From: Matt Harrison
Date: Sat, 17 Jan 2009 18:53:00 +0000
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Restricting Firefox website access

Alan McKinnon wrote:
> On Saturday 17 January 2009 20:12:06 Grant wrote:
>
>>> This requires only that the computer in question has a static IP or a
>>> permanent lease (so you always know what it is), and you know the IP of
>>> the web sites to be accessed (dig is a very good friend). Allow these,
>>> deny everything else to destination port 80.
>> That sounds good, but I won't be able to fetch all updates that
>> portage might want, right?
>
> There's always a wrinkle isn't there?
>
> I find in real terms that my machines get all their updates from gentoo.org or
> from the gentoo mirror on the ftp server at work. That works for me, if those
> two mirrors both fail, I have problems that a change of GENTOO_MIRRORS will
> not solve.
>
> Perhaps the same is true of your environment. Failing that, I think you need
> to haul out the big guns, along with the big administration burden, and run
> an http proxy
>

I set up my squid proxy probably 5 years ago, I moved the config over when I
switched to gentoo a couple of years ago, and it still works. I would say I
spend around 10 minutes a year performing admin tasks on my (home) squid
server.

I just wanted to let it be said that squid doesn't have to be a big burden.

Matt
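
Added example, not part of the original thread: a sketch of the quoted "allow these, deny everything else to destination port 80" rule set, written as a shell function that validates its input and prints the iptables commands instead of applying them. It assumes the rules live on the gateway (FORWARD chain) and that the destination addresses were already resolved with dig; all addresses are constructed documentation-range samples and the function names are hypothetical.

```shell
#!/bin/sh
# Emits (does not apply) an HTTP allowlist for one client with a fixed address.
# Assumption: filtering happens on the gateway, so rules go in FORWARD.
# Only port 80 is covered, as in the thread; HTTPS (443) needs its own rules.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet <= 255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    # Safe to split unquoted: the regex above admits digits and dots only.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_rules CLIENT_IP DEST_IP...: print one ACCEPT per allowed site,
# then a final REJECT for any other port-80 traffic from that client.
build_rules() {
    client=$1
    shift
    is_ipv4 "$client" || { echo "bad client address: $client" >&2; return 1; }
    # Validate everything first so a typo never yields a partial rule set.
    for dest in "$@"; do
        is_ipv4 "$dest" || { echo "bad destination: $dest" >&2; return 1; }
    done
    for dest in "$@"; do
        echo "iptables -A FORWARD -s $client -d $dest -p tcp --dport 80 -j ACCEPT"
    done
    # Order matters: this catch-all must come after every ACCEPT.
    echo "iptables -A FORWARD -s $client -p tcp --dport 80 -j REJECT --reject-with tcp-reset"
}

# Constructed sample: client 192.0.2.10 may reach two web servers.
build_rules 192.0.2.10 198.51.100.7 203.0.113.25
```

Review the printed rules before piping them to a root shell, and regenerate them whenever a site's address changes.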