LinuxQuestions.org
Old 08-16-2006, 10:56 PM   #1
TomGibbons
Member
 
Registered: Sep 2003
Location: San Diego, CA
Distribution: Fedora 8 and CentOS 5.1
Posts: 31

Rep: Reputation: 15
Set System Wide Proxy Address


If possible I want to set a proxy address for all users that can only be changed by root. Right now, I'm using IP tables to redirect port 80 traffic to the port that my proxy is running on but I would like to have my proxy run on my server and for my workstations to use that one proxy.

Does anyone have any ideas?
 
Old 08-17-2006, 03:39 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
there is no single system wide proxy on linux, you would set it at a low level for low level apps, like wget using the http_proxy environment variable, but higher up gnome and KDE hold their own details like this in their own configuration service, gconf for gnome.
 
Old 08-17-2006, 05:36 AM   #3
TomGibbons
Member
 
Registered: Sep 2003
Location: San Diego, CA
Distribution: Fedora 8 and CentOS 5.1
Posts: 31

Original Poster
Rep: Reputation: 15
Do you know of any way that I can stop people unsetting their Firefox proxy address?
 
Old 08-17-2006, 06:48 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
no, unless there are suitable lockdown extensions available, but if they unset their proxy, then surely their access should fail due to a firewall blocking them? otherwise you're implying there is a lack of security on your network...?
 
Old 08-17-2006, 07:13 AM   #5
TomGibbons
Member
 
Registered: Sep 2003
Location: San Diego, CA
Distribution: Fedora 8 and CentOS 5.1
Posts: 31

Original Poster
Rep: Reputation: 15
You know, that had slipped my mind - it would be blocked by the firewall. Thanks Chris.
 
Old 08-23-2006, 01:20 PM   #6
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
I am running SmoothWall Express on my firewall, which uses dnsmasq & squid. It seamlessly proxies everyone on the LAN.

At present, I use dnsmasq's blocking capabilities, but that is because it is simpler & therefore less powerful. Eventually, I'll learn squid's more powerful syntax & use that.

Hope this helps.
 
Old 08-23-2006, 02:14 PM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
what are dnsmasq's blocking capabilities? how does a DNS / DHCP server help here?
 
Old 08-23-2006, 06:04 PM   #8
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
dnsmasq blocks in the following ways:
  1. Its hosts file is, in effect, a master hosts for the entire network. No need to duplicate to every box on the LAN.
  2. Its config file, dnsmasq.conf, allows domain by domain blocking w/ a syntax almost as simple as hosts'. (This can be done w/ bind, but I wouldn't call it simple.) -- No need to discover & block each new host (e.g. "ad666.obnoxious_advertiser.ro"), just kill the whole domain w/ 1 line:
    Code:
    address=/obnoxious_advertiser.ru/127.0.0.1
    address=/doubleclick.net/127.0.0.1

If you're asking if there is an advantage to combining DHCP & DNS in 1 server daemon, I haven't noticed it yet. It's just the way dnsmasq was written -- for the firewall "market".

An article: http://www.linux.org/apps/AppId_6060.html
and the Homepage

Sorry I didn't post any links before.
 
Old 08-23-2006, 11:25 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by archtoad6
dnsmasq blocks in the following ways:
  1. Its hosts file is, in effect, a master hosts for the entire network. No need to duplicate to every box on the LAN.
  2. Its config file, dnsmasq.conf, allows domain by domain blocking w/ a syntax almost as simple as hosts'. (This can be done w/ bind, but I wouldn't call it simple.) -- No need to discover & block each new host (e.g. "ad666.obnoxious_advertiser.ro"), just kill the whole domain w/ 1 line:
    Code:
    address=/obnoxious_advertiser.ru/127.0.0.1
    address=/doubleclick.net/127.0.0.1

If you're asking if there is an advantage to combining DHCP & DNS in 1 server daemon, I haven't noticed it yet. It's just the way dnsmasq was written -- for the firewall "market".

An article: http://www.linux.org/apps/AppId_6060.html
and the Homepage

Sorry I didn't post any links before.
still, not only is that an ineffective way to filter web usage, it also has nothing to do with enforcing proxy server usage - which is the thread's topic...

Last edited by win32sux; 08-24-2006 at 12:06 AM.
 
Old 08-24-2006, 01:48 AM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Quote:
Originally Posted by archtoad6
dnsmasq blocks in the following ways:
  1. Its hosts file is, in effect, a master hosts for the entire network. No need to duplicate to every box on the LAN.
  2. Its config file, dnsmasq.conf, allows domain by domain blocking w/ a syntax almost as simple as hosts'. (This can be done w/ bind, but I wouldn't call it simple.) -- No need to discover & block each new host (e.g. "ad666.obnoxious_advertiser.ro"), just kill the whole domain w/ 1 line:
    Code:
    address=/obnoxious_advertiser.ru/127.0.0.1
    address=/doubleclick.net/127.0.0.1

If you're asking if there is an advantage to combining DHCP & DNS in 1 server daemon, I haven't noticed it yet. It's just the way dnsmasq was written -- for the firewall "market".

An article: http://www.linux.org/apps/AppId_6060.html
and the Homepage

Sorry I didn't post any links before.
i've been using dnsmasq myself for a long time, one nice benefit is that it integrates dhcp leases and dns instantly by default, no complex trust keys with dhcpd and bind... but that's only a "block" from the reason you are doing those commands, it's actually just using dnsmasq's standard dns configurations and plain lying about an address... not exactly ideal. one thing that may be relevant in this situation is whether you actually do wish to provide global dns to the internal clients by default. if their web access needs to be via a proxy then they don't need to resolve those names...

Last edited by acid_kewpie; 08-24-2006 at 01:50 AM.
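
The firewall enforcement that posts #4 and #10 point to, as an added example that is not part of any post in this thread: a script that prints an iptables-restore ruleset under which only the proxy host may forward web and DNS traffic, so a workstation that unsets its browser proxy simply loses web access. It assumes the proxy runs on a LAN host separate from the gateway; the interface `eth1` and the address `192.168.1.10` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset for
# the LAN gateway so that only the proxy host can reach web servers directly.
# Interface name and addresses below are constructed placeholders.

is_ipv4() {
    # Only digits and dots, no empty fields, four octets, each 0-255.
    case $1 in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

gen_proxy_only_rules() {
    lan_if=$1 proxy_ip=$2
    # Refuse anything that could smuggle extra rule text into the output.
    case $lan_if in ''|-*|*[!A-Za-z0-9._-]*)
        echo "bad interface name" >&2; return 1 ;;
    esac
    is_ipv4 "$proxy_ip" || { echo "bad proxy address" >&2; return 1; }
    web="-p tcp -m multiport --dports 80,443"
    # Workstations get no forwarded web or DNS traffic: the proxy fetches
    # pages and resolves names on their behalf. Direct attempts are logged.
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -s $proxy_ip $web -j ACCEPT
-A FORWARD -i $lan_if -s $proxy_ip -p udp --dport 53 -j ACCEPT
-A FORWARD -i $lan_if -s $proxy_ip -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $lan_if $web -j LOG --log-prefix "direct-web-denied: "
-A FORWARD -i $lan_if $web -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Review the output, then load it on the gateway with iptables-restore
# (that replaces the whole filter table).
gen_proxy_only_rules eth1 192.168.1.10
```

The `direct-web-denied: ` log prefix gives a simple signal for spotting workstations whose proxy setting has been removed.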
 
  

