Dansguardian + NCSA Auth

Stefano:

--- Quote from: Gert on January 21, 2016, 02:03:12 AM ---Seems like you can block any port except for port 80.

--- End quote ---

In the https://wiki.contribs.org/Firewall#Block_outgoing_ports page I read

--- Quote ---eg to block all outbound traffic except that passed by the smtp & httpd proxies
config setprop masq TCPBlocks 0.0.0.0/0:1-65535
config setprop masq UDPBlocks 0.0.0.0/0:1-65535
eg to leave open some ports ie 222 & 2000-2010, block in ranges
config setprop masq TCPBlocks 0.0.0.0/0:1-221,0.0.0.0/0:223-1999,0.0.0.0/0:2011-65535

--- End quote ---

which sounds exactly like what you want to achieve..
If something isn't working, please tell us what you did, how you did it, the output of

--- Code: ---iptables -L

--- End code ---

and give us some info about your LAN, setup and so on
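As an added illustration of the "block in ranges" rule from the quoted wiki page (example code, not part of Stefano's post or of the SME Server project), this POSIX shell helper computes the masq TCPBlocks/UDPBlocks value that leaves only the given ports or port ranges open; the function name build_blocks is an assumption of this example.

```shell
#!/bin/sh
# Build the value for "config setprop masq TCPBlocks ..." (or UDPBlocks)
# that blocks every port except the allowed entries passed as arguments.
# Assumption (this example's own convention): each argument is a single
# port "N" or an inclusive range "N-M", all within 1-65535.
build_blocks() {
    # Expand the arguments to "start end" pairs, sorted by start port.
    sorted=$(for a in "$@"; do
        case "$a" in
            *-*) echo "${a%-*} ${a#*-}" ;;
            *)   echo "$a $a" ;;
        esac
    done | sort -n)
    next=1      # lowest port not yet covered by a block or an allowed range
    out=""
    # The here-document keeps the loop in the current shell, so "out"
    # and "next" survive after the loop.
    while read -r s e; do
        if [ -z "$s" ]; then
            continue
        fi
        # Everything between the last allowed range and this one is blocked.
        if [ "$s" -gt "$next" ]; then
            out="${out:+$out,}0.0.0.0/0:$next-$((s - 1))"
        fi
        # Skip past this allowed range (also handles overlapping entries).
        if [ "$((e + 1))" -gt "$next" ]; then
            next=$((e + 1))
        fi
    done <<EOF
$sorted
EOF
    # Block the tail of the port space after the last allowed range.
    if [ "$next" -le 65535 ]; then
        out="${out:+$out,}0.0.0.0/0:$next-65535"
    fi
    printf '%s\n' "$out"
}

# Usage: reproduces the wiki's "leave open 222 & 2000-2010" example.
build_blocks 222 2000-2010
```

Paste the printed value into `config setprop masq TCPBlocks <value>` (and UDPBlocks if needed), then run `signal-event remoteaccess-update` as the wiki page describes for firewall changes, and verify with `iptables -L`.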

Gert:
Hi Stefano,

Thank you for your reply. I tried that and I was almost 100% sure it didn't work. However I just tried it now on a test server (without dansguardian installed) and it actually did work, outgoing port 80 was blocked. I will setup a test server with dansguardian installed and try it again. Will report back.

Gert:
Ok, I installed a test server with dansguardian installed and used http://wiki.contribs.org/Firewall#Block_outgoing_ports to block direct access to port 80. That worked fine. The problem is now that dansguardian is not working unless squid is running, so I need to block direct access to squid too. I tried to achieve that with the following commands:


--- Code: ---config setprop squid access local
signal-event post-upgrade
signal-event reboot
--- End code ---

But that seems to have no effect. Any ideas?

janet:
Gert

Here is my sme9

--- Code: ---config show squid
squid=service
    EnforceSafePorts=no
    SafePorts=21,70,80,81,119,210,443,563,980,1024-65535
    TCPPort=3128
    TCPProxyPort=80:3128
    TransparentPort=3128
    access=private
    status=enabled
--- End code ---

So I suggest you use private rather than local
ie

--- Code: ---config setprop squid access private
signal-event post-upgrade
signal-event reboot
--- End code ---

Gert:
Hi Janet

The way I understand 3 different values for the firewall setting "access" is:

public - Allows access from anywhere (internet + local network + server)
private - Allows access only from local network + server
local - Allows access only from server, blocks access from internet and local network

"squid access private" is the default setting, that allows the local network to connect to it, which is what I am trying to block. I only want dansguardian to access squid and the local network to access dansguardian.
