Re: [gentoo-user] Restricting Firefox website access

2009-01-23 Thread Matt Causey
 When I asked about content filtering a couple of months ago, everyone said
 Squid was rubbish.


Squid is a solid product.  But it has the same benefit as most other
OSS products - flexibility. Flexibility means we can build a really
nifty self-healing scalable solution - or we can make decisions that
cause pain.  /shrug Dunno.  YMMV

--
Matt



Re: [gentoo-user] Restricting Firefox website access

2009-01-17 Thread Alan McKinnon
On Saturday 17 January 2009 07:34:59 Grant wrote:
  That sounds good, how can I do that?
 
  iptables module owner handles that stuff, just man iptables if
  you have any trouble.
 
   iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j
  REJECT

 I brought this to the shorewall list for config advice, but I was told:

 a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
 notion of domains. So filtering by domain is a non-starter.

 b) When referring to packet filters, filtering by user id (e.g., root)
 can only be done for connections originating from the firewall. See man
 shorewall-rules and read about the USER/GROUP column.

 Here was my original request:

 I'd like to restrict the websites one of the computers on my network
 can access in Firefox.  It only needs to access 2 different domain
 names and I don't want it to be able to access any others.  I can
 restrict it at the router if necessary because the router is a Gentoo
 system.

 I think this leaves a squid proxy setup as my only option?

Restrict by source AND destination IP

This requires only that the computer in question has a static IP or a 
permanent lease (so you always know what it is), and you know the IP of the 
web sites to be accessed (dig is a very good friend). Allow these, deny 
everything else to destination port 80.


-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] Restricting Firefox website access

2009-01-17 Thread Peter Humphrey
On Saturday 17 January 2009 06:30:45 Mike Kazantsev wrote:

 And since you're using gentoo you can also pass rsync traffic through
 a proxy. Rsync (as well as wget and lots of other tools) will use the proxy
 automatically if the RSYNC_PROXY (http_proxy/ftp_proxy for other apps,
 lower- and uppercase) env var is set.
 For squid to pass rsync traffic you'll need to specify rsync ports in
 squid.conf, like this:

 acl SSL_ports port 873  # rsync
 acl Safe_ports port 873 # rsync

Another way, of course, is to run rsyncd on one machine on the network, and 
point the other machines to it for emerge --sync. This is getting a bit 
off-topic, though.

-- 
Rgds
Peter



Re: [gentoo-user] Restricting Firefox website access

2009-01-17 Thread Stroller


On 17 Jan 2009, at 05:34, Grant wrote:

...
I brought this to the shorewall list for config advice, but I was  
told:


a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
notion of domains. So filtering by domain is a non-starter.
...

I'd like to restrict the websites one of the computers on my network
can access in Firefox.  It only needs to access 2 different domain
names and I don't want it to be able to access any others.


If it's a case of only 2 domains, then the chances are that dumb  
filtering will work ok.


If you allow packets from computer X with a destination port of 80  
only to computers with the IP address 12.154.191.10 then users of  
computer X will be able to access mylittlepony.com freely and also any  
hardcore porn sites also hosted on the same webserver (12.154.191.10).


I have to admit this is probably not the way I'd do it, but WHEN YOU  
WROTE IN ALL CAPITALS, I FELT COMPELLED TO REPLY TO YOU.


When I asked about content filtering a couple of months ago, everyone  
said Squid was rubbish.


Actually, they ignored me. From now on, I will write all my questions  
in BLOCK CAPITALS in order to maximise my responses.


But I had expected Squid + module to be the answer, and no-one  
mentioned it. A couple of clowns mentioned OpenDNS, and DansGuardian  
was the only serious reply I got, so you might want to look at that,  
too.

http://www.gossamer-threads.com/lists/gentoo/user/175114

I really should be implementing this internet filtering this weekend.

Cheers,

Stroller.




Re: [gentoo-user] Restricting Firefox website access

2009-01-17 Thread Grant
 I brought this to the shorewall list for config advice, but I was told:

 a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
 notion of domains. So filtering by domain is a non-starter.
 ...

 I'd like to restrict the websites one of the computers on my network
 can access in Firefox.  It only needs to access 2 different domain
 names and I don't want it to be able to access any others.

 If it's a case of only 2 domains, then the chances are that dumb filtering
 will work ok.

 If you allow packets from computer X with a destination port of 80 only to
 computers with the IP address 12.154.191.10 then users of computer X will be
 able to access mylittlepony.com freely and also any hardcore porn sites also
 hosted on the same webserver (12.154.191.10).

 I have to admit this is probably not the way I'd do it, but WHEN YOU WROTE
 IN ALL CAPITALS, I FELT COMPELLED TO REPLY TO YOU.

I was quoting the other thread.  Guess I should have used [quote][/quote].

- Grant


 When I asked about content filtering a couple of months ago, everyone said
 Squid was rubbish.

 Actually, they ignored me. From now on, I will write all my questions in
 BLOCK CAPITALS in order to maximise my responses.

 But I had expected Squid + module to be the answer, and no-one mentioned it.
 A couple of clowns mentioned OpenDNS, and DansGuardian was the only serious
 reply I got, so you might want to look at that, too.
 http://www.gossamer-threads.com/lists/gentoo/user/175114

 I really should be implementing this internet filtering this weekend.

 Cheers,

 Stroller.



Re: [gentoo-user] Restricting Firefox website access

2009-01-17 Thread Grant
  That sounds good, how can I do that?
 
  iptables module owner handles that stuff, just man iptables if
  you have any trouble.
 
   iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j
  REJECT

 I brought this to the shorewall list for config advice, but I was told:

 a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
 notion of domains. So filtering by domain is a non-starter.

 b) When referring to packet filters, filtering by user id (e.g., root)
 can only be done for connections originating from the firewall. See man
 shorewall-rules and read about the USER/GROUP column.

 Here was my original request:

 I'd like to restrict the websites one of the computers on my network
 can access in Firefox.  It only needs to access 2 different domain
 names and I don't want it to be able to access any others.  I can
 restrict it at the router if necessary because the router is a Gentoo
 system.

 I think this leaves a squid proxy setup as my only option?

 Restrict by source AND destination IP

 This requires only that the computer in question has a static IP or a
 permanent lease (so you always know what it is), and you know the IP of the
 web sites to be accessed (dig is a very good friend). Allow these, deny
 everything else to destination port 80.

That sounds good, but I won't be able to fetch all updates that
portage might want, right?

- Grant



Re: [gentoo-user] Restricting Firefox website access

2009-01-17 Thread Alan McKinnon
On Saturday 17 January 2009 20:12:06 Grant wrote:

  This requires only that the computer in question has a static IP or a
  permanent lease (so you always know what it is), and you know the IP of
  the web sites to be accessed (dig is a very good friend). Allow these,
  deny everything else to destination port 80.

 That sounds good, but I won't be able to fetch all updates that
 portage might want, right?

There's always a wrinkle, isn't there?

I find in real terms that my machines get all their updates from gentoo.org or 
from the gentoo mirror on the ftp server at work. That works for me; if those 
two mirrors both fail, I have problems that a change of GENTOO_MIRRORS will 
not solve. 

Perhaps the same is true of your environment. Failing that, I think you need 
to haul out the big guns, along with the big administration burden, and run 
an http proxy.

-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] Restricting Firefox website access

2009-01-17 Thread Grant
  That sounds good, how can I do that?
 
  iptables module owner handles that stuff, just man iptables if
  you have any trouble.
 
   iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j
  REJECT

 I brought this to the shorewall list for config advice, but I was told:

 a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
 notion of domains. So filtering by domain is a non-starter.

 b) When referring to packet filters, filtering by user id (e.g., root)
 can only be done for connections originating from the firewall. See man
 shorewall-rules and read about the USER/GROUP column.

 Here was my original request:

 I'd like to restrict the websites one of the computers on my network
 can access in Firefox.  It only needs to access 2 different domain
 names and I don't want it to be able to access any others.  I can
 restrict it at the router if necessary because the router is a Gentoo
 system.

 I think this leaves a squid proxy setup as my only option?

 Restrict by source AND destination IP

 This requires only that the computer in question has a static IP or a
 permanent lease (so you always know what it is), and you know the IP of the
 web sites to be accessed (dig is a very good friend). Allow these, deny
 everything else to destination port 80.

 That sounds good, but I won't be able to fetch all updates that
 portage might want, right?

 - Grant

But I could install a wide-open firewall on the system-to-restrict and
use that firewall to restrict website access instead of the router's
firewall.  That way I could consider the user (root, non-root) when
deciding whether or not to allow the 80/443 outbound connection since:

When referring to packet filters, filtering by user id (e.g., root)
can only be done for connections originating from the firewall.

That should restrict website access and allow portage to do its thing.

- Grant
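
An added example, not code from any message in this thread: the plan above
(owner match on the restricted machine itself, root left unmatched so that
portage keeps working) as a small POSIX shell script that generates and applies
the iptables rules. The user name, chain name and addresses are hypothetical;
resolve the two domains first and pass every A record, since the filter allows
addresses, not names.

```shell
#!/bin/sh
# Added example (not from the thread): restrict one user's outbound web access
# on the machine itself with the iptables owner match. Root is never matched,
# so portage (emerge runs as root) keeps fetching from any mirror.
# Hypothetical names: user 'grant', chain WEB_RESTRICT, addresses 192.0.2.x.

# Resolve a domain to all of its IPv4 addresses (every A record, as
# 'dig +short' would list them); an allow rule is per address, not per name.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Print the iptables commands for USER followed by the allowed addresses.
# Only locally generated packets carry an owner, so the hook lives in OUTPUT;
# that is exactly why this cannot be done on the router for another host.
ff_rules() {
    user=$1; shift
    [ $# -gt 0 ] || { echo "ff_rules: need at least one allowed address" >&2; return 1; }
    for ip in "$@"; do
        case $ip in
            ''|*[!0-9./]*) echo "ff_rules: bad address '$ip'" >&2; return 1 ;;
        esac
    done
    echo "iptables -N WEB_RESTRICT"
    echo "iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner $user -j WEB_RESTRICT"
    for ip in "$@"; do
        echo "iptables -A WEB_RESTRICT -d $ip -j ACCEPT"
    done
    # Caveat raised in the thread: anything else hosted on an allowed address
    # is reachable too, because the filter sees addresses, never domain names.
    # REJECT with a reset so the browser fails fast instead of hanging.
    echo "iptables -A WEB_RESTRICT -p tcp -j REJECT --reject-with tcp-reset"
}

# Apply the generated rules (needs root); stops at the first iptables error.
ff_apply() {
    ff_rules "$@" | sh -e
}

# Usage: ff_apply grant $(resolve_v4 www.example.org) $(resolve_v4 www.example.net)
```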



Re: [gentoo-user] Restricting Firefox website access

2009-01-17 Thread Matt Harrison

Alan McKinnon wrote:

On Saturday 17 January 2009 20:12:06 Grant wrote:


This requires only that the computer in question has a static IP or a
permanent lease (so you always know what it is), and you know the IP of
the web sites to be accessed (dig is a very good friend). Allow these,
deny everything else to destination port 80.

That sounds good, but I won't be able to fetch all updates that
portage might want, right?


There's always a wrinkle, isn't there?

I find in real terms that my machines get all their updates from gentoo.org or 
from the gentoo mirror on the ftp server at work. That works for me; if those 
two mirrors both fail, I have problems that a change of GENTOO_MIRRORS will 
not solve. 

Perhaps the same is true of your environment. Failing that, I think you need 
to haul out the big guns, along with the big administration burden, and run 
an http proxy.




I setup my squid proxy probably 5 years ago, I moved the config over 
when I switched to gentoo a couple of years ago, and it still works.


I would say I spend around 10 minutes a year performing admin tasks on 
my (home) squid server.


I just wanted to let it be said that squid doesn't have to be a big burden.

Matt



Re: [gentoo-user] Restricting Firefox website access

2009-01-16 Thread Grant
 That sounds good, how can I do that?

 iptables module owner handles that stuff, just man iptables if
 you have any trouble.

  iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j 
 REJECT

I brought this to the shorewall list for config advice, but I was told:

a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
notion of domains. So filtering by domain is a non-starter.

b) When referring to packet filters, filtering by user id (e.g., root)
can only be done for connections originating from the firewall. See man
shorewall-rules and read about the USER/GROUP column.

Here was my original request:

I'd like to restrict the websites one of the computers on my network
can access in Firefox.  It only needs to access 2 different domain
names and I don't want it to be able to access any others.  I can
restrict it at the router if necessary because the router is a Gentoo
system.

I think this leaves a squid proxy setup as my only option?

- Grant



Re: [gentoo-user] Restricting Firefox website access

2009-01-16 Thread Mike Kazantsev
On Fri, 16 Jan 2009 21:34:59 -0800
Grant emailgr...@gmail.com wrote:

 I think this leaves a squid proxy setup as my only option?

Sorry, I hadn't noticed that there are machines behind the
firewall that need to be restricted, and the aforementioned rule certainly
won't do that.

A Squid setup should certainly be a solid solution to the problem.
It should also save quite a lot of traffic and speed up browsing via a
common cache.

You can actually disable nat on the firewall if there are no specific
software requirements that can't work with an http proxy, which are quite
rare, with the exception of games and p2p software.

And since you're using gentoo you can also pass rsync traffic through
a proxy. Rsync (as well as wget and lots of other tools) will use the proxy
automatically if the RSYNC_PROXY (http_proxy/ftp_proxy for other apps,
lower- and uppercase) env var is set.
For squid to pass rsync traffic you'll need to specify rsync ports in
squid.conf, like this:

acl SSL_ports port 873  # rsync
acl Safe_ports port 873 # rsync

-- 
Mike Kazantsev // fraggod.net
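
An added example, not code from any message in this thread: the squid.conf
whitelist for one restricted host that the messages above describe, emitted by a
shell function, together with a small check that mirrors Squid's dstdomain
matching rule so the list can be verified before deployment. The host address,
domain names and acl names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): a squid.conf whitelist for one
# restricted host, plus a helper that applies Squid's dstdomain matching rule.
# Hypothetical values: host 192.168.1.50, acl names, example domains.

# Squid's dstdomain rule: an entry with a leading dot matches that domain and
# every subdomain; an entry without the dot matches that exact host only.
# Returns 0 when HOST is matched by any of the following entries.
dstdomain_match() {
    host=$1; shift
    for entry in "$@"; do
        case $entry in
            .*) [ "$host" = "${entry#.}" ] && return 0
                case $host in *"$entry") return 0 ;; esac ;;
            *)  [ "$host" = "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

# Emit the squid.conf fragment for HOST and its allowed domains. Put the two
# port acls next to the stock Safe_ports/SSL_ports lines (they must precede
# 'http_access deny !Safe_ports'); the rest goes before 'http_access allow
# localnet' so the host-specific deny wins over the general localnet allow.
squid_whitelist() {
    host=$1; shift
    cat <<EOF
# rsync (emerge --sync via RSYNC_PROXY) tunnels through CONNECT, so port 873
# must be both a safe port and a CONNECT-able one.
acl Safe_ports port 873
acl SSL_ports port 873
acl restricted_host src $host
acl allowed_sites dstdomain $*
# Both acls must match: this host may only reach the listed domains (CONNECT
# for https included); anything else from it is denied before localnet.
http_access allow restricted_host allowed_sites
http_access deny restricted_host
EOF
}

# Usage: squid_whitelist 192.168.1.50 .example.org .example.net
```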




Re: [gentoo-user] Restricting Firefox website access

2009-01-13 Thread Mike Kazantsev
On Tue, 13 Jan 2009 19:33:14 +
Mick michaelkintz...@gmail.com wrote:

 On Sunday 11 January 2009, Mike Kazantsev wrote:
 
  If blocking every possible user is too much trouble or you wish to
  block just firefox, but not wget to http port for _all_ users (not the
  same case as emerge from root) you can write a simple SUID wrapper for
  the firefox binary, which changes the group to a restricted one (but leaves
  uid and home unchanged), 
 
 Is this like creating a symlink to the original FF binary which you have 
 moved 
 somewhere else?  Can you please explain?
 
  then launches the true firefox binary, to which only 
  that group has access.


No, it's not.


Symlinks aren't made for that purpose, and should be treated just like
the object they point to, without messing with anything on the way.
As a rule, symlink permissions should not be changed, and in most cases
it's not supported by OS anyway.

What I mean is a wrapper binary. It can be either a native binary file
(like C compiled into ELF) or a script with SUID interpreter (like suid
perl).

I haven't tried this trick with firefox myself, but I don't see why it
shouldn't work here.


For example:

--- ff_wrapper.c

#include <stdio.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    /* Set group to 'ff-users' (gid = 400, for this example). Running with
     * euid 0 this changes real, effective and saved gid in one call. */
    if (setgid(400) != 0) {
        perror("setgid");
        return 1;
    }

    /* Drop root privileges for good: real, effective and saved uid */
    if (setuid(getuid()) != 0) {
        perror("setuid");
        return 1;
    }

    /* Start real firefox; execv only returns if it failed */
    execv("/usr/bin/_firefox", argv);
    perror("execv");
    return 1;
}

--- ff_wrapper.c


You can compile it with 'gcc ff_wrapper.c -o ff_wrapper'.

Then do:

 mv /usr/bin/{,_}firefox && \
  chown root:ff-users /usr/bin/_firefox && \
  chmod 0750 /usr/bin/_firefox && \
  mv ff_wrapper /usr/bin/firefox && \
  chown root:root /usr/bin/firefox && \
  chmod 6555 /usr/bin/firefox


So firefox can only be launched directly by a specific group (with gid=400
in this example, which should be created for this purpose), and the
wrapper ensures that when typing 'firefox' every user will be launching
it as a member of that group.
After that you can limit this group as you like.

Note that for all this to make sense, no user (firefox user, anyway)
should belong to the aforementioned group, or they'll be able to run
'/usr/bin/_firefox' directly, having effective gid that's written in
passwd (like 'someuser', usually the same as login name with linux).


It's a bit more complicated with the scripts (bash, for example),
because in that case it's an interpreter binary that gets launched
(i.e. /bin/bash, which then just reads the script), so the interpreter
should have suid flag, and that's a huge security gap, since every user
having access to it will be able to abuse root privileges.

There are, however, interpreters like perl, which, granted the suid bit,
will shed all the privileges if the script they're trying to execute
doesn't have the suid bit set on it, but even then there are a whole lot of
things to check, so no one'll be able to abuse the script itself.


-- 
Mike Kazantsev // fraggod.net




Re: [gentoo-user] Restricting Firefox website access

2009-01-13 Thread Mick
On Sunday 11 January 2009, Mike Kazantsev wrote:

 If blocking every possible user is too much trouble or you wish to
 block just firefox, but not wget to http port for _all_ users (not the
 same case as emerge from root) you can write a simple SUID wrapper for
 the firefox binary, which changes the group to a restricted one (but leaves
 uid and home unchanged), 

Is this like creating a symlink to the original FF binary which you have moved 
somewhere else?  Can you please explain?

 then launches the true firefox binary, to which only 
 that group has access.
-- 
Regards,
Mick




Re: [gentoo-user] Restricting Firefox website access

2009-01-10 Thread Peter Humphrey
On Friday 09 January 2009 19:32:15 Grant wrote:

 Does portage use wget over http by default?  Can I change a setting to
 make it use ftp?

$ grep -i wget /etc/make.conf
FETCHCOMMAND="/usr/bin/wget --progress=bar:force -t 2 -T 30 --passive-ftp \${URI} -P \${DISTDIR}"

-- 
Rgds
Peter



Re: [gentoo-user] Restricting Firefox website access

2009-01-10 Thread Matt Causey

 1. Put all your mirror sites in the exception list. This can get tedious as
 some ebuilds list many mirrors for sources

 or

 2. wget using ftp

 or

 3. set up a proxy

 The easiest is #2 by far

 Does portage use wget over http by default?  Can I change a setting to
 make it use ftp?

 - Grant



I think you would do well to set up a squid proxy and block outbound
traffic for the affected machines.  We've had great success with squid
in our environment.  This gives you a tremendous amount of flexibility
on your access control, and it means you don't have to be concerned
about which transport methods are used when updating/installing.
An added bonus is that squid caches your Gentoo download objects.

--
Matt



Re: [gentoo-user] Restricting Firefox website access

2009-01-10 Thread Grant
  You could use iptables to block all traffic headed to port 80 with
  exceptions for the domains you need.

 Would that cause problems with fetching packages for emerges?

 - Grant


 Why not just put a limit on traffic from/to a specific user
 account(s) or groups, leaving root unrestricted?

 Makes sense, since root would be able to lift any restriction, anyway ;)

That sounds good, how can I do that?

- Grant



Re: [gentoo-user] Restricting Firefox website access

2009-01-10 Thread Grant
 1. Put all your mirror sites in the exception list. This can get tedious as
 some ebuilds list many mirrors for sources

 or

 2. wget using ftp

 or

 3. set up a proxy

 The easiest is #2 by far

 Does portage use wget over http by default?  Can I change a setting to
 make it use ftp?

 - Grant



 I think you would do well to set up a squid proxy and block outbound
 traffic for the affected machines.  We've had great success with squid
 in our environment.  This gives you a tremendous amount of flexibility
 on your access control, and it means you don't have to be concerned
 about which transport methods are used when updating/installing.
 An added bonus is that squid caches your Gentoo download objects.

Is that tough to set up?  I would think an iptables solution would be
easier, but maybe that won't work out.

- Grant



Re: [gentoo-user] Restricting Firefox website access

2009-01-10 Thread Matt Causey


 I think you would do well to set up a squid proxy and block outbound
 traffic for the affected machines.  We've had great success with squid
 in our environment.  This gives you a tremendous amount of flexibility
 on your access control, and it means you don't have to be concerned
 about which transport methods are used when updating/installing.
 An added bonus is that squid caches your Gentoo download objects.

 Is that tough to set up?  I would think an iptables solution would be
 easier, but maybe that won't work out.


Well, you'll end up using iptables anyway, right?  If you really want
to -force- folks to get out through a proxy, that is.  Since you
mention that the router is a gentoo box, it should be an easy one.

Tough to set up Squid? Naw.  Of course, it's like most things, we don't
know much about your network or the scope of your requirements.  For
our use case, we needed the following:

-forced access through the proxy
-website URL blacklisting and custom redirection based on massive regex lists
--Automated notification on certain 'violations'
-user account login to the proxy before internet access
-username tied to all proxy logs
-'manager' access to log data via nifty graphs on a web server

So, ours took some time.  :)

Ya, I know these folks were uuber paranoid, and wanted the ability to
nab folks for what they felt like was inappropriate internet usage...
Anyway your situation sounds much simpler.  So simple in fact that
just a few tweaks to the default squid.conf can provide you with a
functional config.

There are heaps of doco out there on configuring Squid, so you should
have a look and see what you think.  You can easily get a little test
proxy going on a desktop or laptop to try it out.  :-)

Hope this helps!

--
Matt



Re: [gentoo-user] Restricting Firefox website access

2009-01-10 Thread Mike Kazantsev
On Sat, 10 Jan 2009 09:48:10 -0800
Grant emailgr...@gmail.com wrote:

 That sounds good, how can I do that?

iptables module owner handles that stuff, just man iptables if
you have any trouble.

 iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT

Alternatively, you can use a numeric uid or match a user group:

 iptables -A OUTPUT -m owner --gid-owner users -m tcp --dport http -j REJECT

As simple as that ;)

If blocking every possible user is too much trouble or you wish to
block just firefox, but not wget to http port for _all_ users (not the
same case as emerge from root) you can write a simple SUID wrapper for
the firefox binary, which changes the group to a restricted one (but leaves
uid and home unchanged), then launches the true firefox binary, to which only
that group has access.

-- 
Mike Kazantsev // fraggod.net




Re: [gentoo-user] Restricting Firefox website access

2009-01-10 Thread Grant
 Grant emailgr...@gmail.com wrote:

 That sounds good, how can I do that?

 iptables module owner handles that stuff, just man iptables if
 you have any trouble.

  iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j 
 REJECT

 Alternatively, you can use a numeric uid or match a user group:

  iptables -A OUTPUT -m owner --gid-owner users -m tcp --dport http -j REJECT

 As simple as that ;)

 If blocking every possible user is too much trouble or you wish to
 block just firefox, but not wget to http port for _all_ users (not the
 same case as emerge from root) you can write a simple SUID wrapper for
 the firefox binary, which changes the group to a restricted one (but leaves
 uid and home unchanged), then launches the true firefox binary, to which only
 that group has access.

 --
 Mike Kazantsev // fraggod.net

Thanks Mike, that sounds like exactly what I should do.

- Grant



Re: [gentoo-user] Restricting Firefox website access

2009-01-09 Thread Grant
 You could use iptables to block all traffic headed to port 80 with
 exceptions for the domains you need.

Would that cause problems with fetching packages for emerges?

- Grant



Re: [gentoo-user] Restricting Firefox website access

2009-01-09 Thread Alan McKinnon
On Friday 09 January 2009 20:40:33 Grant wrote:
  You could use iptables to block all traffic headed to port 80 with
  exceptions for the domains you need.

 Would that cause problems with fetching packages for emerges?

If you wget your packages using http, then yes. You could then:

1. Put all your mirror sites in the exception list. This can get tedious as 
some ebuilds list many mirrors for sources

or

2. wget using ftp

or

3. set up a proxy

The easiest is #2 by far

-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] Restricting Firefox website access

2009-01-09 Thread Grant
  You could use iptables to block all traffic headed to port 80 with
  exceptions for the domains you need.

 Would that cause problems with fetching packages for emerges?

 If you wget your packages using http, then yes. You could then:

 1. Put all your mirror sites in the exception list. This can get tedious as
 some ebuilds list many mirrors for sources

 or

 2. wget using ftp

 or

 3. set up a proxy

 The easiest is #2 by far

Does portage use wget over http by default?  Can I change a setting to
make it use ftp?

- Grant



Re: [gentoo-user] Restricting Firefox website access

2009-01-09 Thread Kyle Bader
 Does portage use wget over http by default?  Can I change a setting to
 make it use ftp?

Use an ftp:// mirror?

(correct me if I'm wrong)

-Kyle



Re: [gentoo-user] Restricting Firefox website access

2009-01-09 Thread Nick Cunningham
2009/1/9 Kyle Bader kyle.ba...@gmail.com

  Does portage use wget over http by default?  Can I change a setting to
  make it use ftp?

 Use an ftp:// mirror?

 (correct me if I'm wrong)

 -Kyle


While that would work for the basic gentoo mirrors, there are a number of
packages that point to sites like sourceforge that may cause you problems.

- Nick


Re: [gentoo-user] Restricting Firefox website access

2009-01-09 Thread Alan McKinnon
On Friday 09 January 2009 21:32:15 Grant wrote:
   You could use iptables to block all traffic headed to port 80 with
   exceptions for the domains you need.
 
  Would that cause problems with fetching packages for emerges?
 
  If you wget your packages using http, then yes. You could then:
 
  1. Put all your mirror sites in the exception list. This can get tedious
  as some ebuilds list many mirrors for sources
 
  or
 
  2. wget using ftp
 
  or
 
  3. set up a proxy
 
  The easiest is #2 by far

 Does portage use wget over http by default?  Can I change a setting to
 make it use ftp?

Just give GENTOO_MIRRORS a usable ftp:// url in make.conf

There's nothing you can do about http URLs that might be in ebuilds. Those are 
hardcoded and emerge will tell wget to use those exact URLs.

-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] Restricting Firefox website access

2009-01-09 Thread Mike Kazantsev
On Fri, 9 Jan 2009 10:40:33 -0800
Grant emailgr...@gmail.com wrote:

  You could use iptables to block all traffic headed to port 80 with
  exceptions for the domains you need.
 
 Would that cause problems with fetching packages for emerges?
 
 - Grant
 

Why not just put a limit on traffic from/to a specific user
account(s) or groups, leaving root unrestricted?

Makes sense, since root would be able to lift any restriction, anyway ;)

-- 
Mike Kazantsev // fraggod.net




Re: [gentoo-user] Restricting Firefox website access

2009-01-08 Thread Kyle Bader
You could use iptables to block all traffic headed to port 80 with
exceptions for the domains you need.

-- 
kyle.ba...@gmail.com



Re: [gentoo-user] Restricting Firefox website access

2009-01-07 Thread Paul Hartman
On Wed, Jan 7, 2009 at 3:44 PM, Grant emailgr...@gmail.com wrote:
 I'd like to restrict the websites one of the computers on my network
 can access in Firefox.  It only needs to access 2 different domain
 names and I don't want it to be able to access any others.  I can
 restrict it at the router if necessary because the router is a Gentoo
 system.  Does anyone have suggestions on this?

You could perhaps install a proxy on the local machine and set it up
only to allow access to whitelisted sites. There might be some kind of
kiosk-type firefox add-ons to disallow people from making changes to
the settings, etc.

Paul