Is it because of our interactions that you wanted to tell me to RTFM or
because of the interactions that you are being generous? Just kidding -
maybe I don't want to know the answer :)

The -m owner (or --match) worked like a champ. Thank you Joshua and Eric
for the gentle shove in the right direction.

George Toft, CISSP, MSIS
623-203-1760

Joshua Zeidner wrote:
> George,
>
> In most cases my response to this would be RTFM, but I have had some
> interactions with you in the past but I am feeling like a generous guy
> today and I have recently had some very helpful responses to my
> queries from other PLUG members.
>
> You can go with the configuration I suggest, but the idea David
> Demland proposes would probably work just as well.
>
> I suggest doing this:
>
> # this will allow firefox to contact your proxy through port 8080
> iptables -A OUTPUT -p TCP --dport 8080 -d 127.0.0.1 -m owner --uid-owner cff -j ACCEPT
>
> # this will stop all other communications with potentially cretinous slobs
> iptables -A OUTPUT -p TCP -m owner --uid-owner cff -j DROP
>
> I haven't debugged this, but this should work (or something very
> close). It's been a while since I've worked directly with IPtables.
>
> best of luck, jmz
>
> On 1/22/07, George Toft wrote:
>> Your assumption is correct - squid + DansGuardian
>>
>> I need a little help.
>>
>> I tried:
>> iptables -A OUTPUT -p TCP --dport 80 --uid-owner cff -j REJECT
>> and got this error:
>> iptables v1.3.3: Unknown arg `--uid-owner'
>> Try `iptables -h' or `iptables --help' for more information.
>>
>> I also tried
>> iptables -A OUTPUT -p TCP --dport 80 --uid-owner 1001 -j REJECT
>> with the same error.
>>
>> I looked in the man page, and it looks right to me:
>>     --uid-owner userid
>>         Matches if the packet was created by a process with the
>>         given effective user id.
>>
>> What did I mess up?
>>
>> George Toft, CISSP, MSIS
>> 623-203-1760
>>
>> Joshua Zeidner wrote:
>>> On 1/21/07, George Toft wrote:
>>>> I need to set up a Linux workstation (Computers for Families project)
>>>> that filters content. The workstation is an edubuntu install. Users
>>>> have a generic login, separate from the admin, and the root account is
>>>> locked. I added Squid and DansGuardian, which works perfectly once the
>>>> Firefox connection settings are set to 127.0.0.1:8080. Problem is that
>>>> any user can override this setting in their local profile.
>>>>
>>>> Is there an elegant way to prevent a user from changing this setting and
>>>> surfing the sites of ill repute?
>>>>
>>>> Kluge/Hackjob method 1:
>>>> I guess I could implement a cronjob that checks to see if firefox has
>>>> any established port 80 connections, then kills it. Pretty Draconian,
>>>> but it will get the point across. Make pref.js read-only for the user
>>>> which restores the proxy settings. Pretty inconvenient for the user :(
>>>>
>>>> Thoughts?
>>>
>>> George,
>>>
>>> I am assuming you are running Squid and DansGuardian as a
>>> different user than firefox (if not you should change it). You
>>> should set iptables to block all packets with destination other than
>>> localhost:8080 from your browser user (use --uid-owner
>>> switch). This will also stop them from using other applications to
>>> contact internet services of ill repute.
>>>
>>> -jmz
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change you mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
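A way to verify, from the admin's side, that rules like the ones in the thread really confine the browser user: an added example, not code from the thread, that reads an `iptables -S OUTPUT` listing and reports the gaps a reviewer would look for (no ACCEPT to the proxy, a DROP placed before the ACCEPT, or a DROP limited to one protocol that still lets UDP and ICMP from that user out). The sample listing is constructed; uid 1001 and proxy 127.0.0.1:8080 are the values George mentions.

```python
"""Audit an `iptables -S OUTPUT` listing for one user's proxy confinement."""
import shlex

# Constructed listing in `iptables -S` form, mirroring the TCP-only rules
# suggested in the thread (numeric uid, as iptables -S prints it).
SAMPLE_LISTING = """\
-P OUTPUT ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 8080 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1001 -j DROP
"""

def proxy_only_rules(uid, proxy_ip="127.0.0.1", proxy_port=8080):
    """Rules that let UID reach only the local proxy. The ACCEPT must precede
    the DROP, and the DROP carries no -p so UDP (DNS) and ICMP are caught too."""
    return [
        f"iptables -A OUTPUT -o lo -d {proxy_ip} -p tcp --dport {proxy_port} "
        f"-m owner --uid-owner {uid} -j ACCEPT",
        f"iptables -A OUTPUT -m owner --uid-owner {uid} -j DROP",
    ]

def _arg(argv, flag):
    """Value following FLAG in ARGV, or None when the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None

def audit_output_chain(listing, uid, proxy_ip="127.0.0.1", proxy_port=8080):
    """Return the problems found for UID; an empty list means confined."""
    accept_at = drop_at = None
    protocol_limited_drop = False
    for n, line in enumerate(listing.splitlines()):
        argv = shlex.split(line)
        if _arg(argv, "--uid-owner") != str(uid):
            continue                      # rule concerns another user
        target = _arg(argv, "-j")
        dst = (_arg(argv, "-d") or "").split("/")[0]   # strip /32 mask
        if target == "ACCEPT" and dst == proxy_ip and _arg(argv, "--dport") == str(proxy_port):
            accept_at = n if accept_at is None else accept_at
        elif target in ("DROP", "REJECT") and drop_at is None:
            drop_at = n
            protocol_limited_drop = "-p" in argv   # any -p leaves other protocols open
    problems = []
    if accept_at is None:
        problems.append("no ACCEPT to proxy")
    if drop_at is None:
        problems.append("no catch-all DROP")
    elif protocol_limited_drop:
        problems.append("DROP restricted to one protocol; UDP/ICMP still leak")
    if accept_at is not None and drop_at is not None and drop_at < accept_at:
        problems.append("DROP precedes ACCEPT; proxy traffic is blocked")
    return problems
```

Run it against the live chain with `audit_output_chain(subprocess.check_output(["iptables", "-S", "OUTPUT"], text=True), 1001)`.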