> When I asked about content filtering a couple of months ago, everyone said
> Squid was rubbish.
>
Squid is a solid product. But it has the same benefit as most other
OSS products - flexibility. Flexibility means we can build a really
nifty self-healing scalable solutions - or we can make decisi
Alan McKinnon wrote:
On Saturday 17 January 2009 20:12:06 Grant wrote:
This requires only that the computer in question has a static IP or a
permanent lease (so you always know what it is), and you know the IP of
the web sites to be accessed (dig is a very good friend). Allow these,
deny everyt
>>> >> That sounds good, how can I do that?
>>> >
>>> > iptables module "owner" handles that stuff, just "man iptables" if
>>> > you'll have any trouble.
>>> >
>>> > iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j
>>> > REJECT
>>>
>>> I brought this to the shorewall list fo
On Saturday 17 January 2009 20:12:06 Grant wrote:
> > This requires only that the computer in question has a static IP or a
> > permanent lease (so you always know what it is), and you know the IP of
> > the web sites to be accessed (dig is a very good friend). Allow these,
> > deny everything els
>> >> That sounds good, how can I do that?
>> >
>> > iptables module "owner" handles that stuff, just "man iptables" if
>> > you'll have any trouble.
>> >
>> > iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j
>> > REJECT
>>
>> I brought this to the shorewall list for config
>> I brought this to the shorewall list for config advice, but I was told:
>>
>> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
>> notion of domains. So filtering by domain is a non-starter.
>> ...
>>
>> I'd like to restrict the websites one of the computers on my network
>> can
On 17 Jan 2009, at 05:34, Grant wrote:
...
I brought this to the shorewall list for config advice, but I was
told:
a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
notion of domains. So filtering by domain is a non-starter.
...
I'd like to restrict the websites one of the
On Saturday 17 January 2009 06:30:45 Mike Kazantsev wrote:
> And since you're using gentoo you can also pass rsync traffic through
> a proxy. Rsync (as well as wget and lots of other tools) will use proxy
> automatically if RSYNC_PROXY (http_proxy/ftp_proxy for other apps,
> lower- and uppercase)
On Saturday 17 January 2009 07:34:59 Grant wrote:
> >> That sounds good, how can I do that?
> >
> > iptables module "owner" handles that stuff, just "man iptables" if
> > you'll have any trouble.
> >
> > iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j
> > REJECT
>
> I broug
On Fri, 16 Jan 2009 21:34:59 -0800
Grant wrote:
> I think this leaves a squid proxy setup as my only option?
Sorry, I haven't noticed the fact that there are machines behind the
firewall that need to be restricted, and aforementioned rule certainly
won't do that.
Squid setup should certainly be
>> That sounds good, how can I do that?
>
> iptables module "owner" handles that stuff, just "man iptables" if
> you'll have any trouble.
>
> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j
> REJECT
I brought this to the shorewall list for config advice, but I was told:
On Tue, 13 Jan 2009 19:33:14 +
Mick wrote:
> On Sunday 11 January 2009, Mike Kazantsev wrote:
>
> > If blocking every possible user is too much trouble or you wish to
> > block just firefox, but not wget to http port for _all_ users (not the
> > same case as emerge from root) you can write a
On Sunday 11 January 2009, Mike Kazantsev wrote:
> If blocking every possible user is too much trouble or you wish to
> block just firefox, but not wget to http port for _all_ users (not the
> same case as emerge from root) you can write a simple SUID wrapper for
> firefox binary, which changes gr
> Grant wrote:
>
>> That sounds good, how can I do that?
>
> iptables module "owner" handles that stuff, just "man iptables" if
> you'll have any trouble.
>
> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j
> REJECT
>
> Alternatively, you can use numeric uid or match user
On Sat, 10 Jan 2009 09:48:10 -0800
Grant wrote:
> That sounds good, how can I do that?
iptables module "owner" handles that stuff, just "man iptables" if
you'll have any trouble.
iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT
Alternatively, you can use numeric
>>>
>>
>> I think you would do well to set up a squid proxy and block outbound
>> traffic for the affected machines. We've had great success with squid
>> in our environment. This gives you a tremendous amount of flexibility
>> on your access control, and it means you don't have to be concerned
>>
>>> 1. Put all your mirror sites in the exception list. This can get tedious as
>>> some ebuilds list many mirrors for sources
>>>
>>> or
>>>
>>> 2. wget using ftp
>>>
>>> or
>>>
>>> 3. set up a proxy
>>>
>>> The easiest is #2 by far
>>
>> Does portage use wget over http by default? Can I change a
>> > You could use iptables to block all traffic headed to port 80 with
>> > exceptions for the domains you need.
>>
>> Would that cause problems with fetching packages for emerges?
>>
>> - Grant
>>
>
> Why not just put a limit to a traffic from/to a specific user
> account(s) or groups, leaving ro
>>
>> 1. Put all your mirror sites in the exception list. This can get tedious as
>> some ebuilds list many mirrors for sources
>>
>> or
>>
>> 2. wget using ftp
>>
>> or
>>
>> 3. set up a proxy
>>
>> The easiest is #2 by far
>
> Does portage use wget over http by default? Can I change a setting to
On Friday 09 January 2009 19:32:15 Grant wrote:
> Does portage use wget over http by default? Can I change a setting to
> make it use ftp?
$ grep -i wget /etc/make.conf
FETCHCOMMAND="/usr/bin/wget --progress=bar:force -t 2 -T 30 --passive-ftp
\${URI} -P \${DISTDIR}"
--
Rgds
Peter
On Fri, 9 Jan 2009 10:40:33 -0800
Grant wrote:
> > You could use iptables to block all traffic headed to port 80 with
> > exceptions for the domains you need.
>
> Would that cause problems with fetching packages for emerges?
>
> - Grant
>
Why not just put a limit to a traffic from/to a specif
On Friday 09 January 2009 21:32:15 Grant wrote:
> >> > You could use iptables to block all traffic headed to port 80 with
> >> > exceptions for the domains you need.
> >>
> >> Would that cause problems with fetching packages for emerges?
> >
> > If you wget your packages using http, then yes. You c
2009/1/9 Kyle Bader
> > Does portage use wget over http by default? Can I change a setting to
> > make it use ftp?
>
> Use an ftp:// mirror?
>
> (correct me if I'm wrong)
>
> -Kyle
>
>
While that would work for the basic gentoo mirrors, there are a number of
packages that point to sites like sou
> Does portage use wget over http by default? Can I change a setting to
> make it use ftp?
Use an ftp:// mirror?
(correct me if I'm wrong)
-Kyle
>> > You could use iptables to block all traffic headed to port 80 with
>> > exceptions for the domains you need.
>>
>> Would that cause problems with fetching packages for emerges?
>
> If you wget your packages using http, then yes. You could then:
>
> 1. Put all your mirror sites in the exception
On Friday 09 January 2009 20:40:33 Grant wrote:
> > You could use iptables to block all traffic headed to port 80 with
> > exceptions for the domains you need.
>
> Would that cause problems with fetching packages for emerges?
If you wget your packages using http, then yes. You could then:
1. Put
> You could use iptables to block all traffic headed to port 80 with
> exceptions for the domains you need.
Would that cause problems with fetching packages for emerges?
- Grant
You could use iptables to block all traffic headed to port 80 with
exceptions for the domains you need.
--
kyle.ba...@gmail.com
On Wed, Jan 7, 2009 at 3:44 PM, Grant wrote:
> I'd like to restrict the websites one of the computers on my network
> can access in Firefox. It only needs to access 2 different domain
> names and I don't want it to be able to access any others. I can
> restrict it at the router if necessary beca
I'd like to restrict the websites one of the computers on my network
can access in Firefox. It only needs to access 2 different domain
names and I don't want it to be able to access any others. I can
restrict it at the router if necessary because the router is a Gentoo
system. Does anyone have s