Date: Sat, 17 Jan 2009 11:30:45 +0500
From: Mike Kazantsev
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Restricting Firefox website access
Message-ID: <20090117113045.42c110ff@coercion>
In-Reply-To: <49bf44f10901162134o79953e71y393c6a340c398dbe@mail.gmail.com>
X-Mailer: Claws Mail 3.7.0 (GTK+ 2.14.5; i686-pc-linux-gnu)
List-Id: Gentoo Linux mail
On Fri, 16 Jan 2009 21:34:59 -0800 Grant wrote:

> I think this leaves a squid proxy setup as my only option?

Sorry, I hadn't noticed the fact that there are machines behind the firewall that need to be restricted, and the aforementioned rule certainly won't do that.

A Squid setup should certainly be a solid solution to the problem. It should also save quite a lot of traffic and speed up browsing via a common cache.

You can actually disable NAT on the firewall if there are no specific software requirements that can't work with an HTTP proxy, which are quite rare, with the exception of games and p2p software.

And since you're using Gentoo you can also pass rsync traffic through a proxy. Rsync (as well as wget and lots of other tools) will use the proxy automatically if the RSYNC_PROXY (http_proxy/ftp_proxy for other apps, lower- and uppercase) env var is set.

For Squid to pass rsync traffic you'll need to specify the rsync port in squid.conf, like this:

    acl SSL_ports port 873   # rsync
    acl Safe_ports port 873  # rsync

-- 
Mike Kazantsev // fraggod.net
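The squid.conf fragment below is an added example, not part of Mike's post or of the Gentoo or Squid projects; it shows how the two acl lines from the reply fit into a complete http_access policy that locks a subset of LAN hosts to a site allow-list while still letting rsync (emerge --sync) tunnel through the proxy. The subnet, host addresses, allow-listed domains and proxy port are assumed values.

```squid
# Added example squid.conf fragment (assumed addresses and domains).
# Goal: hosts in "restricted" may only reach the allow-listed domains;
# every other LAN host is unrestricted; rsync is allowed via CONNECT to 873.

acl localnet      src 192.168.1.0/24                 # assumed LAN
acl restricted    src 192.168.1.50 192.168.1.51      # assumed hosts to lock down
acl allowed_sites dstdomain .gentoo.org .example.org # assumed allow-list

acl SSL_ports  port 443
acl SSL_ports  port 873                    # rsync daemon port, reached via CONNECT
acl Safe_ports port 80 21 443 873          # http, ftp, https, rsync
acl CONNECT    method CONNECT

# http_access lines are evaluated top to bottom; the first match wins.
http_access deny  !Safe_ports               # reject any request to an unlisted destination port
http_access deny  CONNECT !SSL_ports        # CONNECT tunnels only to 443 and 873
http_access allow restricted allowed_sites  # restricted hosts: allow-listed domains only ...
http_access deny  restricted                # ... and nothing else
http_access allow localnet                  # the rest of the LAN: unrestricted
http_access deny  all

http_port 3128
```

On the Gentoo clients, `RSYNC_PROXY=proxy.lan:3128` (hostname assumed; rsync documents the variable as a `hostname:port` pair) makes rsync open an HTTP CONNECT tunnel to the mirror's port 873 instead of a direct TCP connection, which only works for daemon-mode `rsync://` transfers such as the portage sync. That tunnel is why 873 must appear in both lists: the first deny line rejects unknown destination ports outright, and the second rejects CONNECT to anything not in SSL_ports, so leaving it out of either list silently breaks the sync. The policy only holds if the restricted hosts cannot bypass the proxy: the firewall has to drop their direct outbound traffic rather than forward it (the NAT removal Mike mentions), otherwise a user simply unsets the proxy in Firefox.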