Stephen Gloor
2003-Apr-02 05:44 UTC
[Shorewall-users] Blocking access to the net but allowing squid
I thought I had this worked out. I wish to force users on my LAN to use a Squid server to access the Internet.

I am using the Bering LEAF single disk firewall with a standard 2 interface shorewall configuration.

I have modified the line in my policy file

local net ACCEPT

to

local net REJECT

and then put this line in the rules file

ACCEPT 192.168.1.1 net www (obviously 192.168.1.1 is the squid server)

I don't think this is OK as it is not working.

Can anyone suggest a better method? I was thinking maybe I could define a zone squid.

Thanks
Tom Eastep
2003-Apr-02 06:38 UTC
[Shorewall-users] Blocking access to the net but allowing squid
On Wed, 2 Apr 2003, Stephen Gloor wrote:

> I thought I had this worked out. I wish to force users on my LAN to use a
> Squid server to access the Internet.
>
> I am using the Bering LEAF single disk firewall with a standard 2
> interface shorewall configuration.
>
> I have modified the line in my policy file
> local net ACCEPT to
>
> local net REJECT
>
> and then put this line in the rules file
>
> ACCEPT 192.168.1.1 net www (obviously 192.168.1.1 is the squid server)
>
> I don't think this is OK as it is not working.
>

It's not even a valid rule -- I assume that what you really have is:

ACCEPT loc:192.168.1.1 net tcp www

> Can anyone suggest a better method? I was thinking maybe I could define a
> zone squid.
>

I think that your problem is that the local network can't resolve DNS names. You need to add:

ACCEPT loc net udp domain
ACCEPT loc net tcp domain

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep
2003-Apr-02 07:00 UTC
[Shorewall-users] Blocking access to the net but allowing squid
On Wed, 2 Apr 2003, Tom Eastep wrote:

>
> I think that your problem is that the local network can't resolve DNS
> names. You need to add:
>
> ACCEPT loc net udp domain
> ACCEPT loc net tcp domain
>

And you probably need to deal with https as well, depending on whether you are using Squid to forward HTTPS sessions to the net or allowing your local clients to access secure sites directly.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep
2003-Apr-02 07:08 UTC
[Shorewall-users] Blocking access to the net but allowing squid
Another way to attack this problem is:

Policy:

loc net ACCEPT

Rule:

REJECT loc:!192.168.1.1 net tcp www

Note the "!" before the address of the Squid server.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
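The two approaches Tom describes in this thread (a REJECT policy with ACCEPT holes for the Squid host and DNS, versus an ACCEPT policy with a negated REJECT rule), written out as complete policy and rules file fragments. This is an added, constructed example, not configuration from the original posts. The zone names loc and net, the Squid address 192.168.1.1 and the rules themselves come from the thread; the file paths /etc/shorewall/policy and /etc/shorewall/rules are the standard Shorewall locations and are assumed to apply to the Bering LEAF setup, the column headers are only reminders of the whitespace-separated layout the thread's rules use, and the https lines follow Tom's second note. The net/all lines reproduce the usual two-interface defaults and are assumed.

```text
# ===== Approach 1: deny loc->net by default, open only what Squid needs =====

# /etc/shorewall/policy (assumed path)
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    REJECT   info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules (assumed path)
# Rules are evaluated before the policy, so these are the only loc->net holes.
#ACTION   SOURCE             DEST   PROTO   DEST PORT(S)
ACCEPT    loc:192.168.1.1    net    tcp     www        # only the Squid host may fetch HTTP
ACCEPT    loc:192.168.1.1    net    tcp     https      # only if Squid forwards HTTPS (CONNECT)
#ACCEPT   loc                net    tcp     https      # instead, if clients reach HTTPS sites directly
ACCEPT    loc                net    udp     domain     # without these the LAN cannot resolve names
ACCEPT    loc                net    tcp     domain

# ===== Approach 2: allow loc->net, refuse web from everything but Squid =====

# /etc/shorewall/policy (assumed path)
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules (assumed path)
# "!" negates the source: every loc host except the Squid server is refused.
#ACTION   SOURCE              DEST   PROTO   DEST PORT(S)
REJECT    loc:!192.168.1.1    net    tcp     www
REJECT    loc:!192.168.1.1    net    tcp     https     # drop this line if clients may use HTTPS directly
```

Approach 1 is the tighter of the two: a LAN host can only reach the Internet through the holes listed, so a client configured to bypass the proxy gets nothing. Approach 2 only forces web traffic through Squid; every other loc->net protocol is still passed by the ACCEPT policy, which is fine if that is what the network is meant to allow, but it is not a proxy-only network. In either case the DNS lines are what keep browsers on the LAN from hanging on name resolution, which is the symptom the original poster reports.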