Firefox configuration management

Eric "Shubes" plug at shubes.net
Mon Jan 22 08:22:55 MST 2007


This option is part of an extended packet matching module. You need to load
such modules explicitly (in many cases). Try including "--match owner" just
before the --uid-owner argument. That should load the appropriate module.

George Toft wrote:
> Your assumption is correct - squid + DansGuardian
> 
> I need a little help.
> 
> I tried:
> iptables -A OUTPUT -p TCP --dport 80 --uid-owner cff -j REJECT
> and got this error:
> iptables v1.3.3: Unknown arg `--uid-owner'
> Try `iptables -h' or `iptables --help' for more information.
> 
> I also tried
> iptables -A OUTPUT -p TCP --dport 80 --uid-owner 1001 -j REJECT
> with the same error.
> 
> I looked in the man page, and it looks right to me:
>         --uid-owner userid
>                Matches if the packet was created by a process with the 
> given effective user id.
> 
> What did I mess up?
> 
> George Toft, CISSP, MSIS
> 623-203-1760
> 
> 
> 
> Joshua Zeidner wrote:
>> On 1/21/07, George Toft <george at georgetoft.com> wrote:
>>
>>> I need to set up a Linux workstation (Computers for Families project)
>>> that filters content.  The workstation is an edubuntu install.  Users
>>> have a generic login, separate from the admin, and the root account is
>>> locked.  I added Squid and DansGuardian, which works perfectly once the
>>> Firefox connection settings are set to 127.0.0.1:8080.  Problem is that
>>> any user can override this setting in their local profile.
>>>
>>> Is there an elegant way to prevent a user from changing this setting and
>>> surfing the sites of ill repute?
>>>
>>> Kluge/Hackjob method 1:
>>> I guess I could implement a cronjob that checks to see if firefox has
>>> any established port 80 connections, then kills it.  Pretty Draconian,
>>> but it will get the point across.  Make pref.js read-only for the user
>>> which restores the proxy settings.  Pretty inconvenient for the user :(
>>>
>>>
>>> Thoughts?
>>
>>    George,
>>
>>       I am assuming you are running Squid and DansGuardian as a
>> different user than firefox (if not you should change it).  You
>> should set iptables to block all packets with destination other than
>> localhost:8080 from your browser user (use --uid-owner <firefoxuser>
>> switch).  This will also stop them from using other applications to
>> contact internet services of ill repute.
>>
>>    -jmz
>>
>>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 


-- 
-Eric 'shubes'
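
The rule set discussed in this thread, written out as an added example (not part of any poster's message): the browser account may reach only the local filtering proxy, and every rule loads the owner match explicitly with `-m owner`. The function names and the IPv6 rule are additions; the assumptions are that DansGuardian listens on 127.0.0.1:8080 and that Squid and DansGuardian run under a different UID than the browser account.

```shell
#!/bin/sh
# Added example, not from the thread. It only prints the rules; review
# them, then pipe the output to "sh" as root to apply.
# Assumptions: the filtering proxy listens on 127.0.0.1:8080 and runs,
# like Squid, under a different UID than the browser account.

# resolve_uid USER_OR_UID -> numeric UID on stdout, non-zero if unknown
resolve_uid() {
    case $1 in
        '')       return 1 ;;
        *[!0-9]*) id -u -- "$1" 2>/dev/null ;;   # login name: look it up
        *)        printf '%s\n' "$1" ;;          # already numeric
    esac
}

# gen_rules USER_OR_UID [PORT] -> iptables commands on stdout
gen_rules() {
    uid=$(resolve_uid "$1") || { echo "unknown user: $1" >&2; return 1; }
    port=${2:-8080}
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    # "-m owner" loads the match module that provides --uid-owner.
    own="-m owner --uid-owner $uid"
    # With -A the order matters: the ACCEPT must be appended first.
    # Any other loopback service this account needs gets its own ACCEPT
    # ahead of the REJECT.
    echo "iptables -A OUTPUT -o lo -p tcp -d 127.0.0.1 --dport $port $own -j ACCEPT"
    echo "iptables -A OUTPUT $own -j REJECT"
    # IPv6 has its own rule set; without this the account could bypass
    # the proxy over IPv6.
    echo "ip6tables -A OUTPUT $own -j REJECT"
}

# Direct use, e.g.: sh lockdown.sh 1001 8080 | sudo sh
[ $# -eq 0 ] || gen_rules "$@"
```

Because the browser is configured with an explicit proxy, it hands hostnames to the proxy, so the restricted account needs no outbound DNS rule of its own.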

