configure an own custom rule in the Windows Firewall. This rule should be "
+"disabled by default. The Veyon Service will enable this rule while the "
+"Internet access is to be blocked. On Linux the Veyon Service calls ``nft`` "
+"to load the nftables rules from the file "
+"``/etc/veyon/iac/firewall/rules.d/<RULENAME>``. You can define any nftables "
+"rules in this file."
+msgstr ""
+"Wenn die drei oben genannten Modi für Ihr Netzwerk nicht geeignet sind, "
+"können Sie auch eine eigene benutzerdefinierte Regel in der Windows-Firewall"
+" konfigurieren. Diese Regel sollte standardmäßig deaktiviert sein. Der Veyon"
+" Service aktiviert diese Regel, wenn der Internetzugang blockiert werden "
+"soll. Unter Linux ruft der Veyon Service ``nft`` auf, um die nftables Regeln"
+" aus der Datei ``/etc/veyon/iac/firewall/rules.d/<RULENAME>`` zu laden. Sie "
+"können beliebige nftables-Regeln in dieser Datei definieren."
+
+msgid "Block internet access by modifying routing table"
+msgstr "Internetzugriff durch Modifizierung der Routingtabelle sperren"
+
+msgid ""
+"If the firewall backend cannot be used (e.g. if a 3rdparty firewall software"
+" is used instead of the Windows Firewall), you can use this backend as a "
+"fallback. It works in a very simple way by temporarily removing the default "
+"route from the routing table and/or adding a user-defined (possibly "
+"deliberately invalid) route to block Internet access. In any case, the "
+"settings should be made carefully so that access to the internal network "
+"continues to function properly. Especially in larger segmented networks, "
+"both options should be combined by removing the default route on the one "
+"hand and adding a route to the internal network on the other."
+msgstr ""
+"Wenn das Firewall-Backend nicht verwendet werden kann (z.B. wenn eine "
+"Firewall-Software eines Drittanbieters anstelle der Windows-Firewall "
+"verwendet wird), können Sie dieses Backend als Ausweichlösung verwenden. Es "
+"funktioniert auf sehr einfache Art und Weise, indem es zum Blockieren des "
+"Internetzugriffs temporär wahlweise die Standardroute aus der Routingtabelle"
+" entfernt und/oder eine benutzerdefinierte (unter Umständen gewollt "
+"ungültige) Route hinzufügt. In jedem Fall sollten die Einstellungen "
+"sorgfältig vorgenommen werden, so dass der Zugriff auf das interne Netzwerk "
+"weiterhin ordnungsgemäß funktioniert. Gerade in größeren segmentierten "
+"Netzwerk sollten beide Optionen kombiniert werden, indem einerseits die "
+"Standardroute entfernt wird, andererseits eine Route auf das interne "
+"Netzwerk hinzugefügt wird."
+
 msgid "Licensing"
 msgstr "Lizenzierung"