
Re: netblock & examinations on jessie



Replying to myself.

It looks like the idea of dropping outgoing traffic
to port 3128 for examination purposes is working well.

Regards

Giorgio

Here below is the diff patch

********************************
--- old/debian-edu-update-netblock	2017-03-17 11:39:46.265624382 +0100
+++ new/debian-edu-update-netblock	2017-03-17 11:45:28.708776912 +0100
@@ -88,7 +88,9 @@
     # cycles ... but don't overdo it ;)
 
     for subnet in $localnet $privatenet $internalnet ; do
-	echo "-A OUTPUT -d $subnet -j ACCEPT" >> $filterfile
+    # Add web proxy netblock before general ACCEPT on OUTPUT chain
+        echo "-A OUTPUT -d $subnet -p tcp --dport 3128 -j DROP" >> $filterfile
+        echo "-A OUTPUT -d $subnet -j ACCEPT" >> $filterfile
     done
 
     for user in $privilegedusers ; do
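
Review bot: the `--dport 3128 -j DROP` rule is written inside the subnet loop, ahead of the `for user in $privilegedusers` loop, so every rule that later loop appends lands after the DROP in $filterfile and, because the first matching rule wins, cannot let a privileged user reach the proxy. If those users are meant to keep web access during an examination, emit the port 3128 rule after their rules or add an explicit exemption before it. The port is hard-coded and the DROP is repeated for all of $localnet, $privatenet and $internalnet rather than aimed at the proxy host; a variable defined with the other settings would make clear which service is being blocked. Consider `-j REJECT --reject-with tcp-reset` in place of DROP so that browsers fail immediately instead of waiting for a connection timeout. Style: the new comment is indented four spaces and the two echo lines eight spaces, where the removed line used a tab; match the file's existing indentation and put the comment at the same level as the lines it describes.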

************************************






On Tue, Mar 14, 2017 at 02:49:49PM +0100, Giorgio Pioda wrote:
> Hi,
> 
> in the past I usually used the NIS netblock group
> combined with a temporary switch off of the squid server
> to provide isolated machines for the practical
> IT examinations.
> 
> But with the new Firefox policy, switching off squid3
> results in a complete netblock for all the WS and RWS
> since the browser is no longer allowed to get
> direct access to the external network.
> 
> Any idea to circumvent the problem? I can imagine
> that a modified client netblock script that blocks
> IP traffic on tjener:80 would be a better fix.
> 
> Regards
> 
> Giorgio 
> -- 
> Giorgio Pioda - Sysadmin SPSE-Tenero
> Cell +41 79 629 20 63
> Tel  +41 58 468 62 48
> 
> 

-- 
Giorgio Pioda - Sysadmin SPSE-Tenero
Cell +41 79 629 20 63
Tel  +41 58 468 62 48

