[Bug 458643] Review Request: dansguardian - Content filtering web proxy

bugzilla at redhat.com bugzilla at redhat.com
Mon Feb 23 12:18:54 UTC 2009


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=458643





--- Comment #18 from Pavel Lisý <pavel.lisy at gmail.com>  2009-02-23 07:18:51 EDT ---
Have you thought about making a default firewall configuration? Similar settings
are made in Ubuntu CE, but through the firehol package.

This is what I use for my children's computers in combination with tinyproxy
(running as the nobody user on port 3128):

# Keep a copy of the current rules; the sed below reads it and writes the new rule file
cp -a /etc/sysconfig/iptables /etc/sysconfig/iptables-dansguardian-backup

sed \
-e '/-A INPUT -j REJECT --reject-with icmp-host-prohibited/a\
\
# dansguardian settings\
# --- begin\
-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 3128 -m owner ! --uid-owner nobody -j DROP\
# --- end\
' \
-e '/^\*filter/i\
\
# tinyproxy settings\
# --- begin\
*nat\
:PREROUTING ACCEPT [0:0]\
:POSTROUTING ACCEPT [0:0]\
:OUTPUT ACCEPT [0:0]\
:in_trproxy.1 - [0:0]\
:out_trproxy.1 - [0:0]\
-A PREROUTING -p tcp -m tcp --sport 1000:65535 --dport 80 -j in_trproxy.1\
-A in_trproxy.1 -p tcp -j REDIRECT --to-ports 8080\
-A OUTPUT -p tcp -m tcp --sport 32768:61000 --dport 80 -j out_trproxy.1\
-A out_trproxy.1 -m owner --uid-owner nobody -j RETURN\
-A out_trproxy.1 -m owner --uid-owner root -j RETURN\
-A out_trproxy.1 -d 127.0.0.1 -j RETURN\
-A out_trproxy.1 -p tcp -j REDIRECT --to-ports 8080\
-A OUTPUT -j ACCEPT\
COMMIT\
# --- end\
' /etc/sysconfig/iptables-dansguardian-backup > /etc/sysconfig/iptables

This is useful when you want to deny all HTTP traffic to the outside except for
defined users (nobody = tinyproxy user, root = yum update, ...).
You also don't need to make a proxy setting in the browser.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
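
Added example, not part of the original comment: a small Python model that walks the nat and filter OUTPUT rules quoted above and reports what happens to a locally generated TCP connection. The function names, the user "alice", the address 192.0.2.10 and the ACCEPT chain policies are assumptions made for the illustration.

```python
# Constructed model of the rules in the comment above (TCP only, uid matched by name).
NAT = """-A OUTPUT -p tcp -m tcp --sport 32768:61000 --dport 80 -j out_trproxy.1
-A out_trproxy.1 -m owner --uid-owner nobody -j RETURN
-A out_trproxy.1 -m owner --uid-owner root -j RETURN
-A out_trproxy.1 -d 127.0.0.1 -j RETURN
-A out_trproxy.1 -p tcp -j REDIRECT --to-ports 8080
-A OUTPUT -j ACCEPT"""
FILTER = ("-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 3128 "
          "-m owner ! --uid-owner nobody -j DROP")

def parse(text):
    # Group rules by chain as option->value dicts; "! --opt" becomes the key "!--opt".
    # Every option used in these rules takes exactly one value, so pairing is safe.
    chains = {}
    for line in text.splitlines():
        tok = line.replace("! ", "!").split()
        opts = dict(zip(tok[::2], tok[1::2]))
        chains.setdefault(opts["-A"], []).append(opts)
    return chains

def matches(opts, pkt):
    tests = {"--sport": lambda v: int(v.split(":")[0]) <= pkt["sport"] <= int(v.split(":")[1]),
             "--dport": lambda v: pkt["dport"] == int(v),
             "--uid-owner": lambda v: pkt["uid"] == v,
             "-d": lambda v: pkt["dst"] == v}
    for key, want in opts.items():
        test = tests.get(key.lstrip("!"))  # -A, -p, -m, -j, --to-ports test nothing here
        if test and test(want) == key.startswith("!"):
            return False
    return True

def walk(chains, chain, pkt):
    # First terminating target, or None on RETURN / end of chain.
    for opts in (o for o in chains[chain] if matches(o, pkt)):
        target = opts["-j"]
        if target == "RETURN":
            return None
        if target not in chains:
            return target + (":" + opts["--to-ports"] if target == "REDIRECT" else "")
        found = walk(chains, target, pkt)
        if found:
            return found
    return None

def verdict(uid, dst, dport, sport=40000):
    # Returns (nat OUTPUT result, filter OUTPUT result); chain policies assumed ACCEPT.
    pkt = {"uid": uid, "dst": dst, "dport": dport, "sport": sport}
    nat = walk(parse(NAT), "OUTPUT", pkt) or "ACCEPT"
    if nat.startswith("REDIRECT:"):  # REDIRECT in OUTPUT rewrites to the loopback address
        pkt.update(dst="127.0.0.1", dport=int(nat.split(":")[1]))
    return nat, walk(parse(FILTER), "OUTPUT", pkt) or "ACCEPT"
```

The redirect rule only matches source ports 32768:61000, so that range should agree with the machine's net.ipv4.ip_local_port_range setting.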



