Hi all, don't know where to direct this post specifically, so thought I'd start here and if need be someone can redirect me to a more appropriate forum.

We have installed and configured Ubuntu Server 6.04. (There is an issue with 7.04 and the scsi card in the server we are using) We installed and configured Shorewall firewall (current as of 29/8/07, installed by "apt-get install shorewall", so I suspect it is 4.X) and Dansguardian with these instructions from this link:

http://www.branchdistrictlibrary.org/professional/ubuntu_and_dansguardian_page_3.php

With a little bit of extra configuring due to differences in squid versions, we got things running nicely and now the kids at the school we are doing this for are protected from inappropriate material and attacks.

The problem at the moment is that you can go to a web site and that's fine. But if you try to log onto any website, the browser will just sit there (after entering the username and password and pressing enter) and eventually (10 min or more) complain it can't find the server. I suspect that it is a port issue. If you have a look through the instruction from the link I have mentioned, then you'll see that port 443 for https is opened up for use to the net. Do logon pages use another port? If we redirect the browsers to the old proxy, the logon pages are instant, so I'm sure it's a config issue either in shorewall or Ubuntu.

Thanks in advance,
Mike B

On Tue, Oct 16, 2007 at 03:18:46PM +0800, Michael Boughton wrote:
> We have installed and configured Ubuntu Server 6.04. (There is an issue
> with 7.04 and the scsi card in the server we are using) We installed and
> configured Shorewall firewall (current as of 29/8/07, installed by
> "apt-get install shorewall", so I suspect it is 4.X) and Dansguardian
> with these instructions from this link:

Well, AFAIK, based on looking at Ubuntu's website, there was 6.04 release, only a 6.06 release called Dapper Drake. Further, their packages page [0] shows the following:

* dapper (net): Shoreline Firewall (Shorewall) 3.0.4-1: all
* edgy (net): Shoreline Firewall (Shorewall), a high-level tool for configuring Netfilter 3.0.7-1: all
* feisty (net): Shoreline Firewall (Shorewall), a high-level tool for configuring Netfilter 3.2.6-2: all
* gutsy (net): Shoreline Firewall (Shorewall), a high-level tool for configuring Netfilter 3.4.4-1: all

So, if you really are running 6.06, then you are running a version of shorewall that is completely ancient.

> http://www.branchdistrictlibrary.org/professional/ubuntu_and_dansguardian_page_3.php
>
> With a little bit of extra configuring due to differences in squid
> versions, we got things running nicely and now the kids at the school we
> are doing this for are protected from inappropriate material and
> attacks.

Now, this is just a philosophical point (and I say this as someone who does network support for my church and their Christian school), they are not really protected. Or they are actually not totally protected. Make sure that the people in charge of this group or organization understand that nothing is perfect and that stuff can still sneak by.

> The problem at the moment is that you can go to a web site and
> that's fine. But if you try to log onto any website, the browser will
> just sit there (after entering the username and password and pressing
> enter) and eventually (10 min or more) complain it can't find the
> server. I suspect that it is a port issue. If you have a look through
> the instruction from the link I have mentioned, then you'll see that
> port 443 for https is opened up for use to the net. Do logon pages use
> another port? If we redirect the browsers to the old proxy, the logon
> pages are instant, so I'm sure it's a config issue either in shorewall
> or Ubuntu.

It depends. If the login page for a website uses port 443, then you *must* explicitly set your Dan's Guardian machine as a proxy for https. The reason is that https cannot be transparently proxied like regular web traffic.

That's just a guess, but based on your description of the problem, it is where I would start looking.

Regards,

-Roberto

[0] http://packages.ubuntu.com/shorewall

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
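
The point made in the reply above about HTTPS and transparent proxying, as an added example that is not part of the original thread: it shows what an HTTP-only filtering proxy can read from the first bytes of a connection. The parser, function names, hostnames and sample bytes are constructed for illustration and assume a proxy that routes on the HTTP request line and Host header.

```python
"""What an HTTP-only filtering proxy can learn from a connection's first bytes."""


def parse_first_bytes(data: bytes) -> dict:
    """Classify the first client bytes and extract the destination if visible."""
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return {"kind": "tls", "destination": None}
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return {"kind": "unknown", "destination": None}
    method, target, _version = parts
    if method == "CONNECT":
        # Explicitly configured proxy: the browser names host:port in cleartext
        # and only starts TLS after the proxy has opened the tunnel.
        return {"kind": "connect", "destination": target}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"kind": "http", "destination": headers.get("host")}


def transparent_proxy_can_handle(data: bytes) -> bool:
    """A port-redirected HTTP proxy needs a parseable request with a Host header."""
    info = parse_first_bytes(data)
    return info["kind"] == "http" and info["destination"] is not None


# Constructed sample inputs (not captured traffic).
PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
EXPLICIT_HTTPS = (b"CONNECT login.example.org:443 HTTP/1.1\r\n"
                  b"Host: login.example.org:443\r\n\r\n")
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + bytes(45)

if __name__ == "__main__":
    samples = [("redirected port 80", PLAIN_HTTP),
               ("redirected port 443", TLS_CLIENT_HELLO),
               ("browser set to use proxy", EXPLICIT_HTTPS)]
    for label, sample in samples:
        print(label, parse_first_bytes(sample), transparent_proxy_can_handle(sample))
```

With the browser configured to use the proxy, the HTTPS destination arrives in a cleartext CONNECT line; with a port redirect, the proxy receives only the TLS handshake bytes.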

Hi Roberto,

Thanks for such a swift reply. My mistake with the version of Ubuntu, it is 6.06 and not 6.04 as I reported. We installed shorewall with apt-get so I assumed it was installing the latest stable version. Are you saying that different versions of Ubuntu will only install the version of shorewall it was designed with? :)

I understand that nothing is totally protected and that some stuff will sneak by. I run dans at home with smoothwall and every now and then something will sneak in. But at least there is protection for the most part instead of open slather.

Thank-you also for the suggestion on https. I will have a look at this issue further and let you know how I go.

Once again, thanks for the quick and helpful reply.

Regards,
Mike b

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Roberto C. Sánchez
Sent: Tuesday, 16 October 2007 4:14 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Logon page access

On Tue, Oct 16, 2007 at 04:30:58PM +0800, Michael Boughton wrote:
> Hi Roberto,
>
> Thanks for such a swift reply. My mistake with the version of Ubuntu,
> it is 6.06 and not 6.04 as I reported. We installed shorewall with
> apt-get so I assumed it was installing the latest stable version. Are
> you saying that different versions of Ubuntu will only install the
> version of shorewall it was designed with? :)

Yes, that is right. Ubuntu (as a derivative of Debian) usually ships the same version of a package as Debian contains at a particular time. In order to ensure stability, the package versions usually do not change after release, except in the most extenuating circumstances. Especially in the case of Shorewall, which has a very short release cycle and changes often, would these changes be disruptive to administrators who expect their systems to continue behaving in the same way.

> I understand that nothing is totally protected and that some stuff
> will sneak by. I run dans at home with smoothwall and every now and
> then something will sneak in. But at least there is protection for the
> most part instead of open slather.

Sight. As long as you understand that and communicate it to the people for whom you are doing this work. As I said, it was a purely philosophical point. But especially when dealing with non-technical people, I find it important to manage expectations realistically.

> Thank-you also for the suggestion on https. I will have a look at this
> issue further and let you know how I go.
>
> Once again, thanks for the quick and helpful reply.

No problem.

Regards,

-Roberto

P.S. Please don't top post.

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com