Hello

I'm trying to setup tinyproxy and shorewall on a LEAF Bering firewall. What I'd like to do is block all HTTP connections to the internet on port 80 and 8080 and force users to use port 8888.

So in shorewall/rules I have

ACCEPT loc fw tcp 8888
DROP loc fw tcp 80,8080

The ACCEPT works fine but the DROP does not seem to work. If I don't specify a port in a web browser, I can still surf. Any clues as to what I can try to figure it out?

Thanks in advance,
Minh

------------------------------------------------------------------------------
Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT is a gathering of tech-side developers & brand creativity professionals. Meet the minds behind Google Creative Lab, Visual Complexity, Processing, & iPhoneDevCamp as they present alongside digital heavyweights like Barbarian Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com

Minh Duong wrote:
> Hello I'm trying to setup tinyproxy and shorewall on a LEAF Bering
> firewall. What I'd like to do is block all HTTP connections to the
> internet on port 80 and 8080 and force users to use port 8888.
>
> So in shorewall/rules I have
>
> ACCEPT loc fw tcp 8888
> DROP loc fw tcp 80,8080
>
> The ACCEPT works fine but the DROP does not seem to work. If I
> don't specify a port in a web browser, I can still surf. Any clues
> as to what I can try to figure it out?

The 'DROP' rule needs to be from loc->net, not loc->fw.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

--- On Tue, 5/26/09, Tom Eastep <teastep@shorewall.net> wrote:

> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] Tinyproxy and shorewall setup
> To: minh_duong@yahoo.com, "Shorewall Users" <shorewall-users@lists.sourceforge.net>
> Date: Tuesday, May 26, 2009, 4:14 PM
>
> Minh Duong wrote:
> > Hello I'm trying to setup tinyproxy and shorewall on a LEAF Bering
> > firewall. What I'd like to do is block all HTTP connections to the
> > internet on port 80 and 8080 and force users to use port 8888.
> >
> > So in shorewall/rules I have
> >
> > ACCEPT loc fw tcp 8888
> > DROP loc fw tcp 80,8080
> >
> > The ACCEPT works fine but the DROP does not seem to work. If I
> > don't specify a port in a web browser, I can still surf. Any clues
> > as to what I can try to figure it out?
>
> The 'DROP' rule needs to be from loc->net, not loc->fw.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

Thanks, that fixed it.

Does anyone here use tinyproxy? While the ACCEPT works, it doesn't correctly handle the request. I didn't fully check that out before I emailed yesterday. Does tinyproxy handle it or do I need to setup a forwarding?

DNAT fw:8888 net tcp 80

Thanks,
Minh

Minh Duong wrote:
> --- On Tue, 5/26/09, Tom Eastep <teastep@shorewall.net> wrote:
>
>> From: Tom Eastep <teastep@shorewall.net>
>> Subject: Re: [Shorewall-users] Tinyproxy and shorewall setup
>> To: minh_duong@yahoo.com, "Shorewall Users" <shorewall-users@lists.sourceforge.net>
>> Date: Tuesday, May 26, 2009, 4:14 PM
>>
>> Minh Duong wrote:
>>> Hello I'm trying to setup tinyproxy and shorewall on a LEAF Bering
>>> firewall. What I'd like to do is block all HTTP connections to the
>>> internet on port 80 and 8080 and force users to use port 8888.
>>>
>>> So in shorewall/rules I have
>>>
>>> ACCEPT loc fw tcp 8888
>>> DROP loc fw tcp 80,8080
>>>
>>> The ACCEPT works fine but the DROP does not seem to work. If I
>>> don't specify a port in a web browser, I can still surf. Any clues
>>> as to what I can try to figure it out?
>>
>> The 'DROP' rule needs to be from loc->net, not loc->fw.
>>
>> -Tom
>> --
>> Tom Eastep        \ When I die, I want to go like my Grandfather who
>> Shoreline,         \ died peacefully in his sleep. Not screaming like
>> Washington, USA     \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>
> Thanks, that fixed it.
>
> Does anyone here use tinyproxy? While the ACCEPT works, it doesn't
> correctly handle the request. I didn't fully check that out before I
> emailed yesterday. Does tinyproxy handle it or do I need to setup a
> forwarding?
>
> DNAT fw:8888 net tcp 80

Think -- what does the proxy have to do when it gets a request from a local system?

Answer: It has to establish a separate connection to the remote web site. That is a fw->net connection using tcp port 80.

So you simply need:

ACCEPT fw net tcp 80

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
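
Added example (not part of the original thread, and not Shorewall code): a toy model of zone-pair rule matching that shows why the loc->fw DROP never saw browser traffic and why the proxy needs its own fw->net rule. The default policies in POLICY are assumptions inferred from the symptoms described in the thread, and the function names are hypothetical.

```python
# Added example: toy Shorewall zone-pair matcher; policies are assumptions.

POLICY = {                      # assumed defaults (shorewall/policy)
    ("loc", "net"): "ACCEPT",   # inferred: browsers could surf directly
    ("fw", "net"): "REJECT",    # inferred: proxy could not reach web sites
    ("loc", "fw"): "REJECT",
}

def parse_rules(text):
    """Parse 'ACTION SOURCE DEST PROTO PORTS' lines into tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, proto, ports = line.split()
        rules.append((action, src, dst, proto, {int(p) for p in ports.split(",")}))
    return rules

def verdict(rules, src, dst, proto, port):
    """First matching rule wins; otherwise the zone-pair policy applies."""
    for action, r_src, r_dst, r_proto, r_ports in rules:
        if (r_src, r_dst, r_proto) == (src, dst, proto) and port in r_ports:
            return action
    return POLICY.get((src, dst), "REJECT")

ORIGINAL = """
ACCEPT loc fw tcp 8888
DROP   loc fw tcp 80,8080
"""

CORRECTED = """
ACCEPT loc fw  tcp 8888      # clients -> tinyproxy on the firewall
DROP   loc net tcp 80,8080   # clients may not browse directly
ACCEPT fw  net tcp 80        # tinyproxy -> remote web sites
"""

def report(rules_text):
    rules = parse_rules(rules_text)
    return {
        "browser direct (loc->net:80)": verdict(rules, "loc", "net", "tcp", 80),
        "client to proxy (loc->fw:8888)": verdict(rules, "loc", "fw", "tcp", 8888),
        "proxy outbound (fw->net:80)": verdict(rules, "fw", "net", "tcp", 80),
    }

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, report(text))
```

With the original rules the direct browser connection falls through to the loc->net policy, because a rule written for loc->fw only matches traffic addressed to the firewall itself.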