When I asked about content filtering a couple of months ago, everyone said
Squid was rubbish.
Squid is a solid product. But it has the same benefit as most other
OSS products - flexibility. Flexibility means we can build really
nifty self-healing scalable solutions - or we can make
On Saturday 17 January 2009 07:34:59 Grant wrote:
That sounds good, how can I do that?
iptables module owner handles that stuff, just man iptables if
you have any trouble.
iptables -A OUTPUT -m owner --uid-owner someuser -p tcp -m tcp --dport http -j REJECT
I brought this to the
On Saturday 17 January 2009 06:30:45 Mike Kazantsev wrote:
And since you're using gentoo you can also pass rsync traffic through
a proxy. Rsync (as well as wget and lots of other tools) will use proxy
automatically if RSYNC_PROXY (http_proxy/ftp_proxy for other apps,
lower- and uppercase) env
On 17 Jan 2009, at 05:34, Grant wrote:
...
I brought this to the shorewall list for config advice, but I was
told:
a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
notion of domains. So filtering by domain is a non-starter.
...
I'd like to restrict the websites one of the
I brought this to the shorewall list for config advice, but I was told:
a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
notion of domains. So filtering by domain is a non-starter.
...
I'd like to restrict the websites one of the computers on my network
can access in
That sounds good, how can I do that?
iptables module owner handles that stuff, just man iptables if
you have any trouble.
iptables -A OUTPUT -m owner --uid-owner someuser -p tcp -m tcp --dport http -j REJECT
I brought this to the shorewall list for config advice, but I was told:
a)
On Saturday 17 January 2009 20:12:06 Grant wrote:
This requires only that the computer in question has a static IP or a
permanent lease (so you always know what it is), and you know the IP of
the web sites to be accessed (dig is a very good friend). Allow these,
deny everything else to
That sounds good, how can I do that?
iptables module owner handles that stuff, just man iptables if
you have any trouble.
iptables -A OUTPUT -m owner --uid-owner someuser -p tcp -m tcp --dport http -j REJECT
I brought this to the shorewall list for config advice, but I was told:
a)
Alan McKinnon wrote:
On Saturday 17 January 2009 20:12:06 Grant wrote:
This requires only that the computer in question has a static IP or a
permanent lease (so you always know what it is), and you know the IP of
the web sites to be accessed (dig is a very good friend). Allow these,
deny
That sounds good, how can I do that?
iptables module owner handles that stuff, just man iptables if
you have any trouble.
iptables -A OUTPUT -m owner --uid-owner someuser -p tcp -m tcp --dport http -j REJECT
I brought this to the shorewall list for config advice, but I was told:
a) NO
On Fri, 16 Jan 2009 21:34:59 -0800
Grant emailgr...@gmail.com wrote:
I think this leaves a squid proxy setup as my only option?
Sorry, I haven't noticed the fact that there are machines behind the
firewall that need to be restricted, and aforementioned rule certainly
won't do that.
Squid setup
On Tue, 13 Jan 2009 19:33:14 +
Mick michaelkintz...@gmail.com wrote:
On Sunday 11 January 2009, Mike Kazantsev wrote:
If blocking every possible user is too much trouble or you wish to
block just firefox, but not wget to http port for _all_ users (not the
same case as emerge from
On Sunday 11 January 2009, Mike Kazantsev wrote:
If blocking every possible user is too much trouble or you wish to
block just firefox, but not wget to http port for _all_ users (not the
same case as emerge from root) you can write a simple SUID wrapper for
firefox binary, which changes group
On Friday 09 January 2009 19:32:15 Grant wrote:
Does portage use wget over http by default? Can I change a setting to
make it use ftp?
$ grep -i wget /etc/make.conf
FETCHCOMMAND=/usr/bin/wget --progress=bar:force -t 2 -T 30 --passive-ftp \${URI} -P \${DISTDIR}
--
Rgds
Peter
1. Put all your mirror sites in the exception list. This can get tedious as
some ebuilds list many mirrors for sources
or
2. wget using ftp
or
3. set up a proxy
The easiest is #2 by far
Does portage use wget over http by default? Can I change a setting to
make it use ftp?
-
You could use iptables to block all traffic headed to port 80 with
exceptions for the domains you need.
Would that cause problems with fetching packages for emerges?
- Grant
Why not just put a limit on traffic from/to a specific user
account(s) or groups, leaving root unrestricted?
1. Put all your mirror sites in the exception list. This can get tedious as
some ebuilds list many mirrors for sources
or
2. wget using ftp
or
3. set up a proxy
The easiest is #2 by far
Does portage use wget over http by default? Can I change a setting to
make it use ftp?
- Grant
I think you would do well to set up a squid proxy and block outbound
traffic for the affected machines. We've had great success with squid
in our environment. This gives you a tremendous amount of flexibility
on your access control, and it means you don't have to be concerned
about which
On Sat, 10 Jan 2009 09:48:10 -0800
Grant emailgr...@gmail.com wrote:
That sounds good, how can I do that?
iptables module owner handles that stuff, just man iptables if
you have any trouble.
iptables -A OUTPUT -m owner --uid-owner someuser -p tcp -m tcp --dport http -j REJECT
Alternatively, you
Grant emailgr...@gmail.com wrote:
That sounds good, how can I do that?
iptables module owner handles that stuff, just man iptables if
you have any trouble.
iptables -A OUTPUT -m owner --uid-owner someuser -p tcp -m tcp --dport http -j REJECT
Alternatively, you can use numeric uid or match
You could use iptables to block all traffic headed to port 80 with
exceptions for the domains you need.
Would that cause problems with fetching packages for emerges?
- Grant
On Friday 09 January 2009 20:40:33 Grant wrote:
You could use iptables to block all traffic headed to port 80 with
exceptions for the domains you need.
Would that cause problems with fetching packages for emerges?
If you wget your packages using http, then yes. You could then:
1. Put all
You could use iptables to block all traffic headed to port 80 with
exceptions for the domains you need.
Would that cause problems with fetching packages for emerges?
If you wget your packages using http, then yes. You could then:
1. Put all your mirror sites in the exception list. This
Does portage use wget over http by default? Can I change a setting to
make it use ftp?
Use an ftp:// mirror?
(correct me if I'm wrong)
-Kyle
2009/1/9 Kyle Bader kyle.ba...@gmail.com
Does portage use wget over http by default? Can I change a setting to
make it use ftp?
Use an ftp:// mirror?
(correct me if I'm wrong)
-Kyle
While that would work for the basic gentoo mirrors, there are a number of
packages that point to sites
On Friday 09 January 2009 21:32:15 Grant wrote:
You could use iptables to block all traffic headed to port 80 with
exceptions for the domains you need.
Would that cause problems with fetching packages for emerges?
If you wget your packages using http, then yes. You could then:
1.
On Fri, 9 Jan 2009 10:40:33 -0800
Grant emailgr...@gmail.com wrote:
You could use iptables to block all traffic headed to port 80 with
exceptions for the domains you need.
Would that cause problems with fetching packages for emerges?
- Grant
Why not just put a limit on traffic
You could use iptables to block all traffic headed to port 80 with
exceptions for the domains you need.
--
kyle.ba...@gmail.com
I'd like to restrict the websites one of the computers on my network
can access in Firefox. It only needs to access 2 different domain
names and I don't want it to be able to access any others. I can
restrict it at the router if necessary because the router is a Gentoo
system. Does anyone have
On Wed, Jan 7, 2009 at 3:44 PM, Grant emailgr...@gmail.com wrote:
I'd like to restrict the websites one of the computers on my network
can access in Firefox. It only needs to access 2 different domain
names and I don't want it to be able to access any others. I can
restrict it at the router