Re: Nice init script for firewall to force users through squid
On Mon, 07 Jul 2008, Holger Levsen wrote:
> But anyway, I don't think Debian Edu should ship low level firewall scripts
> based on iptables. That's way too complicated and error-prone. Instead I'd
> suggest we use a shorewall based solution.
or "ferm". In ferm the posted rules would look like:
    table filter chain OUTPUT {
        saddr (10.0.0.0/8 192.168.0.0/16 127.0.0.1) ACCEPT;
        owner gid-owner (proxy daemon root admins) ACCEPT;
        owner uid-owner (bind www-data) ACCEPT;
    }
    table filter chain (OUTPUT FORWARD) {
        mod limit limit 1/minute limit-burst 10 ULOG ulog-prefix "rejected";
        proto tcp REJECT reject-with tcp-reset;
        REJECT reject-with icmp-port-unreachable;
    }
I don't like DROP, and the default policy DROP is also not very nice to
admins who work remotely and try to reload their rules. Also, debugging
is a lot simpler with some logs.
ferm also knows functions and stuff like that.
--
Florian Reitmeir
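The following is an added example, not code from the original mail and not part of ferm itself. It expands the posted ferm OUTPUT/FORWARD rules into the iptables commands ferm would emit for them, and then walks the same chain logic against constructed packets, including the token-bucket behaviour of the `limit` match on the log rule, so the effect of the ruleset can be checked before it is loaded into a kernel. The iptables command forms (`-m owner --gid-owner`, `-m limit --limit --limit-burst`, `-j ULOG --ulog-prefix`) are the standard ones; the packet and policy classes, and the user/group names in the test packets, are assumptions for the demonstration.

```python
"""Added example (not from the original mail or from ferm): expand the posted
ferm rules to iptables commands and evaluate the policy against constructed
packets, including the rate limit on the log rule."""
from dataclasses import dataclass
import ipaddress

# Values copied from the posted ferm snippet.
LOCAL_NETS = ["10.0.0.0/8", "192.168.0.0/16", "127.0.0.1"]
ALLOWED_GIDS = ["proxy", "daemon", "root", "admins"]
ALLOWED_UIDS = ["bind", "www-data"]
LOG_RATE_PER_MIN, LOG_BURST = 1, 10


def iptables_commands():
    """iptables equivalent of the ferm rules, in chain order."""
    cmds = []
    for net in LOCAL_NETS:
        cmds.append(f"iptables -t filter -A OUTPUT -s {net} -j ACCEPT")
    # owner match only exists for locally generated packets, hence OUTPUT only.
    for gid in ALLOWED_GIDS:
        cmds.append(f"iptables -t filter -A OUTPUT -m owner --gid-owner {gid} -j ACCEPT")
    for uid in ALLOWED_UIDS:
        cmds.append(f"iptables -t filter -A OUTPUT -m owner --uid-owner {uid} -j ACCEPT")
    for chain in ("OUTPUT", "FORWARD"):
        cmds.append(f"iptables -t filter -A {chain} -m limit --limit {LOG_RATE_PER_MIN}/minute "
                    f"--limit-burst {LOG_BURST} -j ULOG --ulog-prefix rejected")
        cmds.append(f"iptables -t filter -A {chain} -p tcp -j REJECT --reject-with tcp-reset")
        cmds.append(f"iptables -t filter -A {chain} -j REJECT --reject-with icmp-port-unreachable")
    return cmds


@dataclass
class LimitBucket:
    """Token bucket with the semantics of the iptables limit match:
    up to LOG_BURST matches at once, then LOG_RATE_PER_MIN per minute."""
    tokens: float = LOG_BURST
    last_t: float = 0.0

    def allow(self, t):
        self.tokens = min(LOG_BURST, self.tokens + (t - self.last_t) * LOG_RATE_PER_MIN / 60)
        self.last_t = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


@dataclass
class Packet:
    """Constructed packet; uid/gid are the socket owner and apply to OUTPUT only."""
    chain: str          # "OUTPUT" (locally generated) or "FORWARD" (routed)
    saddr: str
    proto: str          # "tcp", "udp", "icmp", ...
    uid: str = ""
    gid: str = ""
    t: float = 0.0      # seconds since rules were loaded, drives the limit match


class Policy:
    def __init__(self):
        # ferm's "chain (OUTPUT FORWARD)" emits one limit rule per chain,
        # each with its own counter state.
        self.buckets = {"OUTPUT": LimitBucket(), "FORWARD": LimitBucket()}
        self.log = []   # entries that would reach ulogd: (t, chain, saddr)

    def verdict(self, pkt):
        """Walk the chain top to bottom; the first terminating match wins."""
        if pkt.chain == "OUTPUT":
            src = ipaddress.ip_address(pkt.saddr)
            if any(src in ipaddress.ip_network(n) for n in LOCAL_NETS):
                return "ACCEPT"
            if pkt.gid in ALLOWED_GIDS or pkt.uid in ALLOWED_UIDS:
                return "ACCEPT"
        # ULOG is non-terminating: log if the limit allows, then fall through.
        if self.buckets[pkt.chain].allow(pkt.t):
            self.log.append((pkt.t, pkt.chain, pkt.saddr))
        if pkt.proto == "tcp":
            return "REJECT tcp-reset"             # client sees RST, fails at once
        return "REJECT icmp-port-unreachable"     # UDP/other gets an ICMP error


if __name__ == "__main__":
    for cmd in iptables_commands():
        print(cmd)
    p = Policy()
    print(p.verdict(Packet("OUTPUT", "203.0.113.7", "tcp", uid="alice", gid="users")))
```

Two practitioner caveats that follow from the model: a user who is neither in an allowed group nor from a local network is rejected, but the log rule only records the first ten such attempts and then one per minute per chain, so a quiet log does not mean a quiet host; and the ULOG target the snippet uses was removed from the Linux kernel in 3.17, so on a current system the same rule is written with `-j NFLOG --nflog-prefix` (ferm: `NFLOG nflog-prefix`), logged by ulogd's NFLOG input.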