
Re: Re: Nice init script for firewall to force users through squid



Thanks for the input:
It is MIT licensed, which is 100% GPL compatible (you can put it under the GPL licence, as long as the copyright notice appears), but for such a short script it is better to have anyone share it; it is no problem to bundle it with GPL software... I think loops are inappropriate here, as it is easier for individual admins to modify the script then. Actually it is designed for the tjener, but you might have to configure your router to allow only traffic to and from tjener (this is too router specific; use a web interface OR connect the tjener via crossover to your router). Therefore an init script is the right place (your workstations should not have any direct net connection, for safety).

Comments on the comments:
> Loading modules should probably only be done in the 'start' part.

You need to load the modules so you can flush the ipconfig kernel tables.

> Why are you accepting gid root, and not uid root?
So you can easily add people with local root access (like the system consulting firm, etc.) that are not in LDAP to the group root, so they don't have to su.

The netgroup thing:

Too many filters slow down the system. Netgroups are overkill, and the admins group in LDAP already caused me a headache... Actually squid can act as a SOCKS proxy as well; then you can monitor, filter and control the stuff via that. Only daemons (performance; actually these are system daemons and protocols like inetd) and root users (you don't want to log yourself out ;) ) should be allowed to bypass it...


Hope I explained a bit,

Julian Bangert
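As an added illustration of the design discussed in this message (it is not the script posted in the thread), here is a small init-script skeleton for the main server that lets uid 0, gid 0 and a list of daemon accounts reach the network directly, while every other local user is forced through the local squid proxy. The values are assumptions, not taken from the thread: the upstream interface is eth0, squid listens on 3128 and runs as user "proxy". Setting IPT_DRYRUN=1 prints the iptables commands instead of running them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the script from the original thread. Forces local
# users through squid on the main server ("tjener") by matching the owner
# of outgoing packets: uid 0, gid 0 and listed daemon accounts bypass the
# proxy, everyone else is logged and rejected on the upstream interface.
# Assumed values (not from the original message): eth0, port 3128, "proxy".

WAN="${WAN:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"
DAEMON_UIDS="${DAEMON_UIDS:-proxy}"   # assumed: space-separated daemon accounts
IPT_DRYRUN="${IPT_DRYRUN:-0}"

# Wrapper: in dry-run mode each call prints the command instead of running it,
# so the rule set can be reviewed without root.
ipt() {
    if [ "$IPT_DRYRUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

fw_start() {
    # Module loading belongs only in 'start'; the owner match needs it
    # (xt_owner on newer kernels, ipt_owner on older ones).
    [ "$IPT_DRYRUN" = 1 ] || modprobe xt_owner 2>/dev/null \
        || modprobe ipt_owner 2>/dev/null || true

    ipt -F OUTPUT
    ipt -P OUTPUT DROP

    # Loopback carries the users' connections to squid on $SQUID_PORT,
    # so it stays open; replies to accepted connections are allowed too.
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Root bypasses the proxy by uid; matching gid 0 as well lets a local
    # admin added to the root group bypass it without su'ing.
    ipt -A OUTPUT -o "$WAN" -m owner --uid-owner 0 -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -m owner --gid-owner 0 -j ACCEPT

    # Squid itself (and any other listed daemon account) talks to the outside.
    for u in $DAEMON_UIDS; do
        ipt -A OUTPUT -o "$WAN" -m owner --uid-owner "$u" -j ACCEPT
    done

    # Everything else on the upstream interface is logged, then rejected,
    # so a user who bypasses squid fails fast and leaves a trace in syslog.
    ipt -A OUTPUT -o "$WAN" -j LOG --log-prefix "fw-noproxy: "
    ipt -A OUTPUT -o "$WAN" -j REJECT
}

fw_stop() {
    ipt -F OUTPUT
    ipt -P OUTPUT ACCEPT
}

# init-script dispatch; no argument only defines the functions
case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    "")      : ;;
    *)       echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```

The owner match only applies to locally generated packets (the OUTPUT chain), which is why the script lives on the server and the workstations are kept off the direct route, as the message says. The LOG rule before the REJECT is what gives an admin a syslog line to review when something on the server tries to go around the proxy.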

