* [gentoo-user] Restricting Firefox website access
From: Grant @ 2009-01-07 21:44 UTC
To: Gentoo mailing list
I'd like to restrict the websites one of the computers on my network
can access in Firefox. It only needs to access 2 different domain
names and I don't want it to be able to access any others. I can
restrict it at the router if necessary because the router is a Gentoo
system. Does anyone have suggestions on this?
- Grant
* Re: [gentoo-user] Restricting Firefox website access
From: Paul Hartman @ 2009-01-07 21:54 UTC
To: gentoo-user
On Wed, Jan 7, 2009 at 3:44 PM, Grant <emailgrant@gmail.com> wrote:
> I'd like to restrict the websites one of the computers on my network
> can access in Firefox. It only needs to access 2 different domain
> names and I don't want it to be able to access any others. I can
> restrict it at the router if necessary because the router is a Gentoo
> system. Does anyone have suggestions on this?
You could perhaps install a proxy on the local machine and set it up
only to allow access to whitelisted sites. There might be some kind of
kiosk-type firefox add-ons to disallow people from making changes to
the settings, etc.
Paul
* Re: [gentoo-user] Restricting Firefox website access
From: Kyle Bader @ 2009-01-08 20:57 UTC
To: gentoo-user
You could use iptables to block all traffic headed to port 80 with
exceptions for the domains you need.
--
kyle.bader@gmail.com
* Re: [gentoo-user] Restricting Firefox website access
From: Grant @ 2009-01-09 18:40 UTC
To: gentoo-user
> You could use iptables to block all traffic headed to port 80 with
> exceptions for the domains you need.
Would that cause problems with fetching packages for emerges?
- Grant
* Re: [gentoo-user] Restricting Firefox website access
From: Alan McKinnon @ 2009-01-09 19:05 UTC
To: gentoo-user
On Friday 09 January 2009 20:40:33 Grant wrote:
> > You could use iptables to block all traffic headed to port 80 with
> > exceptions for the domains you need.
>
> Would that cause problems with fetching packages for emerges?
If you wget your packages using http, then yes. You could then:
1. Put all your mirror sites in the exception list. This can get tedious as
some ebuilds list many mirrors for sources
or
2. wget using ftp
or
3. set up a proxy
The easiest is #2 by far
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Restricting Firefox website access
From: Grant @ 2009-01-09 19:32 UTC
To: gentoo-user
>> > You could use iptables to block all traffic headed to port 80 with
>> > exceptions for the domains you need.
>>
>> Would that cause problems with fetching packages for emerges?
>
> If you wget your packages using http, then yes. You could then:
>
> 1. Put all your mirror sites in the exception list. This can get tedious as
> some ebuilds list many mirrors for sources
>
> or
>
> 2. wget using ftp
>
> or
>
> 3. set up a proxy
>
> The easiest is #2 by far
Does portage use wget over http by default? Can I change a setting to
make it use ftp?
- Grant
* Re: [gentoo-user] Restricting Firefox website access
From: Kyle Bader @ 2009-01-09 20:58 UTC
To: gentoo-user
> Does portage use wget over http by default? Can I change a setting to
> make it use ftp?
Use an ftp:// mirror?
(correct me if I'm wrong)
-Kyle
* Re: [gentoo-user] Restricting Firefox website access
From: Nick Cunningham @ 2009-01-09 21:07 UTC
To: gentoo-user
2009/1/9 Kyle Bader <kyle.bader@gmail.com>
> > Does portage use wget over http by default? Can I change a setting to
> > make it use ftp?
>
> Use an ftp:// mirror?
>
> (correct me if I'm wrong)
>
> -Kyle
>
>
While that would work for the basic gentoo mirrors, there are a number of
packages that point to sites like sourceforge that may cause you problems.
- Nick
* Re: [gentoo-user] Restricting Firefox website access
From: Alan McKinnon @ 2009-01-09 21:23 UTC
To: gentoo-user
On Friday 09 January 2009 21:32:15 Grant wrote:
> >> > You could use iptables to block all traffic headed to port 80 with
> >> > exceptions for the domains you need.
> >>
> >> Would that cause problems with fetching packages for emerges?
> >
> > If you wget your packages using http, then yes. You could then:
> >
> > 1. Put all your mirror sites in the exception list. This can get tedious
> > as some ebuilds list many mirrors for sources
> >
> > or
> >
> > 2. wget using ftp
> >
> > or
> >
> > 3. set up a proxy
> >
> > The easiest is #2 by far
>
> Does portage use wget over http by default? Can I change a setting to
> make it use ftp?
Just give GENTOO_MIRRORS a usable ftp:// url in make.conf
There's nothing you can do about http URLs that might be in ebuilds. Those are
hardcoded and emerge will tell wget to use those exact URLs
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Restricting Firefox website access
From: Mike Kazantsev @ 2009-01-10 5:18 UTC
To: gentoo-user
On Fri, 9 Jan 2009 10:40:33 -0800
Grant <emailgrant@gmail.com> wrote:
> > You could use iptables to block all traffic headed to port 80 with
> > exceptions for the domains you need.
>
> Would that cause problems with fetching packages for emerges?
>
> - Grant
>
Why not just put a limit to a traffic from/to a specific user
account(s) or groups, leaving root unrestricted?
Makes sense, since root would be able to lift any restriction, anyway ;)
--
Mike Kazantsev // fraggod.net
* Re: [gentoo-user] Restricting Firefox website access
From: Peter Humphrey @ 2009-01-10 10:14 UTC
To: gentoo-user
On Friday 09 January 2009 19:32:15 Grant wrote:
> Does portage use wget over http by default? Can I change a setting to
> make it use ftp?
$ grep -i wget /etc/make.conf
FETCHCOMMAND="/usr/bin/wget --progress=bar:force -t 2 -T 30 --passive-ftp \${URI} -P \${DISTDIR}"
--
Rgds
Peter
* Re: [gentoo-user] Restricting Firefox website access
From: Matt Causey @ 2009-01-10 14:35 UTC
To: gentoo-user
>>
>> 1. Put all your mirror sites in the exception list. This can get tedious as
>> some ebuilds list many mirrors for sources
>>
>> or
>>
>> 2. wget using ftp
>>
>> or
>>
>> 3. set up a proxy
>>
>> The easiest is #2 by far
>
> Does portage use wget over http by default? Can I change a setting to
> make it use ftp?
>
> - Grant
>
>
I think you would do well to setup a squid proxy and block outbound
traffic for the affected machines. We've had great success with squid
in our environment. This gives you a tremendous amount of flexibility
on your access control, and it means you don't have to be concerned
about which transport methods are used when updating/installing.
Added bonus is that the squid caches your Gentoo download objects.
--
Matt
* Re: [gentoo-user] Restricting Firefox website access
From: Grant @ 2009-01-10 17:48 UTC
To: gentoo-user
>> > You could use iptables to block all traffic headed to port 80 with
>> > exceptions for the domains you need.
>>
>> Would that cause problems with fetching packages for emerges?
>>
>> - Grant
>>
>
> Why not just put a limit to a traffic from/to a specific user
> account(s) or groups, leaving root unrestricted?
>
> Makes sense, since root would be able to lift any restriction, anyway ;)
That sounds good, how can I do that?
- Grant
* Re: [gentoo-user] Restricting Firefox website access
From: Grant @ 2009-01-10 17:50 UTC
To: gentoo-user
>>> 1. Put all your mirror sites in the exception list. This can get tedious as
>>> some ebuilds list many mirrors for sources
>>>
>>> or
>>>
>>> 2. wget using ftp
>>>
>>> or
>>>
>>> 3. set up a proxy
>>>
>>> The easiest is #2 by far
>>
>> Does portage use wget over http by default? Can I change a setting to
>> make it use ftp?
>>
>> - Grant
>>
>>
>
> I think you would do well to setup a squid proxy and block outbound
> traffic for the affected machines. We've had great success with squid
> in our environment. This gives you a tremendous amount of flexibility
> on your access control, and it means you don't have to be concerned
> about which transport methods are used when updating/installing.
> Added bonus is that the squid caches your Gentoo download objects.
Is that tough to set up? I would think an iptables solution would be
easier, but maybe that won't work out.
- Grant
* Re: [gentoo-user] Restricting Firefox website access
From: Matt Causey @ 2009-01-10 19:35 UTC
To: gentoo-user
>>>
>>
>> I think you would do well to setup a squid proxy and block outbound
>> traffic for the affected machines. We've had great success with squid
>> in our environment. This gives you a tremendous amount of flexibility
>> on your access control, and it means you don't have to be concerned
>> about which transport methods are used when updating/installing.
>> Added bonus is that the squid caches your Gentoo download objects.
>
> Is that tough to set up? I would think an iptables solution would be
> easier, but maybe that won't work out.
>
Well, you'll end up using iptables anyway right? If you really want
to -force- folks to get out through a proxy, that is. Since you
mention that the router is a gentoo box, should be an easy one.
Tough to setup Squid? Naw. Of course, it's like most things, we don't
know much about your network or the scope of your requirements. For
our use case, we needed the following:
-forced access through the proxy
-website URL blacklisting and custom redirection based on massive regex lists
--Automated notification on certain 'violations'
-user account login to the proxy before internet access
-username tied to all proxy logs
-'manager' access to log data via nifty graphs on a web server
So, ours took some time. :)
Ya, I know these folks were uuber paranoid, and wanted the ability to
nab folks for what they felt like was inappropriate internet usage...
Anyway your situation sounds much simpler. So simple in fact that
just a few tweaks to the default squid.conf can provide you with a
functional config.
There are heaps of doco out there on configuring Squid, so you should
have a look and see what you think. You can easily get a little test
proxy going on a desktop or laptop to try it out. :-)
Hope this helps!
--
Matt
* Re: [gentoo-user] Restricting Firefox website access
From: Mike Kazantsev @ 2009-01-11 2:05 UTC
To: gentoo-user
On Sat, 10 Jan 2009 09:48:10 -0800
Grant <emailgrant@gmail.com> wrote:
> That sounds good, how can I do that?
iptables module "owner" handles that stuff, just "man iptables" if
you'll have any trouble.
iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT
Alternatively, you can use numeric uid or match user group:
iptables -A OUTPUT -m owner --gid-owner users -m tcp --dport http -j REJECT
As simple as that ;)
If blocking every possible user is too much trouble or you wish to
block just firefox, but not wget to http port for _all_ users (not the
same case as emerge from root) you can write a simple SUID wrapper for
firefox binary, which changes group to restricted one (but leaves uid
and home unchanged), then launches true firefox binary, to which only
that group has access.
--
Mike Kazantsev // fraggod.net
* Re: [gentoo-user] Restricting Firefox website access
From: Grant @ 2009-01-11 2:27 UTC
To: gentoo-user
> Grant <emailgrant@gmail.com> wrote:
>
>> That sounds good, how can I do that?
>
> iptables module "owner" handles that stuff, just "man iptables" if
> you'll have any trouble.
>
> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT
>
> Alternatively, you can use numeric uid or match user group:
>
> iptables -A OUTPUT -m owner --gid-owner users -m tcp --dport http -j REJECT
>
> As simple as that ;)
>
> If blocking every possible user is too much trouble or you wish to
> block just firefox, but not wget to http port for _all_ users (not the
> same case as emerge from root) you can write a simple SUID wrapper for
> firefox binary, which changes group to restricted one (but leaves uid
> and home unchanged), then launches true firefox binary, to which only
> that group has access.
>
> --
> Mike Kazantsev // fraggod.net
Thanks Mike, that sounds like exactly what I should do.
- Grant
* Re: [gentoo-user] Restricting Firefox website access
From: Mick @ 2009-01-13 19:33 UTC
To: gentoo-user
On Sunday 11 January 2009, Mike Kazantsev wrote:
> If blocking every possible user is too much trouble or you wish to
> block just firefox, but not wget to http port for _all_ users (not the
> same case as emerge from root) you can write a simple SUID wrapper for
> firefox binary, which changes group to restricted one (but leaves uid
> and home unchanged),
Is this like creating a symlink to the original FF binary which you have moved
somewhere else? Can you please explain?
> then launches true firefox binary, to which only
> that group has access.
--
Regards,
Mick
* Re: [gentoo-user] Restricting Firefox website access
From: Mike Kazantsev @ 2009-01-14 1:52 UTC
To: gentoo-user
On Tue, 13 Jan 2009 19:33:14 +0000
Mick <michaelkintzios@gmail.com> wrote:
> On Sunday 11 January 2009, Mike Kazantsev wrote:
>
> > If blocking every possible user is too much trouble or you wish to
> > block just firefox, but not wget to http port for _all_ users (not the
> > same case as emerge from root) you can write a simple SUID wrapper for
> > firefox binary, which changes group to restricted one (but leaves uid
> > and home unchanged),
>
> Is this like creating a symlink to the original FF binary which you have moved
> somewhere else? Can you please explain?
>
> > then launches true firefox binary, to which only
> > that group has access.
No, it's not.
Symlinks aren't made for that purpose, and should be treated just like
the object they point to, without messing with anything on the way.
As a rule, symlink permissions should not be changed, and in most cases
it's not supported by OS anyway.
What I mean is a wrapper binary. It can be either a native binary file
(like C compiled into ELF) or a script with SUID interpreter (like suid
perl).
I haven't tried this trick with firefox myself, but I don't see why it
shouldn't work here.
For example:
--- ff_wrapper.c
#include <stdio.h>
#include <unistd.h>
int main(int argc, char **argv)
{
    /* Set group to 'ff-users' (gid = 400, for this example); as root,
       setgid() sets real, effective and saved gid at once */
    if (setgid(400) != 0) {
        perror("setgid");
        return 1;
    }
    /* Drop root privileges for good: real, effective and saved uid */
    if (setuid(getuid()) != 0) {
        perror("setuid");
        return 1;
    }
    /* Start real firefox; execv() only returns on failure */
    execv("/usr/bin/_firefox", argv);
    perror("execv");
    return 1;
}
--- ff_wrapper.c
You can compile it with 'gcc ff_wrapper.c -o ff_wrapper'.
Then do (the real binary must be owned by the gid 400 group, or the
wrapper, now running with gid 400, can't execute it):
groupadd -g 400 ff-users \
&& mv /usr/bin/{,_}firefox \
&& chown root:ff-users /usr/bin/_firefox \
&& chmod 0750 /usr/bin/_firefox \
&& mv ff_wrapper /usr/bin/firefox \
&& chown root:root /usr/bin/firefox \
&& chmod 6555 /usr/bin/firefox
So firefox can only be launched directly by specific group (with gid=400
in this example, which should be created for this purpose), and the
wrapper ensures that when typing 'firefox' every user will be launching
it as a member of that group.
After that you can limit this group as you like.
Note that for all this to make sense, no user (firefox user, anyway)
should belong to the aforementioned group, or they'll be able to run
'/usr/bin/_firefox' directly, having effective gid that's written in
passwd (like 'someuser', usually the same as login name with linux).
It's a bit more complicated with the scripts (bash, for example),
because in that case it's an interpreter binary that gets launched
(i.e. /bin/bash, which then just reads the script), so the interpreter
should have suid flag, and that's a huge security gap, since every user
having access to it will be able to abuse root privileges.
There are, however, interpreters like perl, which, granted suid bit,
will shed all the privileges if the script they're trying to execute
doesn't have suid bit set on it, but even then there are whole lot of
things to check, so no one'll be able to abuse the script itself.
--
Mike Kazantsev // fraggod.net
* Re: [gentoo-user] Restricting Firefox website access
From: Grant @ 2009-01-17 5:34 UTC
To: gentoo-user
>> That sounds good, how can I do that?
>
> iptables module "owner" handles that stuff, just "man iptables" if
> you'll have any trouble.
>
> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT
I brought this to the shorewall list for config advice, but I was told:
a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
notion of domains. So filtering by domain is a non-starter.
b) When referring to packet filters, filtering by user id (e.g., root)
can only be done for connections originating from the firewall. See "man
shorewall-rules" and read about the USER/GROUP column.
Here was my original request:
I'd like to restrict the websites one of the computers on my network
can access in Firefox. It only needs to access 2 different domain
names and I don't want it to be able to access any others. I can
restrict it at the router if necessary because the router is a Gentoo
system.
I think this leaves a squid proxy setup as my only option?
- Grant
* Re: [gentoo-user] Restricting Firefox website access
From: Mike Kazantsev @ 2009-01-17 6:30 UTC
To: gentoo-user
On Fri, 16 Jan 2009 21:34:59 -0800
Grant <emailgrant@gmail.com> wrote:
> I think this leaves a squid proxy setup as my only option?
Sorry, I haven't noticed the fact that there are machines behind the
firewall that need to be restricted, and aforementioned rule certainly
won't do that.
Squid setup should certainly be a solid solution to the problem.
It should also save quite a lot of traffic and speed up browsing via
common cache.
You can actually disable nat on the firewall if there are no specific
software requirements that can't work with http proxy, which are quite
rare, with the exception of games and p2p software.
And since you're using gentoo you can also pass rsync traffic through
a proxy. Rsync (as well as wget and lots of other tools) will use proxy
automatically if RSYNC_PROXY (http_proxy/ftp_proxy for other apps,
lower- and uppercase) env var is set.
For squid to pass rsync traffic you'll need to specify rsync ports in
squid.conf, like this:
acl SSL_ports port 873 # rsync
acl Safe_ports port 873 # rsync
--
Mike Kazantsev // fraggod.net
* Re: [gentoo-user] Restricting Firefox website access
From: Alan McKinnon @ 2009-01-17 8:47 UTC
To: gentoo-user
On Saturday 17 January 2009 07:34:59 Grant wrote:
> >> That sounds good, how can I do that?
> >
> > iptables module "owner" handles that stuff, just "man iptables" if
> > you'll have any trouble.
> >
> > iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j
> > REJECT
>
> I brought this to the shorewall list for config advice, but I was told:
>
> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
> notion of domains. So filtering by domain is a non-starter.
>
> b) When referring to packet filters, filtering by user id (e.g., root)
> can only be done for connections originating from the firewall. See "man
> shorewall-rules" and read about the USER/GROUP column.
>
> Here was my original request:
>
> I'd like to restrict the websites one of the computers on my network
> can access in Firefox. It only needs to access 2 different domain
> names and I don't want it to be able to access any others. I can
> restrict it at the router if necessary because the router is a Gentoo
> system.
>
> I think this leaves a squid proxy setup as my only option?
Restrict by source AND destination IP
This requires only that the computer in question has a static IP or a
permanent lease (so you always know what it is), and you know the IP of the
web sites to be accessed (dig is a very good friend). Allow these, deny
everything else to destination port 80.
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Restricting Firefox website access
From: Peter Humphrey @ 2009-01-17 9:50 UTC
To: gentoo-user
On Saturday 17 January 2009 06:30:45 Mike Kazantsev wrote:
> And since you're using gentoo you can also pass rsync traffic through
> a proxy. Rsync (as well as wget and lots of other tools) will use proxy
> automatically if RSYNC_PROXY (http_proxy/ftp_proxy for other apps,
> lower- and uppercase) env var is set.
> For squid to pass rsync traffic you'll need to specify rsync ports in
> squid.conf, like this:
>
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 873 # rsync
Another way, of course, is to run rsyncd on one machine on the network, and
point the other machines to it for emerge --sync. This is getting a bit
off-topic, though.
--
Rgds
Peter
* Re: [gentoo-user] Restricting Firefox website access
From: Stroller @ 2009-01-17 15:43 UTC
To: gentoo-user
On 17 Jan 2009, at 05:34, Grant wrote:
> ...
> I brought this to the shorewall list for config advice, but I was
> told:
>
> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
> notion of domains. So filtering by domain is a non-starter.
> ...
>
> I'd like to restrict the websites one of the computers on my network
> can access in Firefox. It only needs to access 2 different domain
> names and I don't want it to be able to access any others.
If it's a case of only 2 domains, then the chances are that dumb
filtering will work ok.
If you allow packets from computer X with a destination port of 80
only to computers with the IP address 12.154.191.10 then users of
computer X will be able to access mylittlepony.com freely and also any
hardcore porn sites also hosted on the same webserver (12.154.191.10).
I have to admit this is probably not the way I'd do it, but WHEN YOU
WROTE IN ALL CAPITALS, I FELT COMPELLED TO REPLY TO YOU.
When I asked about content filtering a couple of months ago, everyone
said Squid was rubbish.
Actually, they ignored me. From now on, I will write all my questions
in BLOCK CAPITALS in order to maximise my responses.
But I had expected Squid + module to be the answer, and no-one
mentioned it. A couple of clowns mentioned OpenDNS, and DansGuardian
was the only serious reply I got, so you might want to look at that,
too.
http://www.gossamer-threads.com/lists/gentoo/user/175114
I really should be implementing this internet filtering this weekend.
Cheers,
Stroller.
* [gentoo-user] Re: Restricting Firefox website access
From: Harry Putnam @ 2009-01-17 16:32 UTC
To: gentoo-user
Stroller <stroller@stellar.eclipse.co.uk> writes:
> But I had expected Squid + module to be the answer, and no-one
> mentioned it. A couple of clowns mentioned OpenDNS, and DansGuardian
> was the only serious reply I got, so you might want to look at that,
> too.
> http://www.gossamer-threads.com/lists/gentoo/user/175114
>
> I really should be implementing this internet filtering this weekend.
Did privoxy go out of business... or just not suitable for the need?
I used to use it a few yrs ago but haven't had the need for quite a
while now.
* Re: [gentoo-user] Restricting Firefox website access
From: Grant @ 2009-01-17 17:32 UTC
To: gentoo-user
>> I brought this to the shorewall list for config advice, but I was told:
>>
>> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
>> notion of domains. So filtering by domain is a non-starter.
>> ...
>>
>> I'd like to restrict the websites one of the computers on my network
>> can access in Firefox. It only needs to access 2 different domain
>> names and I don't want it to be able to access any others.
>
> If it's a case of only 2 domains, then the chances are that dumb filtering
> will work ok.
>
> If you allow packets from computer X with a destination port of 80 only to
> computers with the IP address 12.154.191.10 then users of computer X will be
> able to access mylittlepony.com freely and also any hardcore porn sites also
> hosted on the same webserver (12.154.191.10).
>
> I have to admit this is probably not the way I'd do it, but WHEN YOU WROTE
> IN ALL CAPITALS, I FELT COMPELLED TO REPLY TO YOU.
I was quoting the other thread. Guess I should have used [quote][/quote].
- Grant
> When I asked about content filtering a couple of months ago, everyone said
> Squid was rubbish.
>
> Actually, they ignored me. From now on, I will write all my questions in
> BLOCK CAPITALS in order to maximise my responses.
>
> But I had expected Squid + module to be the answer, and no-one mentioned it.
> A couple of clowns mentioned OpenDNS, and DansGuardian was the only serious
> reply I got, so you might want to look at that, too.
> http://www.gossamer-threads.com/lists/gentoo/user/175114
>
> I really should be implementing this internet filtering this weekend.
>
> Cheers,
>
> Stroller.
* Re: [gentoo-user] Re: Restricting Firefox website access
From: Grant @ 2009-01-17 17:40 UTC
To: gentoo-user
>> But I had expected Squid + module to be the answer, and no-one
>> mentioned it. A couple of clowns mentioned OpenDNS, and DansGuardian
>> was the only serious reply I got, so you might want to look at that,
>> too.
>> http://www.gossamer-threads.com/lists/gentoo/user/175114
>>
>> I really should be implementing this internet filtering this weekend.
>
> Did privoxy go out of business... or just not suitable for the need?
>
> I used to use it a few yrs ago but haven't had the need for quite a
> while now.
What is the advantage of privoxy over squid? Maybe simplicity?
- Grant
* Re: [gentoo-user] Restricting Firefox website access
2009-01-17 8:47 ` Alan McKinnon
@ 2009-01-17 18:12 ` Grant
2009-01-17 18:21 ` Alan McKinnon
2009-01-17 18:24 ` Grant
From: Grant @ 2009-01-17 18:12 UTC
To: gentoo-user
>> >> That sounds good, how can I do that?
>> >
>> > iptables module "owner" handles that stuff, just "man iptables" if
>> > you'll have any trouble.
>> >
>> > iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j
>> > REJECT
>>
>> I brought this to the shorewall list for config advice, but I was told:
>>
>> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
>> notion of domains. So filtering by domain is a non-starter.
>>
>> b) When referring to packet filters, filtering by user id (e.g., root)
>> can only be done for connections originating from the firewall. See "man
>> shorewall-rules" and read about the USER/GROUP column.
>>
>> Here was my original request:
>>
>> I'd like to restrict the websites one of the computers on my network
>> can access in Firefox. It only needs to access 2 different domain
>> names and I don't want it to be able to access any others. I can
>> restrict it at the router if necessary because the router is a Gentoo
>> system.
>>
>> I think this leaves a squid proxy setup as my only option?
>
> Restrict by source AND destination IP
>
> This requires only that the computer in question has a static IP or a
> permanent lease (so you always know what it is), and you know the IP of the
> web sites to be accessed (dig is a very good friend). Allow these, deny
> everything else to destination port 80.
That sounds good, but I won't be able to fetch all updates that
portage might want, right?
- Grant
* Re: [gentoo-user] Restricting Firefox website access
2009-01-17 18:12 ` Grant
@ 2009-01-17 18:21 ` Alan McKinnon
2009-01-17 18:53 ` Matt Harrison
2009-01-17 18:24 ` Grant
From: Alan McKinnon @ 2009-01-17 18:21 UTC
To: gentoo-user
On Saturday 17 January 2009 20:12:06 Grant wrote:
> > This requires only that the computer in question has a static IP or a
> > permanent lease (so you always know what it is), and you know the IP of
> > the web sites to be accessed (dig is a very good friend). Allow these,
> > deny everything else to destination port 80.
>
> That sounds good, but I won't be able to fetch all updates that
> portage might want, right?
There's always a wrinkle isn't there?
I find in real terms that my machines get all their updates from gentoo.org or
from the gentoo mirror on the ftp server at work. That works for me; if those
two mirrors both fail, I have problems that a change of GENTOO_MIRRORS will
not solve.
Perhaps the same is true of your environment. Failing that, I think you need
to haul out the big guns, along with the big administration burden, and run
an http proxy.
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Restricting Firefox website access
2009-01-17 18:12 ` Grant
2009-01-17 18:21 ` Alan McKinnon
@ 2009-01-17 18:24 ` Grant
From: Grant @ 2009-01-17 18:24 UTC
To: gentoo-user
>>> >> That sounds good, how can I do that?
>>> >
>>> > iptables module "owner" handles that stuff, just "man iptables" if
>>> > you'll have any trouble.
>>> >
>>> > iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j
>>> > REJECT
>>>
>>> I brought this to the shorewall list for config advice, but I was told:
>>>
>>> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
>>> notion of domains. So filtering by domain is a non-starter.
>>>
>>> b) When referring to packet filters, filtering by user id (e.g., root)
>>> can only be done for connections originating from the firewall. See "man
>>> shorewall-rules" and read about the USER/GROUP column.
>>>
>>> Here was my original request:
>>>
>>> I'd like to restrict the websites one of the computers on my network
>>> can access in Firefox. It only needs to access 2 different domain
>>> names and I don't want it to be able to access any others. I can
>>> restrict it at the router if necessary because the router is a Gentoo
>>> system.
>>>
>>> I think this leaves a squid proxy setup as my only option?
>>
>> Restrict by source AND destination IP
>>
>> This requires only that the computer in question has a static IP or a
>> permanent lease (so you always know what it is), and you know the IP of the
>> web sites to be accessed (dig is a very good friend). Allow these, deny
>> everything else to destination port 80.
>
> That sounds good, but I won't be able to fetch all updates that
> portage might want, right?
>
> - Grant
But I could install a wide-open firewall on the system-to-restrict and
use that firewall to restrict website access instead of the router's
firewall. That way I could consider the user (root, non-root) when
deciding whether or not to allow the 80/443 outbound connection since:
"When referring to packet filters, filtering by user id (e.g., root)
can only be done for connections originating from the firewall."
That should restrict website access and allow portage to do its thing.
- Grant
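The rule set Grant sketches above (an owner match on the restricted host itself, so root and therefore portage stay unrestricted while the browsing user is pinned to the two sites' addresses), together with Alan's "dig is a very good friend" step and Stroller's warning that an address-based whitelist also admits every other site hosted on the same server, as an added shell example that is not code posted by anyone in this thread. The login name kiosk, the domains example.com and example.org and the 192.0.2.x addresses are assumed placeholders. The function prints the iptables commands instead of running them, so it can be reviewed and checked offline and then piped to sh as root on the restricted machine.

```shell
#!/bin/sh
# Added example, not from the thread: build the OUTPUT-chain rules for a
# host-local firewall that confines one login user to two web sites while
# leaving root (and so portage) unrestricted. The commands are printed,
# not executed: review them, then pipe them to sh as root.

# Assumed names: the restricted login is "kiosk"; domains and addresses
# used below are placeholders (RFC 5737 documentation range), not real lookups.
RESTRICTED_USER=kiosk

# resolve_ips DOMAIN: print the A records for DOMAIN, one per line.
# Needs the network (dig from bind-tools); the offline check feeds fixed IPs.
# A site served from several addresses or a CDN needs all of them listed,
# and the rules re-generated whenever the addresses change.
resolve_ips() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# gen_rules USER IP...: print the iptables commands for one restricted user.
# The owner match only exists on the OUTPUT chain of the host that opens the
# connection, which is why this must run on the restricted machine and not on
# the router (the point the shorewall list made).
gen_rules() {
    user=$1; shift
    # Root's web traffic (emerge fetching from GENTOO_MIRRORS) is untouched.
    echo "iptables -A OUTPUT -m owner --uid-owner root -p tcp -m multiport --dports 80,443 -j ACCEPT"
    # The restricted user may open HTTP/HTTPS only to the whitelisted addresses.
    # Caveat (Stroller's point): every other site hosted on the same address is
    # reachable as well, because a packet filter never sees the Host header.
    for ip in "$@"; do
        echo "iptables -A OUTPUT -m owner --uid-owner $user -d $ip -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    # Everything else that user sends to web ports is refused with a TCP reset,
    # so Firefox fails immediately instead of hanging on a dropped SYN.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset"
}

# Usage on the restricted machine (as root), resolving the two domains first:
#   gen_rules "$RESTRICTED_USER" $(resolve_ips example.com) $(resolve_ips example.org) | sh
# Ports other than 80/443 (DNS on 53, rsync for "emerge --sync") are not matched
# by these rules and stay subject to whatever policy the OUTPUT chain already has.
```

The rules are ordered deliberately: the root ACCEPT first, then one ACCEPT per whitelisted address, then the per-user REJECT, so the reject only ever sees traffic that no earlier rule claimed. Re-run the generator and reload the chain whenever the sites' addresses change, since the whitelist is by address, not by name.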
* Re: [gentoo-user] Restricting Firefox website access
2009-01-17 18:21 ` Alan McKinnon
@ 2009-01-17 18:53 ` Matt Harrison
From: Matt Harrison @ 2009-01-17 18:53 UTC
To: gentoo-user
Alan McKinnon wrote:
> On Saturday 17 January 2009 20:12:06 Grant wrote:
>
>>> This requires only that the computer in question has a static IP or a
>>> permanent lease (so you always know what it is), and you know the IP of
>>> the web sites to be accessed (dig is a very good friend). Allow these,
>>> deny everything else to destination port 80.
>> That sounds good, but I won't be able to fetch all updates that
>> portage might want, right?
>
> There's always a wrinkle isn't there?
>
> I find in real terms that my machines get all their updates from gentoo.org or
> from the gentoo mirror on the ftp server at work. That works for me, if those
> two mirrors both fail, I have problems that a change of GENTOO_MIRRORS will
> not solve.
>
> Perhaps the same is true of your environment. Failing that, I think you need
> to haul out the big guns, along with the big administration burden, and run
> an http proxy
>
I set up my squid proxy probably 5 years ago; I moved the config over
when I switched to gentoo a couple of years ago, and it still works.
I would say I spend around 10 minutes a year performing admin tasks on
my (home) squid server.
I just wanted to let it be said that squid doesn't have to be a big burden.
Matt
* [gentoo-user] Re: Restricting Firefox website access
2009-01-17 17:40 ` Grant
@ 2009-01-17 19:02 ` Harry Putnam
From: Harry Putnam @ 2009-01-17 19:02 UTC
To: gentoo-user
Grant <emailgrant@gmail.com> writes:
>>> But I had expected Squid + module to be the answer, and no-one
>>> mentioned it. A couple of clowns mentioned OpenDNS, and DansGuardian
>>> was the only serious reply I got, so you might want to look at that,
>>> too.
>>> http://www.gossamer-threads.com/lists/gentoo/user/175114
>>>
>>> I really should be implementing this internet filtering this weekend.
>>
>> Did privoxy go out of business... or just not suitable for the need?
>>
>> I used to use it a few yrs ago but haven't had the need for quite a
>> while now.
>
> What is the advantage of privoxy over squid? Maybe simplicity?
Not sure there is one. I ran privoxy through squid. Privoxy talked
direct to squid.
* Re: [gentoo-user] Restricting Firefox website access
2009-01-17 15:43 ` Stroller
2009-01-17 16:32 ` [gentoo-user] " Harry Putnam
2009-01-17 17:32 ` [gentoo-user] " Grant
@ 2009-01-23 11:04 ` Matt Causey
From: Matt Causey @ 2009-01-23 11:04 UTC
To: gentoo-user
> When I asked about content filtering a couple of months ago, everyone said
> Squid was rubbish.
>
Squid is a solid product. But it has the same benefit as most other
OSS products - flexibility. Flexibility means we can build a really
nifty self-healing, scalable solution - or we can make decisions that
cause pain. /shrug Dunno. YMMV
--
Matt
Thread overview: 33+ messages
2009-01-07 21:44 [gentoo-user] Restricting Firefox website access Grant
2009-01-07 21:54 ` Paul Hartman
2009-01-08 20:57 ` Kyle Bader
2009-01-09 18:40 ` Grant
2009-01-09 19:05 ` Alan McKinnon
2009-01-09 19:32 ` Grant
2009-01-09 20:58 ` Kyle Bader
2009-01-09 21:07 ` Nick Cunningham
2009-01-09 21:23 ` Alan McKinnon
2009-01-10 10:14 ` Peter Humphrey
2009-01-10 14:35 ` Matt Causey
2009-01-10 17:50 ` Grant
2009-01-10 19:35 ` Matt Causey
2009-01-10 5:18 ` Mike Kazantsev
2009-01-10 17:48 ` Grant
2009-01-11 2:05 ` Mike Kazantsev
2009-01-11 2:27 ` Grant
2009-01-13 19:33 ` Mick
2009-01-14 1:52 ` Mike Kazantsev
2009-01-17 5:34 ` Grant
2009-01-17 6:30 ` Mike Kazantsev
2009-01-17 9:50 ` Peter Humphrey
2009-01-17 8:47 ` Alan McKinnon
2009-01-17 18:12 ` Grant
2009-01-17 18:21 ` Alan McKinnon
2009-01-17 18:53 ` Matt Harrison
2009-01-17 18:24 ` Grant
2009-01-17 15:43 ` Stroller
2009-01-17 16:32 ` [gentoo-user] " Harry Putnam
2009-01-17 17:40 ` Grant
2009-01-17 19:02 ` Harry Putnam
2009-01-17 17:32 ` [gentoo-user] " Grant
2009-01-23 11:04 ` Matt Causey