08-16-2006, 10:56 PM
|
#1
|
Member
Registered: Sep 2003
Location: San Diego, CA
Distribution: Fedora 8 and CentOS 5.1
Posts: 31
Rep:
|
Set System Wide Proxy Address
If possible I want to set a proxy address for all users that can only be changed by root. Right now, I'm using IP tables to redirect port 80 traffic to the port that my proxy is running on but I would like to have my proxy run on my server and for my workstations to use that one proxy.
Does anyone have any ideas?
|
|
|
08-17-2006, 03:39 AM
|
#2
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
There is no single system-wide proxy on Linux. You would set it at a low level for low-level apps, like wget using the http_proxy environment variable, but higher up GNOME and KDE hold their own details like this in their own configuration service, gconf for GNOME.
|
|
|
08-17-2006, 05:36 AM
|
#3
|
Member
Registered: Sep 2003
Location: San Diego, CA
Distribution: Fedora 8 and CentOS 5.1
Posts: 31
Original Poster
Rep:
|
Do you know of any way that I can stop people unsetting their Firefox proxy address?
|
|
|
08-17-2006, 06:48 AM
|
#4
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
No, unless there are suitable lockdown extensions available, but if they unset their proxy, then surely their access should fail due to a firewall blocking them? Otherwise you're implying there is a lack of security on your network...?
|
|
|
08-17-2006, 07:13 AM
|
#5
|
Member
Registered: Sep 2003
Location: San Diego, CA
Distribution: Fedora 8 and CentOS 5.1
Posts: 31
Original Poster
Rep:
|
You know, that had slipped my mind - it would be blocked by the firewall. Thanks Chris.
|
|
|
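The firewall-side enforcement discussed in posts #4 and #5, as an added example that is not part of the thread: a shell function that prints the iptables commands for the LAN gateway, so that only the proxy host can reach web ports directly and every other workstation is logged and refused. The proxy address 192.168.1.10, the interface eth1, the chain name WEB_EGRESS and the port list 80,443 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): print the iptables commands a LAN gateway
# needs so that only the proxy host may open web connections directly.
# Addresses and interface names used with it are constructed placeholders.

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# proxy_egress_rules PROXY_IP LAN_IF [PORTS]
# Prints rules only; review the output, then run it as root on the gateway.
proxy_egress_rules() {
    proxy_ip=$1; lan_if=$2; ports=${3:-80,443}
    is_ipv4 "$proxy_ip" || { echo "bad proxy address: $proxy_ip" >&2; return 2; }
    case "$lan_if" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $lan_if" >&2; return 2 ;;
    esac
    case "$ports" in
        ''|*[!0-9,]*) echo "bad port list: $ports" >&2; return 2 ;;
    esac
    # RETURN hands the proxy's traffic back to the rest of FORWARD unchanged;
    # everything else arriving here is rate-limit logged and reset.
    cat <<EOF
iptables -N WEB_EGRESS
iptables -A WEB_EGRESS -s $proxy_ip -j RETURN
iptables -A WEB_EGRESS -m limit --limit 6/min -j LOG --log-prefix "direct-web-blocked: "
iptables -A WEB_EGRESS -p tcp -j REJECT --reject-with tcp-reset
iptables -I FORWARD 1 -i $lan_if -p tcp -m multiport --dports $ports -j WEB_EGRESS
EOF
}

# Constructed sample: proxy at 192.168.1.10, workstations behind eth1.
if [ "${1:-}" = "--demo" ]; then
    proxy_egress_rules 192.168.1.10 eth1
fi
```

With these rules in place a browser whose proxy setting has been cleared gets an immediate connection reset, and the gateway log shows which workstation tried.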
08-23-2006, 01:20 PM
|
#6
|
Senior Member
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
|
I am running SmoothWall Express on my firewall, which uses dnsmasq & squid. It seamlessly proxies everyone on the LAN.
At present, I use dnsmasq's blocking capabilities, but that is because it is simpler & therefore less powerful. Eventually, I'll learn squid's more powerful syntax & use that.
Hope this helps.
|
|
|
08-23-2006, 02:14 PM
|
#7
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
What are dnsmasq's blocking capabilities? How does a DNS / DHCP server help here?
|
|
|
08-23-2006, 06:04 PM
|
#8
|
Senior Member
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
|
dnsmasq blocks in the following ways:
- Its hosts file is, in effect, a master hosts for the entire network. No need to duplicate to every box on the LAN.
- Its config file, dnsmasq.conf, allows domain by domain blocking w/ a syntax almost as simple as hosts'. (This can be done w/ bind, but I wouldn't call it simple.) -- No need to discover & block each new host (e.g. "ad666.obnoxious_advertiser.ro"), just kill the whole domain w/ 1 line:
Code:
address=/obnoxious_advertiser.ru/127.0.0.1
address=/doubleclick.net/127.0.0.1
If you're asking if there is an advantage to combining DHCP & DNS in 1 server daemon, I haven't noticed it yet. It's just the way dnsmasq was written -- for the firewall "market".
An article: http://www.linux.org/apps/AppId_6060.html
and the Homepage
Sorry I didn't post any links before.
|
|
|
08-23-2006, 11:25 PM
|
#9
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by archtoad6
dnsmasq blocks in the following ways:
- Its hosts file is, in effect, a master hosts for the entire network. No need to duplicate to every box on the LAN.
- Its config file, dnsmasq.conf, allows domain by domain blocking w/ a syntax almost as simple as hosts'. (This can be done w/ bind, but I wouldn't call it simple.) -- No need to discover & block each new host (e.g. "ad666.obnoxious_advertiser.ro"), just kill the whole domain w/ 1 line:
Code:
address=/obnoxious_advertiser.ru/127.0.0.1
address=/doubleclick.net/127.0.0.1
If you're asking if there is an advantage to combining DHCP & DNS in 1 server daemon, I haven't noticed it yet. It's just the way dnsmasq was written -- for the firewall "market".
An article: http://www.linux.org/apps/AppId_6060.html
and the Homepage
Sorry I didn't post any links before.
|
Still, not only is that an ineffective way to filter web usage, it also has nothing to do with enforcing proxy server usage - which is the thread's topic...
Last edited by win32sux; 08-24-2006 at 12:06 AM.
|
|
|
08-24-2006, 01:48 AM
|
#10
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
Quote:
Originally Posted by archtoad6
dnsmasq blocks in the following ways:
- Its hosts file is, in effect, a master hosts for the entire network. No need to duplicate to every box on the LAN.
- Its config file, dnsmasq.conf, allows domain by domain blocking w/ a syntax almost as simple as hosts'. (This can be done w/ bind, but I wouldn't call it simple.) -- No need to discover & block each new host (e.g. "ad666.obnoxious_advertiser.ro"), just kill the whole domain w/ 1 line:
Code:
address=/obnoxious_advertiser.ru/127.0.0.1
address=/doubleclick.net/127.0.0.1
If you're asking if there is an advantage to combining DHCP & DNS in 1 server daemon, I haven't noticed it yet. It's just the way dnsmasq was written -- for the firewall "market".
An article: http://www.linux.org/apps/AppId_6060.html
and the Homepage
Sorry I didn't post any links before.
|
I've been using dnsmasq myself for a long time; one nice benefit is that it integrates DHCP leases and DNS instantly by default, no complex trust keys with dhcpd and bind... But that's only a "block" from the reason you are doing those commands; it's actually just using dnsmasq's standard DNS configurations and plain lying about an address... not exactly ideal. One thing that may be relevant in this situation is whether you actually do wish to provide global DNS to the internal clients by default. If their web access needs to be via a proxy then they don't need to resolve those names...
Last edited by acid_kewpie; 08-24-2006 at 01:50 AM.
|
|
|