Topic: Configuring Firewall

[janet]

sdpiowa

So if I install DansGuardian, I have to set all the computers up to use it as a proxy, correct?

Without wanting to appear abrupt or rude (as some people seem to object to being told to read the manual), this is a classic case where your question is already answered.

I suggest you read the Dansguardian howto,
http://wiki.contribs.org/Dansguardian
and
http://wiki.contribs.org/Dansguardian#Configuring_your_system_to_force_Dansguardian_usage_.26_prevent_bypassing

as that mentions setting the Transparent Proxy port to 8080 in sme server, and enabling portblocking of 3128 & 80 to prevent bypassing, and that way all your workstations can use the (typical) web browser default setting of auto proxy detect, and web browsing will be effectively forced via dansguardian.

sme has a smtp proxy and a http proxy and they are used by default.

Your system "power" is barely adequate, but how well it runs will depend on usage. If you have high volumes of email and enable spam filtering and virus scanning then more processing power and especially more RAM will be needed.

For a small system with just a few users and low volumes, that spec will just run OK. More RAM is really needed though.

I ran a small office on a Celeron 500MHz with 256Mb RAM and a couple of 80Gb disks in RAID1 with about 6 users, for the last three years. It was slow when making server manager changes, but performed OK for everything else.

System spec really depends on your needs/demands/performance expectation/email & data volumes.

[sdpiowa]

As of right now, this is just a "home server."

[janet]

sdpiowa

this is just a "home server."

It should be adequate then, but do enable RBL lists, and executable content filtering as these will reject a large volume of incoming spam & virus infected messages before they enter your system.
The smaller amount of RAM will then be able to cope, as you are not likely to be scanning lots of messages with viruses or spam (which need/use lots of RAM & processor power).

[sdpiowa]

Will the server filter spam that is coming through MSN webmail?  That's what we use.  Also, I think I have enough RAM to upgrade it to 1.5 GB.

[janet]

sdpiowa

If you login to msn webmail, then you are running an application on msn's server, and therefore reliant upon that site doing spam & virus filtering.

If you want to avail of the benefits of sme server (and use it's spam & filtering techniques), then configure any external free acccounts etc to forward mail to a sme server domain user account. Setup sme to use the smtp mail server  and create a real domain (either free at dyndns etc or a paid for domain name of your choice).

Users can log in to sme servers webmail (horde), from anywhere.

[David Harper]

I'm really wanting to make sure that Confiker doesn't get installed.  If Confiker, for instance, were to get on the machine, would it also be forced to go through the proxy?

Yes, if correctly configured DansGuardian should block all unauthenticated access attempts.

EDIT: If, in theory, a worm were to steal the proxy login details (e.g. via a keylogger) it could theoretically authenticate to the proxy. In a situation like this, you might have some luck with the dungog-blacklists package, or you might be out of luck.

[sdpiowa]

If, in theory, a worm were to steal the proxy login details (e.g. via a keylogger) it could theoretically authenticate to the proxy. In a situation like this, you might have some luck with the dungog-blacklists package, or you might be out of luck.

So, I would have to require proxy authentication to do this, correct?  As far as the virus is concerned, OpenDNS (which we have installed in our router) should block all Confiker communication attempts (http://blog.opendns.com/2009/03/30/worried-about-conficker-on-april-1-setting-up-opendns-can-protect-your-network/), I was just wanting to keep our network from getting the virus.

Thank you all for your responses!  I know it might be frustrating for some of you that I ask so many questions, but I'm not as familiar with a Linux server as a desktop.

[arne]

OpenDNS (which we have installed in our router) should block all Confiker communication attempts (http://blog.opendns.com/2009/03/30/worried-about-conficker-on-april-1-setting-up-opendns-can-protect-your-network/),

I guess this will not prevent your network from being infected, but it will limit the damage after an infection has happened, on your network. (?!)

[sdpiowa]

OK.  I tried to install DansGuardian by using the following command:
yum --enablerepo=smecontribs install smeserver-dansguardian

I always get the following error messages:

Error: Missing Dependency: libclamav.so.5 is needed by package dansguardian
Error: Missing Dependency: libclamav.so.5(CLAMAV_PUBLIC) is needed by package dansguardian
---------------------------------------------------------------
---------------------------------------------------------------
No new rpms were installed.  No additional commands are required.
---------------------------------------------------------------
---------------------------------------------------------------

I've done searches and can't seem to come up with an answer for this.  It may be an easy fix, but I'm not seeing it.

By the way, I did read the manual and tried everything it said.

[David Harper]

This is a bug that is almost fixed (hopefully). See http://bugs.contribs.org/show_bug.cgi?id=5111 for more information.