Koozali.org: home of the SME Server

Dansguardian + NCSA Auth

Offline Gert

Dansguardian + NCSA Auth
« on: January 18, 2016, 04:34:10 PM »
How can I prevent users from bypassing dansguardian when using NCSA Authentication?


Code:
Configure your SME Server to use Transparent Proxy port 8080 and to block direct access to the squid proxy port 3128 & redirect port 80 to port 8080
Quote
If you wish to authenticate users when opening a browser using pam auth method, then you will need to disable Transparent Proxy as it is not compatible with this method.

So with the transparent proxy disabled it is easy to bypass dansguardian and that defeats the whole purpose of using dansguardian in the first place. Or am I missing something?

Offline janet

Re: Dansguardian + NCSA Auth
« Reply #1 on: January 18, 2016, 10:55:41 PM »
Gert

Where does it say that in relation to pam auth.
I think you are quoting that out of context.

The section about Filter Groups and Auth login is where it is mentioned, so avoid using Filter groups & you will be OK.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Gert

Re: Dansguardian + NCSA Auth
« Reply #2 on: January 18, 2016, 11:10:07 PM »
Hi Janet

Thank you for the reply. My apologies, I failed to mention I have to use filter groups. And you mentioned without using filter groups it works as expected.

I believe it is same case with NCSA as it is with PAM. So to rephrase my question: How can I prevent bypassing dansguardian when using filter groups?

Offline janet

Re: Dansguardian + NCSA Auth
« Reply #3 on: January 19, 2016, 12:24:33 AM »
Gert

Well you need to consider how the users can bypass dansguardian.
Generally speaking you would need to lock down the settings in workstation Windows (or other desktop software) so users cannot make changes to the proxy server settings in their browser etc eg use of group policies in Windows & such like.
Lock/force access to port 8080 by preventing users from changing that in their browser.

Quote
to rephrase my question: How can I prevent bypassing dansguardian when using filter groups?

Offline Gert

Re: Dansguardian + NCSA Auth
« Reply #4 on: January 19, 2016, 12:27:18 AM »
Unfortunately that will not be possible, as there are constantly new computers on the network as well as phones and tablets. I have to find a way to block port 80 on the lan side.

Offline janet

Re: Dansguardian + NCSA Auth
« Reply #5 on: January 19, 2016, 12:39:36 AM »
Gert
iptables & masq
search/read the FAQ etc

Offline Gert

Re: Dansguardian + NCSA Auth
« Reply #6 on: January 21, 2016, 02:03:12 AM »
I have searched and tried everything I could find. I also tried blocking as per http://wiki.contribs.org/Firewall#Block_outgoing_ports.

Seems like you can block any port except for port 80. I'm sure there MUST be a way to do this, I just can't seem to find it. I'm also sure there are lots of people sitting with the same issue. Anyone have any ideas?

guest22

Re: Dansguardian + NCSA Auth
« Reply #7 on: January 21, 2016, 05:03:21 AM »
Gert, maybe it is related to your issue, there is a discussion going on here http://bugs.contribs.org/show_bug.cgi?id=9192

Offline janet

Re: Dansguardian + NCSA Auth
« Reply #8 on: January 21, 2016, 12:04:57 PM »
Gert

I am not particularly knowledgeable on iptables, but I think you may have to find the default rule that is already allowing port 80 outgoing, & alter/change that, as probably the outgoing rule is overriding your (later in the process order) blocking rule.
Otherwise put your blocking rule ahead of the default allowing rule (???).

Read up on iptables & do not overlook what sme server is already configured to do.
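The ordering point janet raises above (an earlier ACCEPT for port 80 winning over a later DROP, because iptables takes the first matching rule in a chain) can be checked mechanically. The script below is an added illustration for this thread, not SME Server or iptables code: it walks a constructed `iptables -S`-style listing in order and reports which rule decides a given destination port. Only the `-p`, `--dport` and `-j` matchers are parsed, which is a deliberate simplification of real iptables semantics (interfaces, connection state and other matchers are ignored), and the rule lines and chain name are constructed for the example.

```python
"""First-match walk over a constructed iptables rule listing.

Added example for this thread, not SME Server or iptables code.
Rule lines are constructed in `iptables -S` style; only -p, --dport
and -j are interpreted (an assumption that keeps the parser small).
"""
import re
from typing import List, Optional, Tuple

# Constructed listing: the ACCEPT for port 80 sits ahead of the DROP
# that an admin added later, so the DROP never sees a packet.
SHADOWED_RULES: List[str] = [
    "-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT",
    "-A FORWARD -p tcp -m tcp --dport 3128 -j ACCEPT",
    "-A FORWARD -p tcp -m tcp --dport 80 -j DROP",
    "-A FORWARD -j ACCEPT",
]

RULE_RE = re.compile(r"-A (?P<chain>\S+)(?P<body>.*) -j (?P<target>\S+)$")


def parse_rule(line: str) -> Tuple[str, Optional[str], Optional[int], str]:
    """Return (chain, proto, dport, target) for one `-A` line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an append rule: {line!r}")
    body = m.group("body")
    proto = re.search(r"-p (\S+)", body)
    dport = re.search(r"--dport (\d+)", body)
    return (
        m.group("chain"),
        proto.group(1) if proto else None,
        int(dport.group(1)) if dport else None,
        m.group("target"),
    )


def first_match(rules: List[str], chain: str, proto: str, dport: int) -> Optional[Tuple[int, str]]:
    """Index and target of the first rule in `chain` that matches proto/dport.

    A rule with no -p or --dport matcher is a wildcard for that field,
    exactly as a bare `-A FORWARD -j ACCEPT` catch-all behaves.
    """
    for idx, line in enumerate(rules):
        c, p, d, target = parse_rule(line)
        if c != chain:
            continue
        if p is not None and p != proto:
            continue
        if d is not None and d != dport:
            continue
        return idx, target
    return None


def verdict(rules: List[str], chain: str, proto: str, dport: int) -> Optional[str]:
    """Target that decides the packet, or None if no rule matches."""
    hit = first_match(rules, chain, proto, dport)
    return hit[1] if hit else None


def shadowing_rule(rules: List[str], chain: str, proto: str, dport: int, wanted: str) -> Optional[str]:
    """If a rule with target `wanted` exists for the port but an earlier rule
    wins, return that earlier rule; otherwise None."""
    hit = first_match(rules, chain, proto, dport)
    if hit is None or hit[1] == wanted:
        return None
    for line in rules[hit[0] + 1:]:
        c, p, d, target = parse_rule(line)
        if c == chain and p == proto and d == dport and target == wanted:
            return rules[hit[0]]
    return None


def move_to_front(rules: List[str], rule: str) -> List[str]:
    """Copy of `rules` with `rule` placed first (the iptables -I equivalent)."""
    return [rule] + [r for r in rules if r != rule]


if __name__ == "__main__":
    drop80 = "-A FORWARD -p tcp -m tcp --dport 80 -j DROP"
    print("as listed   :", verdict(SHADOWED_RULES, "FORWARD", "tcp", 80))
    print("shadowed by :", shadowing_rule(SHADOWED_RULES, "FORWARD", "tcp", 80, "DROP"))
    fixed = move_to_front(SHADOWED_RULES, drop80)
    print("after reorder:", verdict(fixed, "FORWARD", "tcp", 80))
```

On a real box the input would come from `iptables -S FORWARD`; the point the walk makes is that a blocking rule appended after a matching ACCEPT is dead, and that either the ACCEPT must go or the DROP must be inserted ahead of it, which is what the SME `masq` properties arrange for you when you use them instead of hand-edited rules.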

Offline Gert

Re: Dansguardian + NCSA Auth
« Reply #9 on: February 03, 2016, 10:50:13 PM »
So far this is a dead end for me.

Quote
Gert, maybe it is related to your issue, there is a discussion going on here http://bugs.contribs.org/show_bug.cgi?id=9192

This seems to be related indeed.

The only solution I can think of is to not use filter groups and run multiple sme servers, one per "filter group"

Offline Stefano

Re: Dansguardian + NCSA Auth
« Reply #10 on: February 03, 2016, 11:31:51 PM »
Seems like you can block any port except for port 80.

in https://wiki.contribs.org/Firewall#Block_outgoing_ports page I read
Quote
eg to block all outbound traffic except that passed by the smtp & httpd proxies
config setprop masq TCPBlocks 0.0.0.0/0:1-65535
config setprop masq UDPBlocks 0.0.0.0/0:1-65535
eg to leave open some ports ie 222 & 2000-2010, block in ranges
config setprop masq TCPBlocks 0.0.0.0/0:1-221,0.0.0.0/0:223-1999,0.0.0.0/0:2011-65535

which sounds exactly like what you want to achieve..
if something isn't working, please tell us what you did, how you did it, the output of
Code:
iptables -L

and give us some info about your lan, setup and so on
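The `TCPBlocks` values quoted above are comma-separated `CIDR:port` or `CIDR:low-high` entries, and the second form shows how leaving a port open means writing the ranges around it. The script below is an added example for this thread, not SME Server's own template code: it parses a `TCPBlocks` string under that assumed syntax and reports which destination ports a LAN client could still reach, so you can confirm a value blocks 80 (and 3128, if you add it) before committing it with `config setprop`. The destination address and the port lists are constructed for the example.

```python
"""Parse an SME Server style masq TCPBlocks value and list what stays open.

Added example, not SME Server's template code. Assumes the syntax seen
in the wiki quote: comma-separated CIDR:port or CIDR:low-high entries.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[ipaddress.IPv4Network, int, int]

# Values quoted from the Firewall wiki page.
BLOCK_ALL = "0.0.0.0/0:1-65535"
BLOCK_WITH_GAPS = "0.0.0.0/0:1-221,0.0.0.0/0:223-1999,0.0.0.0/0:2011-65535"
# Constructed value: block direct web access (80) and the squid port (3128)
# but nothing else.
BLOCK_WEB_AND_SQUID = "0.0.0.0/0:80,0.0.0.0/0:3128"


def parse_blocks(value: str) -> List[Entry]:
    """Turn 'CIDR:port,CIDR:low-high,...' into (network, low, high) tuples.

    Raises ValueError on a malformed entry rather than silently dropping
    it, since a dropped entry would mean an unintended open port.
    """
    entries: List[Entry] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        net, sep, ports = item.rpartition(":")
        if not sep:
            raise ValueError(f"missing ':' in entry {item!r}")
        low, _, high = ports.partition("-")
        lo = int(low)
        hi = int(high) if high else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range in entry {item!r}")
        entries.append((ipaddress.ip_network(net, strict=False), lo, hi))
    return entries


def is_blocked(entries: List[Entry], dst_ip: str, dport: int) -> bool:
    """True if any entry covers both the destination address and the port."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net and lo <= dport <= hi for net, lo, hi in entries)


def open_ports(entries: List[Entry], dst_ip: str, ports: List[int]) -> List[int]:
    """Subset of `ports` that the block list does not cover for dst_ip."""
    return [p for p in ports if not is_blocked(entries, dst_ip, p)]


if __name__ == "__main__":
    probe = [22, 80, 222, 443, 2000, 2010, 2011, 3128]
    dst = "203.0.113.10"  # constructed external address
    for label, value in [("BLOCK_ALL", BLOCK_ALL),
                         ("BLOCK_WITH_GAPS", BLOCK_WITH_GAPS),
                         ("BLOCK_WEB_AND_SQUID", BLOCK_WEB_AND_SQUID)]:
        print(f"{label:20s} open: {open_ports(parse_blocks(value), dst, probe)}")
```

These blocks apply to traffic the server forwards for LAN clients; as the wiki quote says, traffic the server's own proxies originate is not what they stop, which is why a blanket block still lets squid fetch pages on the clients' behalf.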

Offline Gert

Re: Dansguardian + NCSA Auth
« Reply #11 on: February 04, 2016, 12:02:26 AM »
Hi Stefano,

Thank you for your reply. I tried that and I was almost 100% sure it didn't work. However I just tried it now on a test server (without dansguardian installed) and it actually did work, outgoing port 80 was blocked. I will setup a test server with dansguardian installed and try it again. Will report back.

Offline Gert

Re: Dansguardian + NCSA Auth
« Reply #12 on: February 08, 2016, 05:22:09 PM »
Ok, I installed a test server with dansguardian installed and used http://wiki.contribs.org/Firewall#Block_outgoing_ports to block direct access to port 80. That worked fine. The problem is now that dansguardian is not working unless squid is running, so I need to block direct access to squid too. I tried to achieve that with the following commands:

Code:
config setprop squid access local
signal-event post-upgrade
signal-event reboot

But that seems to have no effect. any ideas?

Offline janet

Re: Dansguardian + NCSA Auth
« Reply #13 on: February 09, 2016, 06:25:32 AM »
Gert

Here is my sme9
config show squid
squid=service
    EnforceSafePorts=no
    SafePorts=21,70,80,81,119,210,443,563,980,1024-65535
    TCPPort=3128
    TCPProxyPort=80:3128
    TransparentPort=3128
    access=private
    status=enabled

So I suggest you use private rather than local
ie
config setprop squid access private
signal-event post-upgrade
signal-event reboot

Offline Gert

Re: Dansguardian + NCSA Auth
« Reply #14 on: February 09, 2016, 09:25:41 AM »
Hi Janet

The way I understand 3 different values for the firewall setting "access" is:

public - Allows access from anywhere (internet + local network + server)
private - Allows access only from local network + server
local - Allows access only from server, blocks access from internet and local network

"squid access private" is the default setting, that allows the local network to connect to it, which is what I am trying to block. I only want dansguardian to access squid and the local network to access dansguardian.