Firefox configuration management
George Toft
george at georgetoft.com
Mon Jan 22 20:13:46 MST 2007
Is it because of our interactions that you wanted to tell me to RTFM or
because of the interactions that you are being generous? Just kidding -
maybe I don't want to know the answer :)
The -m owner (or --match) worked like a champ.
Thank you Joshua and Eric for the gentle shove in the right direction.
George Toft, CISSP, MSIS
623-203-1760
Joshua Zeidner wrote:
> George,
>
> In most cases my response to this would be RTFM, but I have had some
> interactions with you in the past but I am feeling like a generous guy
> today and I have recently had some very helpful responses to my
> queries from other PLUG members.
>
> You can go with the configuration I suggest, but the idea David
> Demland proposes would probably work just as well.
>
> I suggest doing this:
>
> # this will allow firefox to contact your proxy through port 8080
> iptables -A OUTPUT -p TCP --dport 8080 127.1.1.1 -m owner -d
> --uid-owner cff -j ACCEPT
>
> # this will stop all other communications with potentially cretinous slobs
> iptables -A OUTPUT -p TCP -m owner --uid-owner cff -j DROP
>
> I havent debugged this, but this should work( or something very
> close ). Its been a while since I've worked directly with IPtables.
>
> best of luck, jmz
>
>
>
>
>
> iptables
>
>
>
> On 1/22/07, George Toft <george at georgetoft.com> wrote:
>
>>Your assumption is correct - squid + DansGuardian
>>
>>I need a little help.
>>
>>I tried:
>>iptables -A OUTPUT -p TCP --dport 80 --uid-owner cff -j REJECT
>>and got this error:
>>iptables v1.3.3: Unknown arg `--uid-owner'
>>Try `iptables -h' or `iptables --help' for more information.
>>
>>I also tried
>>iptables -A OUTPUT -p TCP --dport 80 --uid-owner 1001 -j REJECT
>>with the same error.
>>
>>I looked in the man page, and it looks right to me:
>> --uid-owner userid
>> Matches if the packet was created by a process with the
>>given effective user id.
>>
>>What did I mess up?
>>
>>George Toft, CISSP, MSIS
>>623-203-1760
>>
>>
>>
>>Joshua Zeidner wrote:
>>
>>>On 1/21/07, George Toft <george at georgetoft.com> wrote:
>>>
>>>
>>>>I need to set up a Linux workstation (Computers for Families project)
>>>>that filters content. The workstation is an edubuntu install. Users
>>>>have a generic login, separate from the admin, and the root account is
>>>>locked. I added Squid and DansGuardian, which works perfectly once the
>>>>Firefox connection settings are set to 127.0.0.1:8080. Problem is that
>>>>any user can override this setting in their local profile.
>>>>
>>>>Is there an elegan way to prevent a user from changing this setting and
>>>>surfing the sites of ill repute?
>>>>
>>>>Kluge/Hackjob method 1:
>>>>I guess I could implement a cronjob that checks to see if firefox has
>>>>any established port 80 connections, then kills it. Pretty Draconian,
>>>>but it will get the point across. Make pref.js read-only for the user
>>>>which restores the proxy settings. Pretty inconvenient for the user :(
>>>>
>>>>
>>>>Thoughts?
>>>
>>>
>>> George,
>>>
>>> I am assuming you are running Squid and DansGaurdian as a
>>>different user than firefox( if not you should change it ). You
>>>should set iptables to block all packets with destination other than
>>>localhost:8080 from your browser user( use --uid-owner <firefoxuser>
>>>switch ). This will also stop them from using other applications to
>>>contact internet services of ill repute.
>>>
>>> -jmz
>>>
>>>
>>
>>---------------------------------------------------
>>PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>To subscribe, unsubscribe, or to change you mail settings:
>>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>
>
>
More information about the PLUG-discuss
mailing list