Re: Firefox configuration management

Author: Joshua Zeidner
Date:  
To: Main PLUG discussion list
Subject: Re: Firefox configuration management
George,

In most cases my response to this would be RTFM, but I have had some
interactions with you in the past, I am feeling like a generous guy
today, and I have recently had some very helpful responses to my
queries from other PLUG members.

You can go with the configuration I suggest, but the idea David
Demland proposes would probably work just as well.

I suggest doing this:

# this will allow firefox to contact your proxy through port 8080
# (-m owner loads the match module that provides --uid-owner; -d takes the
# proxy address, which is 127.0.0.1 in your setup)
iptables -A OUTPUT -p TCP -d 127.0.0.1 --dport 8080 -m owner --uid-owner cff -j ACCEPT

# this will stop all other communications with potentially cretinous slobs
# (must come after the ACCEPT above, since -A appends in order)
iptables -A OUTPUT -p TCP -m owner --uid-owner cff -j DROP

I haven't debugged this, but this should work (or something very
close). It's been a while since I've worked directly with iptables.

best of luck, jmz

On 1/22/07, George Toft <> wrote:
> Your assumption is correct - squid + DansGuardian
>
> I need a little help.
>
> I tried:
> iptables -A OUTPUT -p TCP --dport 80 --uid-owner cff -j REJECT
> and got this error:
> iptables v1.3.3: Unknown arg `--uid-owner'
> Try `iptables -h' or `iptables --help' for more information.
>
> I also tried
> iptables -A OUTPUT -p TCP --dport 80 --uid-owner 1001 -j REJECT
> with the same error.
>
> I looked in the man page, and it looks right to me:
>         --uid-owner userid
>                Matches if the packet was created by a process with the
> given effective user id.
>
> What did I mess up?
>
> George Toft, CISSP, MSIS
> 623-203-1760
>
>
>
> Joshua Zeidner wrote:
> > On 1/21/07, George Toft <> wrote:
> >
> >>I need to set up a Linux workstation (Computers for Families project)
> >>that filters content. The workstation is an edubuntu install. Users
> >>have a generic login, separate from the admin, and the root account is
> >>locked. I added Squid and DansGuardian, which works perfectly once the
> >>Firefox connection settings are set to 127.0.0.1:8080. Problem is that
> >>any user can override this setting in their local profile.
> >>
> >>Is there an elegant way to prevent a user from changing this setting and
> >>surfing the sites of ill repute?
> >>
> >>Kluge/Hackjob method 1:
> >>I guess I could implement a cronjob that checks to see if firefox has
> >>any established port 80 connections, then kills it. Pretty Draconian,
> >>but it will get the point across. Make pref.js read-only for the user
> >>which restores the proxy settings. Pretty inconvenient for the user :(
> >>
> >>
> >>Thoughts?
> >
> >
> >    George,
> >
> >       I am assuming you are running Squid and DansGuardian as a
> > different user than firefox (if not, you should change it).  You
> > should set iptables to block all packets with destination other than
> > localhost:8080 from your browser user (use the --uid-owner <firefoxuser>
> > switch).  This will also stop them from using other applications to
> > contact internet services of ill repute.
> >
> >    -jmz
> >
> >
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



--
.0000. communication.
.0001. development.
.0010. strategy.
.0100. appeal.

JOSHUA M. ZEIDNER
IT Consultant

++power; ++perspective; ++possibilities;
( 602 ) 490 8006

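The script below is an added worked example for this thread; it is not Joshua's or George's code. It bundles the advice in the exchange into one runnable form: the "Unknown arg `--uid-owner'" error George hit is what iptables prints when the owner match module has not been loaded with "-m owner", so every rule here carries that flag; the ACCEPT for the proxy is appended before the catch-all so it is actually reached; and the script refuses to run if the browser account and the proxy account resolve to the same uid, since the catch-all would then block Squid's own upstream fetches. It goes a little beyond the posted rules on purpose: the catch-all has no "-p tcp" so UDP traffic (DNS lookups and the like) from the browser account cannot bypass the proxy either, and it uses REJECT instead of DROP so a blocked connection fails immediately rather than hanging. The user names "cff" and "proxy", the proxy address 127.0.0.1:8080, and the iptables listing samples are placeholders and constructed data for illustration.

```shell
#!/bin/sh
# Added example for this thread (not Joshua's or George's script): pin one
# Unix account's network access to the local filtering proxy with iptables.
# Assumptions: the "owner" match module is available (it is what makes
# --uid-owner parse; without "-m owner" iptables reports "Unknown arg"),
# Squid listens on 127.0.0.1:8080, and it runs as a different user than
# the browser account. "cff" and "proxy" are placeholder user names.
set -eu

# Resolve a login name to its numeric uid (iptables lists rules by uid,
# so the verification below compares numbers, not names).
uid_of() {
  id -u "$1"
}

# Refuse to lock down a user that is also the proxy's own account: the
# catch-all REJECT below would then stop Squid's upstream fetches as well.
assert_distinct_users() {
  browser=$1; proxy=$2
  [ "$(uid_of "$browser")" != "$(uid_of "$proxy")" ]
}

# Emit the rules in the order they must be appended. "-A" appends, so the
# ACCEPT for the proxy has to land before the catch-all or it never matches.
# The catch-all omits "-p tcp" on purpose so UDP (DNS, etc.) from the
# browser account cannot bypass the proxy either; REJECT rather than DROP
# gives the user an immediate "connection refused" instead of a hang.
rules_for() {
  user=$1; proxy_ip=$2; proxy_port=$3
  printf '%s\n' \
    "iptables -A OUTPUT -p tcp -d $proxy_ip --dport $proxy_port -m owner --uid-owner $user -j ACCEPT" \
    "iptables -A OUTPUT -m owner --uid-owner $user -j REJECT"
}

# Apply the rules (needs root). Rules do not survive a reboot; run this from
# a boot script or use iptables-save/iptables-restore to persist them.
apply_rules() {
  assert_distinct_users "$1" "$4"
  rules_for "$1" "$2" "$3" | sh -e
}

# Read "iptables -L OUTPUT -n -v" output on stdin and succeed only if an
# ACCEPT to dpt:<port> for the uid appears, followed later by a REJECT or
# DROP for the same uid. Any other order or a missing rule is a failure.
verify_listing() {
  uid=$1; port=$2
  awk -v uid="$uid" -v port="$port" '
    { owner = ($0 ~ ("owner UID match " uid "( |$)")) }
    $3 == "ACCEPT" && owner && $0 ~ ("dpt:" port "( |$)") && !acc { acc = NR }
    ($3 == "REJECT" || $3 == "DROP") && owner && !rej { rej = NR }
    END { exit !(acc && rej && acc < rej) }'
}

# Constructed sample of the listing after a correct install (uid 1001 = cff).
sample_listing_ok() {
  cat <<'EOF'
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:8080 owner UID match 1001
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1001 reject-with icmp-port-unreachable
EOF
}

# Constructed sample of the classic mistake: catch-all installed first, so
# the ACCEPT is dead and the browser cannot even reach the proxy.
sample_listing_bad() {
  cat <<'EOF'
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1001 reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:8080 owner UID match 1001
EOF
}

# Usage: sh lockdown.sh show|apply|verify [browser_user] [proxy_ip] [port] [proxy_user]
case "${1:-}" in
  apply)  apply_rules "${2:-cff}" "${3:-127.0.0.1}" "${4:-8080}" "${5:-proxy}" ;;
  show)   rules_for "${2:-cff}" "${3:-127.0.0.1}" "${4:-8080}" ;;
  verify) iptables -L OUTPUT -n -v | verify_listing "$(uid_of "${2:-cff}")" "${3:-8080}" ;;
esac
```

Run "sh lockdown.sh show" first to see the two commands, "sudo sh lockdown.sh apply" to install them, then "sudo sh lockdown.sh verify" to confirm the ACCEPT sits above the catch-all in the live OUTPUT chain. Note that the catch-all also blocks the browser account from reaching local services other than the proxy (a printer daemon on 127.0.0.1:631, for instance); add further ACCEPT lines ahead of it if the workstation needs those.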