Re: Re: Nice init script for firewall to force users through squid
Thanks for the input:
It is MIT licensed, which is 100% GPL compatible (you can put it under the
GPL licence as long as the copyright notice appears), but for such a
short script it is better to have anyone share it; it is no problem to
bundle it with GPL software...
I think loops are inappropriate here, as it is easier for individual
admins to modify the script then.
Actually it is designed for the tjener, but you might have to configure
your router to allow only traffic to and from tjener (this is too router
specific; use a web interface OR connect the tjener via crossover to your
router).
Therefore an init script is the right place (your workstations should not
have any direct net connection, for safety).
Comments on the comments:
Loading modules should probably only be done in the 'start' part.
You need to load the modules so you can flush the ipconfig kernel tables.
Why are you accepting gid root, and not uid root?
So you can easily add people with local root access (like the system
consulting firm, etc.) that are not in LDAP to the group root, so they don't
have to su.
The netgroup thing:
Too many filters slow down the system. Netgroups are overkill, and the
admins group in LDAP already caused me a headache...
Actually squid can act as a SOCKS proxy as well; then you can monitor,
filter and control the stuff via that.
Only daemons (performance; actually these are system daemons and
protocols like inetd) and root users (you don't want to log yourself out
;) ) should be allowed to bypass it...
Hope I explained a bit,
Julian Bangert
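An added sketch of the design discussed in this thread (not the script from the thread, nor any Skolelinux code): an init script that loads modules only in 'start', flushes the tables, lets group root bypass squid and redirects everyone else. iptables, squid on TCP 3128 and the LAN on eth1 are assumptions.

```shell
#!/bin/sh
# Added sketch, not the script from the thread. Assumptions (hypothetical):
# iptables on the tjener, squid listening on TCP 3128, the LAN on eth1.
SQUID_PORT=3128
LAN_IF=eth1

# Modules are only needed on 'start'; flushing requires the tables to exist.
load_modules() {
    for m in ip_tables iptable_nat ipt_owner ipt_REDIRECT; do
        modprobe "$m" 2>/dev/null || true
    done
}

# Print the rule set instead of running it, so it can be reviewed or tested.
build_rules() {
    cat <<EOF
iptables -t nat -F
iptables -F
# Group root (root daemons and local admins outside LDAP) skips the proxy;
# matching on gid rather than uid is the choice argued in the thread.
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner root -j ACCEPT
# Every other local user on the tjener is sent through squid.
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Workstations have no direct net connection; their web traffic lands in squid.
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
EOF
}

# Number of bypass rules in the set; a quick sanity check before applying.
bypass_rules() {
    build_rules | grep -c -- '-j ACCEPT'
}

case "$1" in
    start) load_modules; build_rules | sh ;;
    stop)  iptables -t nat -F; iptables -F ;;
    *)     build_rules ;;   # no argument: show what 'start' would apply
esac
```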