LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-01-2007, 07:26 AM   #16
rsean
LQ Newbie
 
Registered: Jun 2007
Posts: 15

Rep: Reputation: 0

Quote:
Originally Posted by javaroast
For what it's worth you can find rseans talking about safesquid all over the internet on various forums. Basically with the same "We use safesquid" format. Seems to me to be kind of spammy, but I hope you can contribute in other ways to the forum as well
I would be so glad to do that, but you see, I am not an expert in Linux. I was introduced to SafeSquid by a colleague, who also set it up for me at our office, and is now managed by me. It helped solve a lot of issues that were bugging us. It made me realize that you do not have to be an expert in Linux to make use of it's immense powers. There are so many other poor guys like me, with limited knowledge of Linux, looking for similar solution? Can I, in some way, help them with my experience? That's my only intention. I would seriously like to apologize, if in doing so, I have harmed anyone's feelings.

Regards
 
Old 07-01-2007, 09:48 PM   #17
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
Ok so the
Quote:
ACL CONNECT method CONNECT
you used it in you example to block users from connecting to other https ports and only allow 443 to be access by the network... so i guess this can also be used on other ports?

how come i cant find this technique on all Squid tutorials that i found on the internet...
 
Old 07-02-2007, 02:22 AM   #18
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by SBN
Ok so the you used it in you example to block users from connecting to other https ports and only allow 443 to be access by the network...
Sort of. When we implement this ACL we are saying "deny the CONNECT method to anything that isn't going to port 443". That's what the exclamation mark means, it inverts the match. We do this because we know we don't need CONNECT used for HTTP, only for HTTPS.

Quote:
so i guess this can also be used on other ports?
Yes, if you wanted clients to tunnel through to other ports you could use this. Notice how in a default Squid configuration you have an ACL called "SSL_ports" which lists other ports beside 443 that would need to use CONNECT, such as port 563 (NNTP over SSL) for example.

Quote:
how come i cant find this technique on all Squid tutorials that i found on the internet...
Not sure, but the CONNECT ACL and the rule are part of the default Squid configuration.

Last edited by win32sux; 07-02-2007 at 02:57 AM.
 
Old 07-02-2007, 03:43 AM   #19
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
I find this on 1 website can this also be possible

Quote:
acl block_port port 1234
http_access deny block_port
http_access allow all
 
Old 07-02-2007, 07:59 AM   #20
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by SBN
I find this on 1 website can this also be possible

acl block_port port 1234
http_access deny block_port
http_access allow all
Sure, but that's a default-allow (blacklist) approach, which in the long run is much less practical and effective than a default-deny (whitelist) approach.

Last edited by win32sux; 07-02-2007 at 09:29 AM.
 
Old 07-02-2007, 10:25 AM   #21
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
Speaking of whitelist, in our Squid.conf all sites are whitelisted and i used txt file to store sites that can be accessed. i use this approach:

Quote:
http_access my_network allowedsites
but what about in port how do you whitelist them and allow only those you want. can they be the same approach?
 
Old 07-02-2007, 11:01 AM   #22
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by SBN
but what about in port how do you whitelist them and allow only those you want. can they be the same approach?
When you specify a port for each rule you are already whitelisting. Like in my example:
Code:
http_access allow my_network HTTPS_port allowed_https_sites
http_access allow my_network HTTP_port
http_access deny all
That's basically whitelisting HTTPS_port and HTTP_port, because a connection to any other port would not match either of the allow rules and would therefore run into the deny one. Squid confs should always be whitelist-based IMHO.
 
Old 07-02-2007, 08:30 PM   #23
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
oh ok...

but when you whitelist ports how do you specify a port where squid will listen? in my squid.conf i used 8080 so if i will whitelist ports do i still have to place it in the squid.conf or not?

ex.
Quote:
http_port 8080
http_access allow my_network HTTPS_port allowed_https_sites
http_access allow my_network HTTP_port
http_access deny all
 
Old 07-02-2007, 10:31 PM   #24
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by SBN
but when you whitelist ports how do you specify a port where squid will listen? in my squid.conf i used 8080 so if i will whitelist ports do i still have to place it in the squid.conf or not?
The port Squid listens on doesn't need to be in an ACL. The port ACLs only refer to ports on the destination server. The http_port directive shouldn't be confused with the HTTP_port ACL name I used in my example. If you wish to control who can connect to the port Squid is listening on you'd need to use iptables.

Last edited by win32sux; 07-02-2007 at 10:32 PM.
 
Old 07-02-2007, 10:52 PM   #25
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
ok now everything is clear... i have also checked dansguardian and it seems that some of its capabilites are the same with squid. correct me if im wrong but isnt it that squid can also block sites if its contents contains word like porn, sex...etc..
 
Old 07-02-2007, 11:43 PM   #26
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by SBN
ok now everything is clear... i have also checked dansguardian and it seems that some of its capabilites are the same with squid. correct me if im wrong but isnt it that squid can also block sites if its contents contains word like porn, sex...etc..
Squid is limited to looking for those words in the URL. DansGuardian can look for them anywhere on the web page itself, the actual "content".

Last edited by win32sux; 07-02-2007 at 11:45 PM.
 
Old 07-03-2007, 12:15 AM   #27
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
Ok....

Just one quick question on dansguardian... can it detect file download and deny it if the user or ip is restricted on downloading file? or will it just block the entire site where the file can be downloaded.
 
Old 07-03-2007, 01:51 AM   #28
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by SBN
Just one quick question on dansguardian... can it detect file download and deny it if the user or ip is restricted on downloading file?
Yes.

Quote:
or will it just block the entire site where the file can be downloaded.
No, if you tell DansGuardian to filter .zip files (for example) then http://www.example.net/file.zip would be filtered, while http://www.example.net/ and everything within it will still be accessible, unless they get filtered by another match, such as pornographic content, etc. Oh, and yes, you can specify which IPs the restrictions apply to. Sorry I can't be more specific, it's been a while since I've configured a DansGuardian install.

Last edited by win32sux; 07-03-2007 at 01:53 AM.
 
Old 07-03-2007, 08:13 PM   #29
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
Wow thats cool. do you know any other documentation of dansguardian aside from those doc in the dansguardian website
 
Old 07-03-2007, 11:06 PM   #30
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by SBN
Wow thats cool. do you know any other documentation of dansguardian aside from those doc in the dansguardian website
Not really, although I would imagine there's several howtos on the web.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Linksys WRT54G Access Restrictions pljvaldez Linux - Networking 7 11-13-2006 03:02 AM
Access restrictions in Redhat to connect to the web sadhanandh Linux - Newbie 7 12-11-2003 04:12 AM
User and Group access restrictions? KendersPlace Linux - Security 1 08-20-2003 05:32 PM
How to remove FTP access restrictions goodman Linux - Newbie 4 08-16-2003 06:07 PM
FTP access using root account - restrictions alaerte Linux - Software 7 04-03-2003 01:33 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:12 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration