Replying to myself.
The idea of dropping traffic outgoing to port 3128
for examination purposes looks like it is working well.
Regards
Giorgio
Here below is the diff patch
********************************
--- old/debian-edu-update-netblock 2017-03-17 11:39:46.265624382 +0100
+++ new/debian-edu-update-netblock 2017-03-17 11:45:28.708776912 +0100
@@ -88,7 +88,9 @@
# cycles ... but don't overdo it ;)
for subnet in $localnet $privatenet $internalnet ; do
- echo "-A OUTPUT -d $subnet -j ACCEPT" >> $filterfile
+ # Add web proxy netblock before general ACCEPT on OUTPUT chain
+ echo "-A OUTPUT -d $subnet -p tcp --dport 3128 -j DROP" >> $filterfile
+ echo "-A OUTPUT -d $subnet -j ACCEPT" >> $filterfile
done
for user in $privilegedusers ; do
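Review bot: the added `--dport 3128 -j DROP` line discards packets silently, so browsers on the blocked clients will wait for their connect timeout rather than fail at once; `-j REJECT --reject-with tcp-reset` would return an immediate error to the client. The rule also matches port 3128 on every address in $localnet, $privatenet and $internalnet rather than only the proxy host, and the port number is hard-coded in the echo; a variable for the proxy port (and for the proxy address, if the script has it available) would let sites that run the proxy elsewhere adjust it without editing the loop.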
************************************
On Tue, Mar 14, 2017 at 02:49:49PM +0100, Giorgio Pioda wrote:
> Hi,
>
> in the past I usually used the NIS netblock group
> combined with a temporary switch off of the squid server
> to provide isolated machines for the practical
> IT examinations.
>
> But with the new Firefox policy, switching off squid3
> results in a complete netblock for all the WS and RWS
> since the browser is no longer allowed to get
> direct access to the external network.
>
> Any idea to circumvent the problem? I can imagine
> that a modified client netblock script that blocks
> IP traffic on tjener:80 would be a better fix.
>
> Regards
>
> Giorgio
> --
> Giorgio Pioda - Sysadmin SPSE-Tenero
> Cell +41 79 629 20 63
> Tel +41 58 468 62 48
>
>
--
Giorgio Pioda - Sysadmin SPSE-Tenero
Cell +41 79 629 20 63
Tel +41 58 468 62 48