Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: pietdejong on August 08, 2004, 10:16:17 AM

Title: Dansguardian & access to server manager
Post by: pietdejong on August 08, 2004, 10:16:17 AM
Hi All,

I installed DansGuardian. Filtering works fine.

However because DansGuardian will block port 80, I no longer have access to the server manager.

The problem in the firewall rules is pasted below.
If I remove the last 2 rules (port 80) then I have access again, but then anyone not using port 8080 for proxy will bypass DansGuardian.
I have seen numerous posts regarding DansGuardian, and I find it strange that nobody else has this problem .....

Any help is appreciated
thanks
Piet


    for network in 192.168.1.0/255.255.255.0
    do
        /sbin/iptables -A $NEW_local_chk -s $network -p tcp --destination-port 3128 -j DROP
        /sbin/iptables -A $NEW_local_chk -d $network -p tcp --destination-port 3128 -j DROP
        /sbin/iptables -A $NEW_local_chk -s $network -p tcp --destination-port 80 -j DROP
        /sbin/iptables -A $NEW_local_chk -d $network -p tcp --destination-port 80 -j DROP
    done
Title: Dansguardian & access to server manager
Post by: byte on August 08, 2004, 11:53:35 AM
Hi,

You should still be able to get access to your server manager by typing...

http://youripnumber:980/e-smith-manager
Title: Re: Dansguardian & access to server manager
Post by: raem on August 08, 2004, 03:31:18 PM
pietdejong

What custom-template did you put those rules in?
I would like to add it to my Dansguardian HOWTO.
Thanks
Title: Dansguardian & access to server manager
Post by: pietdejong on August 10, 2004, 06:56:24 AM
Byte,
Using your suggestion did not seem to work, I saw the directives in httpd.conf, but it only seems to allow it from localhost.
Title: Dansguardian & access to server manager
Post by: chris burnat on August 10, 2004, 09:09:25 AM
Have you tried https? I had this problem running Dans under PAM AUTH, fixed it... It's a great program - check dungog.net latest release, includes antivirus scan using clamav. chris
Title: Dansguardian & access to server manager
Post by: pietdejong on August 12, 2004, 09:38:52 AM
Yes https does work, but it seems like the proxy auto-discover no longer works, since that is still trying to access wpad on port 80 ..

Thanks
Title: Dansguardian & access to server manager
Post by: chris burnat on August 12, 2004, 11:45:20 AM
I am a little out of my depth here, but I think that "when filtering on port 8080 access to 3128 & 80 has been disabled, this is to stop the filter being bypassed, unfortunately this also disables proxy.pac" chris
Title: Dansguardian & access to server manager
Post by: pietdejong on August 31, 2004, 07:47:57 AM
This seems to do the trick for me:
    for network in $locals
    do
        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port 3128 -j DROP
        /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port 3128 -j DROP
        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port 80 -d \$network -j ACCEPT
        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port 80 -j DROP
        #/sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port 80 -j DROP
    done


I commented out the last line, since I have no idea what it does.
The third line will allow access to server-manager etc.
The fourth line disables transparency, so if someone has not set up their proxy they will not be able to bypass SME server.
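
The rule order in the 31 August post can be checked offline with a small first-match model of the chain, comparing it against the rules from the first post. This is an added example, not part of the original posts and not SME Server code; the sample addresses and the names `verdict` and `compare` are assumptions, and only the rules quoted in the thread are modelled.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # the local network from the first post

# Each rule: (source net or None, destination net or None, TCP dport, target),
# listed in the order the thread appends them to the chain.
ORIGINAL = [
    (LAN, None, 3128, "DROP"),
    (None, LAN, 3128, "DROP"),
    (LAN, None, 80, "DROP"),
    (None, LAN, 80, "DROP"),
]
REVISED = [
    (LAN, None, 3128, "DROP"),
    (None, LAN, 3128, "DROP"),
    (LAN, LAN, 80, "ACCEPT"),  # added rule: LAN source to LAN destination on port 80
    (LAN, None, 80, "DROP"),   # LAN source to any other port-80 destination
    # the "-d $network ... 80 -j DROP" rule is commented out in the revised post
]

def verdict(rules, src, dst, dport):
    """Return the target of the first matching rule, as iptables does within a chain."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, port, target in rules:
        if port != dport:
            continue
        if src_net is not None and s not in src_net:
            continue
        if dst_net is not None and d not in dst_net:
            continue
        return target
    return "FALLTHROUGH"  # nothing in this fragment matched; later rules decide

# Constructed sample traffic (all addresses are made up for illustration).
CASES = {
    "client -> server-manager/wpad on :80": ("192.168.1.50", "192.168.1.1", 80),
    "client -> outside web server on :80": ("192.168.1.50", "203.0.113.10", 80),
    "client -> Squid directly on :3128": ("192.168.1.50", "192.168.1.1", 3128),
    "client -> DansGuardian on :8080": ("192.168.1.50", "192.168.1.1", 8080),
    "outside -> LAN address on :80": ("203.0.113.10", "192.168.1.1", 80),
}

def compare():
    """Map each sample case to its (original, revised) verdict."""
    return {name: (verdict(ORIGINAL, *pkt), verdict(REVISED, *pkt))
            for name, pkt in CASES.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:40} original={before:12} revised={after}")
```

The last case shows what the commented-out rule covered: port-80 traffic addressed to the local network from a non-local source, which the revised fragment no longer decides on its own.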
Title: Dansguardian & access to server manager
Post by: Henk on September 01, 2004, 12:03:18 AM
where did you change these settings?

I guess you made a custom template of
/etc/rc.d/init.d/masq/90local_chk50networks ?

But I'm not sure of this, and I wonder if you added these lines or deleted the original line between do and drop.

I tried these settings in a custom template, but that didn't work.