[Ldsoss] Internet Filter

Kyle Mathews mathews.kyle at gmail.com
Thu Jan 4 16:16:53 EST 2007


Another option is Smoothwall <http://www.smoothwall.org/>.  It is a complete
Linux firewall. Among the different packages it includes is DansGuardian.
You can download a VMware image to try it out from the "get" section.

Kyle Mathews

On 1/4/07, Shawn Willden <shawn-ldsoss at willden.org> wrote:
>
> On Wednesday 03 January 2007 19:26, Gary Thornock wrote:
> > The first thought that came to mind was to use transparent
> > proxy-style firewall rules, but then I wondered, given that the
> > browser and the proxy would be running on the same machine,
> > whether iptables could distinguish between an outbound request
> > from the proxy and an outbound request (on the same port) from a
> > browser.  I'm fairly sure I could get pf to do it, but I'm less
> > familiar with iptables.
>
> iptables can do it by looking at the uid of the process requesting the
> outbound connection.
>
> Another approach which is supported only in recent, non-SMP Linux
> kernels is matching on process command name.  It should be possible
> with that to transparently proxy every connection from FF (and any
> other specific browser), regardless of port.
>
> With a bit of coding, it could also be done very flexibly with
> userspace queuing.  An iptables rule would route everything to a
> netlink queue, where a userspace program could examine it.  If it
> should be transparently proxied, the netlink client would mark it and,
> finally, another iptables rule would implement the transparent
> proxying of marked packets.
>
> Those are all the ways I can think of.  Does pf have others?
>
> > The other option is to configure the browser such that it always
> > uses the proxy and the user can't disable it (probably using a
> > lockPref statement in /usr/lib/firefox/firefox.cfg).
>
> I think this is actually better than simply transparently proxying
> port 80 anyway, since it prevents the user from using an anonymizing
> proxy on a different port that wouldn't have been transparently
> proxied.  I found a FF extension that makes doing that very easy,
> specifically to bypass web filtering.
>
>         Shawn.
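Added example, not part of the original messages: a sketch of the uid-based approach mentioned in the quoted reply, where the filtering proxy runs under its own account and the iptables owner match exempts only that account from the redirect. The account name `proxy`, the listening port 8080 and the chain name WEBFILTER are assumptions; substitute the values from your own proxy setup.

```shell
#!/bin/sh
# Added example. Assumed values: the filtering proxy runs as $PROXY_USER
# and listens locally on $PROXY_PORT; WEBFILTER is a made-up chain name.
PROXY_USER="${PROXY_USER:-proxy}"
PROXY_PORT="${PROXY_PORT:-8080}"
CHAIN="WEBFILTER"

# Print the rule set, one iptables command per line, so it can be
# reviewed before anything is changed. Order matters: the uid exemption
# must precede the REDIRECT, or the proxy's own upstream requests would
# be redirected back into the proxy and loop.
webfilter_rules() {
    cat <<EOF
iptables -t nat -N $CHAIN
iptables -t nat -A $CHAIN -m owner --uid-owner $PROXY_USER -j RETURN
iptables -t nat -A $CHAIN -d 127.0.0.0/8 -j RETURN
iptables -t nat -A $CHAIN -p tcp -j REDIRECT --to-ports $PROXY_PORT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j $CHAIN
EOF
}

# Apply the rules (needs root). Refuses to start if the proxy account
# does not exist, and stops at the first failing command so a missing
# exemption is never followed by an active redirect.
webfilter_apply() {
    id -u "$PROXY_USER" >/dev/null 2>&1 || {
        echo "no such user: $PROXY_USER" >&2
        return 1
    }
    webfilter_rules | while read -r rule; do
        $rule || exit 1
    done
}

# Run as "sh webfilter.sh apply" to install; with no argument, nothing
# is changed and the functions are only defined.
if [ "${1:-}" = "apply" ]; then
    webfilter_apply
fi
```

Only locally generated traffic to port 80 is covered, so a proxy reachable on another port is not redirected, which is the limitation raised in the quoted reply.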