Koozali.org: home of the SME Server

Admin-tool for firewall and Mail

Tomas Blomqvist

Admin-tool for firewall and Mail
« on: December 25, 2002, 11:47:08 PM »
I would like to see an admin-tool for opening/closing ports for out- and in-going traffic. In my case this would be a great help to stop users from sending and receiving files via (MSN, ICQ, Direct Connect, BearShare and other) filesharing programs and still allow these connections from my own workstation. Another example is that I could stop users from retrieving files via FTP, and still have that possibility for myself.

Furthermore I would be grateful for an admin-tool where I can allow/deny attachments based on the file extension. It would also be nice if this tool had a "Global" ruleset and a ruleset that the admin can set on a user- or group-level.


/Tomas

lt

Re: Admin-tool for firewall and Mail
« Reply #1 on: December 27, 2002, 11:46:32 AM »
Sorry, I had to post this. Looks like you are being a stingy net admin: you want to block the filesharing programs but don't want your access to these programs blocked ......

Tomas Blomqvist

Re: Admin-tool for firewall and Mail
« Reply #2 on: December 27, 2002, 02:16:46 PM »
That is a correct observation...

This is a security matter... a lot of viruses get into my net this way.

Already got this thing taken care of via email. (autoscanning on the server with RAV).

/tomas

Niel Soulsby

Re: Admin-tool for firewall and Mail
« Reply #3 on: December 30, 2002, 09:54:59 AM »
Hi Tomas

I'm sure Dansguardian will allow you to block all of the traffic you mention. Your workstation IP address would have to be put in the 'exempt IP' file - to allow all such traffic to and from your personal machine. There is a 'how to' around somewhere - though the user interface has a charge (see below). In reality the text files are self explanatory and I prefer to edit them directly.

http://www.dungog.net/sme/products/dansguardian.php

Les Kerjenski

Re: Admin-tool for firewall and Mail
« Reply #4 on: January 20, 2003, 07:57:07 PM »
This is really a question for Nigel. Can you install the dansguardian on the SME Server then?
It is just that we are currently looking for a filtering system, however I was reluctant because of the need to have additional servers.

Les Kerjenski

Re: Admin-tool for firewall and Mail
« Reply #5 on: January 20, 2003, 07:58:22 PM »
Nigel, I was interested to know if this bolts on to the SME Server directly, as I need to find a filter system but don't want to have to add a new server to run it.

Niel Soulsby wrote:
>
> Hi Tomas
>
> I'm sure Dansguardian will allow you to block all of the
> traffic you mention. Your workstation IP address would have
> to be put in the 'exempt IP' file - to allow all such traffic
> to and from your personal machine. There is a 'how to' around
> somewhere - though the user interface has a charge (see
> below). In reality the text files are self explanatory and I
> prefer to edit them directly.
>
> http://www.dungog.net/sme/products/dansguardian.php

Niel Soulsby

Re: Admin-tool for firewall and Mail
« Reply #6 on: January 20, 2003, 08:34:39 PM »
Les
It does 'bolt' onto SME - I have tried it (successfully) on an IPCOP firewall, a CLARKCONNECT box - and was playing with it on SME 5.5 -

The most effective way for me to use it is to set up a firewall rule to direct all internal traffic on port 80 to port 8080 (or whatever port dansguardian is listening on) while leaving the proxy transparent - I believe that this is its default setting. This stops people from getting around the filter simply by changing the proxy settings in their browser

The only catch is that I have lost the plot with how to configure the firewall changes in SME 5.6. The line that I had to add to /etc/rc.d/rc.firewall on the CLARKCONNECT box (which also uses iptables) is as follows (eth1 is my internal interface in gateway private server mode):

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

Does anyone have any clue how to do this on 5.6 ???

Again - look at:
http://dansguardian.org/ -
http://www.tiger.org/technology/dg/ - excellent log analysis via browser
http://www.dungog.net/sme/products/dansguardian.php for SME interface

Niel

Craig Foster

Re: Admin-tool for firewall and Mail
« Reply #7 on: January 28, 2003, 04:19:39 PM »
Easy...

# cat > /etc/e-smith/templates-custom/etc/squid/squid.conf/05Port
http_port 8080
^D

# /sbin/e-smith/expand-template /etc/squid/squid.conf

# service squid restart

in /etc/dansguardian/dansguardian.conf edit these lines
"filterport = 8080"
to
"filterport = 3128"

"proxyport = 3128"
to
"proxyport = 8080"

# service dansguardian restart

Voila! Your spanky new network has transparent proxying, and the group policy (you have one?) sets the proxy registry to read only and no proxy.

You transparently proxy to dansguardian, which denies certain pages, and those that are allowed are transparently proxied via squid.
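
Added example, not part of the original posts: a shell check that the port 80 redirect, DansGuardian's filterport/proxyport and Squid's http_port from Replies #6 and #7 actually form one chain, and that the redirect does not land on Squid directly (which would skip the filter). The function names are made up for this example, and the redirect rule is passed in as text.

```shell
#!/bin/sh
# Added example (not from the thread): verify redirect -> DansGuardian -> Squid.

# dg_value FILE KEY: value of "key = value" in dansguardian.conf (last one wins)
dg_value() {
    awk -F'=' -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; sub(/#.*/, "", v); gsub(/[ \t\r]/, "", v); val = v }
        END { print val }' "$1"
}

# squid_port FILE: port of the first http_port line ("8080" or "addr:8080")
squid_port() {
    awk '$1 == "http_port" { n = split($2, a, ":"); print a[n]; exit }' "$1"
}

# redirect_port RULE: port given by --to-port(s) in an iptables REDIRECT rule
redirect_port() {
    printf '%s\n' "$1" | sed -n -E 's/.*--to-ports?[ =]+([0-9]+).*/\1/p'
}

# check_chain RULE DG_CONF SQUID_CONF
# returns 0 = consistent, 1 = filter bypassed or chain broken, 2 = value missing
check_chain() {
    r=$(redirect_port "$1"); f=$(dg_value "$2" filterport)
    p=$(dg_value "$2" proxyport); s=$(squid_port "$3")
    if [ -z "$r" ] || [ -z "$f" ] || [ -z "$p" ] || [ -z "$s" ]; then
        echo "MISSING: redirect='$r' filterport='$f' proxyport='$p' http_port='$s'"
        return 2
    fi
    if [ "$f" = "$s" ]; then
        echo "BROKEN: DansGuardian and Squid both want port $f"; return 1
    fi
    if [ "$r" = "$s" ]; then
        echo "BYPASS: port 80 is redirected to Squid ($s), skipping the filter on $f"
        return 1
    fi
    if [ "$r" != "$f" ]; then
        echo "BROKEN: redirect goes to $r but DansGuardian listens on $f"; return 1
    fi
    if [ "$p" != "$s" ]; then
        echo "BROKEN: DansGuardian forwards to $p but Squid listens on $s"; return 1
    fi
    echo "OK: port 80 -> DansGuardian:$f -> Squid:$s"
}

# Usage: check_chain "<REDIRECT rule text>" \
#     /etc/dansguardian/dansguardian.conf /etc/squid/squid.conf
```

Run against the settings from Reply #7, a redirect to port 3128 passes, while the `--to-port 8080` rule from Reply #6 is reported as BYPASS because 8080 is now Squid's port.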