I tried doing this with shorewall, for my family's LTSP setup, but had some problems because there is no fw2fw support. It's now in my /etc/shorewall/start file. Just in case anyone's interested...

P.S. - Not a subscriber, so please copy any replies to me.

### Modify Shorewall to allow secure transparent proxying through
# Dansguardian

# Kids can't access port 80 or the squid port, to avoid
# short-circuiting DansGuardian
iptables -I OUTPUT -p tcp --dport 80 -m owner --gid-owner kids -j DROP
iptables -I OUTPUT -p tcp --dport 3128 -m owner --gid-owner kids -j DROP

# Transparent proxying, with connects from squid just accepted without
# natting
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8080

# This is the old shorewall/rules stuff, which wasn't able to do the
# job. Transparent proxying through Dansguardian, only works for
# connections from other than localhost because iptables can't tell
# Squid apart from original browser
#REDIRECT loc 8080 tcp 80

# The kids are prevented from connecting directly to remote HTTP
# servers. A dedicated iptables rule in "start" prevents connections
# directly to Squid without DansGuardian in the way
#REJECT fw net tcp 80 - - #- :kids
On Saturday 24 January 2004 11:17 pm, Ed Suominen wrote:

> I tried doing this with shorewall, for my family's LTSP setup, but had
> some problems because there is no fw2fw support. It's now in my
> /etc/shorewall/start file. Just in case anyone's interested...
>
> P.S. - Not a subscriber, so please copy any replies to me.

And I will *not* implement any fw->fw filtering. For that, using an extension script such as Ed has done is fine.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Sunday 25 January 2004 07:49 am, Tom Eastep wrote:

> On Saturday 24 January 2004 11:17 pm, Ed Suominen wrote:
> > I tried doing this with shorewall, for my family's LTSP setup, but had
> > some problems because there is no fw2fw support. It's now in my
> > /etc/shorewall/start file. Just in case anyone's interested...
> >
> > P.S. - Not a subscriber, so please copy any replies to me.
>
> And I will *not* implement any fw->fw filtering. For that, using an
> extension script such as Ed has done is fine.

The more I think about this, the more I believe that Ed may have a good case for fw->fw filtering. I have always objected to fw->fw filtration on two grounds:

a) It makes it incredibly easy for newbies to shoot themselves in the foot.

b) Controlling what connections the firewall can make to itself always seemed rather silly to me.

Ed has given us a valid reason for controlling fw->fw connections. And hopefully, the use of Linux for the "family PC" will expand in the future.

So that leaves my first objection. Maybe with large threatening warnings all over the place, we can control the damage that people will try to inflict upon themselves.

I'll add this to the 2.0 new feature list.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Sunday 25 January 2004 08:50 am, Tom Eastep wrote:

>
> Ed has given us a valid reason for controlling fw->fw connections. And
> hopefully, the use of Linux for the "family PC" will expand in the future.
>
> So that leaves my first objection. Maybe with large threatening warnings
> all over the place, we can control the damage that people will try to
> inflict upon themselves.
>
> I'll add this to the 2.0 new feature list.
>

Note though that what Ed is doing is more than just controlling fw->fw traffic:

a) He is using the owner match extension in a REDIRECT rule. Shorewall only supports using that extension in a DROP, REJECT, ACCEPT or LOG rule.

b) He is using the ACCEPT target in the nat table -- Shorewall never does that.

So meeting Ed's requirements requires more than just the ability to control fw->fw traffic.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Hi All,

Is there a way to quickly refresh the accounting rules without messing with the firewall rules? My scenario is below:

I'm using shorewall to manage a few hundred users. I'm using accounting to keep track of their usage.

Throughout the day as users change IPs and new users come online I want to update the accounting rule. I've got scripts to do all this.

I'd like to run the scripts every 10-20 minutes but the shorewall restart takes a while (adding all the firewall rules and addresses to the interfaces) and during the 10-20 seconds it takes to restart the firewall of course accepts no new connections.

Thanks for any advice
Jon
Jon Booth wrote:

| Throughout the day as users change IPs and new users come online I want to
| update the accounting rule. I've got scripts to do all this.
| I'd like to run the scripts every 10-20 minutes but the shorewall restart
| takes a while (adding all the firewall rules and addresses to the
| interfaces) and during the 10-20 seconds it takes to restart the firewall
| of course accepts no new connections.

There is currently no way to reload just the accounting rules.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote on 27/08/2004 11:04:59:

> Jon Booth wrote:
>
> | I'd like to run the scripts every 10-20 minutes but the shorewall restart
> | takes a while (adding all the firewall rules and addresses to the
> | interfaces) [...]
>
> There is currently no way to reload just the accounting rules.
>

Jon, you could increase your lease time in the dhcpd server. Maybe this would work around that limitation...

cheers,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
On Fri, 27 Aug 2004, Eduardo Ferreira wrote:

> Tom Eastep wrote on 27/08/2004 11:04:59:
>
> > Jon Booth wrote:
> >
> > | I'd like to run the scripts every 10-20 minutes but the shorewall
> > restart
> > | takes a while (adding all the firewall rules and addresses to the
> > | interfaces) [...]
> >
> > There is currently no way to reload just the accounting rules.
> >
> Jon, you could increase your lease time in the dhcpd server. Maybe this
> would work around that limitation...
>
> cheers,
>
> ________________________
> Eduardo Ferreira
> Icatu Holding S.A.
> Supervisor de TI
> (5521) 3804-8606

Thanks guys,

That's a good suggestion Eduardo but unfortunately the addresses are not allocated by DHCP but by the users' choice of filtering options (eg they may want to block users in their office from accessing the net without a proxy). When they change their options their IP changes, and they can change these options at any time.

Thanks
Jon
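Jon's refresh problem, as an added example that is not from this thread and not Shorewall code: instead of a full restart, compute the minimal set of deletions and additions that bring a dedicated accounting chain in line with the current user list, so unchanged rules keep their counters and the firewall never stops accepting connections. The chain name `accounting`, the per-user rule shape `-A accounting -s <ip>/32`, and the sample `iptables -S` output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall code): refresh a
# dedicated accounting chain in place by emitting only the rule
# additions and deletions that are needed. Assumption: a user chain
# named "accounting" holds one counting rule per user of the form
# "-A accounting -s <ip>/32" (no target, so it only counts traffic).

# Constructed sample of "iptables -S accounting" output.
current_rules='-N accounting
-A accounting -s 10.1.0.5/32
-A accounting -s 10.1.0.9/32
-A accounting -s 10.1.0.12/32'

# Constructed sample of the desired user list, one IP per line.
desired_ips='10.1.0.5
10.1.0.12
10.1.0.20'

# plan_accounting_update RULES WANTED
# Prints the iptables commands that reconcile the chain: -D for every
# IP present but no longer wanted, -A for every wanted IP that is
# missing. Nothing is executed here; pipe the output to sh to apply it.
plan_accounting_update() {
    have=$(printf '%s\n' "$1" |
        sed -n 's#^-A accounting -s \([0-9.]*\)/32$#\1#p' | sort -u)
    want=$(printf '%s\n' "$2" | sed '/^$/d' | sort -u)
    for ip in $have; do
        printf '%s\n' "$want" | grep -qxF "$ip" ||
            echo "iptables -D accounting -s $ip/32"
    done
    for ip in $want; do
        printf '%s\n' "$have" | grep -qxF "$ip" ||
            echo "iptables -A accounting -s $ip/32"
    done
}

# Stand-alone run: prints the plan for the constructed sample
# (one deletion for 10.1.0.9, one addition for 10.1.0.20).
plan_accounting_update "$current_rules" "$desired_ips"
```

Rules maintained this way live outside Shorewall's own configuration, so a later `shorewall restart` discards them unless an extension script (such as the /etc/shorewall/start file Ed uses) re-creates the chain.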