Pluggers, I'm wondering if someone can help me understand what I need to do here. I'm not very savvy about firewall rules at all, so the Jack & Jill version of any direction you might offer would be appreciated.
I'm setting up a fairly standard DansGuardian arrangement, with DG listening on 8080 and Squid on 3128. It's a single-machine setup wherein we'll be browsing from the same box that DG and Squid are on. I've been following this tutorial:

http://www.howtoforge.com/squid-proxy-server-on-ubuntu-9.04-server-with-dansguardian-clamav-and-wpad-proxy-auto-detection

I'm on kubuntu 9.10 and am trying to use ufw for the firewall as described. I'm at the point where DG and Squid are both working fine--I can set my browser's proxy settings to use 8080 and (turn off my images to be sure and) type in a naughty url and see the DG "access denied" page. But I can't seem to get the firewall set up so that it allows a local browser to connect to 8080 but not 80, such that they could bypass the filter altogether.

I've tried the ufw rules as suggested in the tutorial:

sudo ufw default DENY
sudo ufw ALLOW 8080
sudo ufw enable

But as I understand it, that prevents only *incoming* requests on the non-8080 ports. You can still go *out* on 80 as usual. I've tried this in addition to the above:

ufw deny out 80

But that blocked everything including the filtered traffic, I'm assuming because squid needs to go out on 80 and no longer can.

I thought of port-forwarding outbound 80 to 8080, but it seems like that would just make a loop: web-browser to 80, 80 to DG on 8080, DG to squid, squid attempts outbound on 80, start all over again.

Another issue of the same sort is squid listening on 3128: if DG needs to talk to squid on 3128, I don't think I can go around blocking 3128 to local requests, but if I don't, what's to keep a browser from using squid as its proxy and bypassing DG altogether? I realize the above lines from the tutorial are aimed at doing that, but since they deny ALL non-8080 incoming requests, why would DG be allowed to talk to 3128 when a browser couldn't?
Okay, I just checked this last one, and something seems weird: even with the "default deny", I can go straight to 3128 as my browser proxy, and it lets me through just fine. I also tried the explicit "ufw deny 3128" as mentioned in the tutorial, and I can still go through 3128 as the browser proxy.

These questions of mine may well reveal my ignorance of firewalls, and there may well be something obvious I'm just not clued in to. Can someone help me understand what's going on and what I need to do?

Thanks,
Brett

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
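The single-box problem described in the post (the browser, DansGuardian and Squid all share one host, so port-based rules cannot tell them apart) is usually solved by matching on the *process owner* rather than the port. Below is an added example, not from the original post or the tutorial: it builds an iptables chain with the "owner" match so that only the DansGuardian process may reach Squid on 3128 and only the Squid process may open outbound 80/443, while any local user may still reach DansGuardian on 8080. It assumes Squid runs as user `proxy` and DansGuardian as user `dansguardian` (the Ubuntu package defaults; verify with `ps -o user= -C squid`), and it only prints the commands unless run with `--apply` as root.

```shell
#!/bin/sh
# Added example (not from the original post). Forces local browsers through
# DansGuardian using iptables "owner" matching, which ufw's port-only rules
# cannot express. Daemon accounts below are assumptions; check them first.
SQUID_USER=${SQUID_USER:-proxy}        # user the squid package runs as (assumed)
DG_USER=${DG_USER:-dansguardian}       # user the dansguardian package runs as (assumed)
CHAIN=dg-force                         # our own chain name (arbitrary)

# The rule set; comment lines explain each decision and are skipped on apply.
filter_rules() {
  cat <<EOF
# loopback 3128: only the DansGuardian process may talk to Squid
-A $CHAIN -o lo -p tcp --dport 3128 -m owner --uid-owner $DG_USER -j ACCEPT
-A $CHAIN -o lo -p tcp --dport 3128 -j REJECT --reject-with tcp-reset
# loopback 8080: every local user may reach DansGuardian
-A $CHAIN -o lo -p tcp --dport 8080 -j ACCEPT
# outbound web: only Squid may open 80/443, so a browser set to "no proxy" fails
-A $CHAIN -p tcp -m multiport --dports 80,443 -m owner --uid-owner $SQUID_USER -j ACCEPT
-A $CHAIN -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
EOF
}

# Full command list: (re)create the chain, load the rules, and jump to it from
# the head of OUTPUT so it is evaluated before ufw's own chains.
install_cmds() {
  echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
  filter_rules | grep -v '^#' | sed 's/^/iptables /'
  echo "iptables -D OUTPUT -j $CHAIN 2>/dev/null || true"
  echo "iptables -I OUTPUT 1 -j $CHAIN"
}

# Dry run prints the commands; pass --apply (as root) to execute them.
if [ "$1" = "--apply" ]; then install_cmds | sh -e; else install_cmds; fi
```

Because the jump is inserted at position 1 of OUTPUT, the chain keeps working after `ufw enable` even though ufw allows outgoing traffic by default; DNS and other ports are untouched, so Squid can still resolve names. The same five rules, written with `-A ufw-before-output` instead of `-A dg-force`, could alternatively be placed in `/etc/ufw/before.rules` so ufw reloads them itself.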
