Re: Re: Nice init script for firewall to force users through squid
Thanks for the input:
It is MIT licensed, which is 100% GPL compatible (you can put it under the
GPL licence, as long as the copyright notice appears), but for such a
short script it is better to have anyone share it - it is no problem to
bundle it with GPL software...
I think loopys are inappropriate here as it is easier for individual
admins to modify the script then.
Actually it is designed for the tjener, but you might have to configure
your router to allow only traffic to and from tjener (this is too router
specific - use a web interface OR connect the tjener via crossover to your
Therefore an init script is the right place (your workstations should not
have any direct net connection for safety)
Comments on the comments:
Loading modules should probably only be done in the 'start' part.
You need to load the modules so you can flush the ipconfig kernel tables-
So you can easily add people with local root access (like the system
consulting firm, etc.) that are not in LDAP to the group root so they don't
have to su.
Why are you accepting gid root, and not uid root?
The netgroup thing:
Too many filters slow down the system. Netgroups are overkill - and the
admins group in LDAP already caused me a headache ...
Actually squid can act as SOCKS proxy as well - then you can monitor,
filter and control the stuff via that.
Only daemons (performance, actually these are system daemons and
protocols like inetd) and root users (you don't want to log yourself out
;) ) should be allowed to bypass it ...
Hope I explained a bit,