[K12OSN] Locking Down Firefox

James P. Kinney III jkinney at localnetsolutions.com
Wed Oct 4 21:22:45 UTC 2006


On Wed, 2006-10-04 at 10:51 -1000, R. Scott Belford wrote:
> James P. Kinney III wrote:
> > You can make the prefs owned by root (or another user that students
> > can't log in as) and world readable but not world writeable.
> 
> Thanks, James.  It already is.
> 
> 
>    File: `/usr/lib/firefox-1.5.0.7/greprefs/all.js'
>    Size: 61067           Blocks: 128        IO Block: 4096   regular file
> Device: 902h/2306d      Inode: 3718157     Links: 1
> Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
> Access: 2006-10-03 17:24:23.000000000 -1000
> Modify: 2006-10-03 17:21:00.000000000 -1000
> Change: 2006-10-03 17:21:00.000000000 -1000
> 
> 
> I reckon that I can customize each ~/home/ file, but this is not 
> sysadmin friendly for a multitude of users.  I do not have scripting 
> skills.  As it stands, a savvy kid can go to edit/preferences and set his 
> connection settings for a direct connection to the Internet thus 
> circumventing the above file.  To get to nakedness on the Internet, kids 
> get savvy pretty fast.

Ah! Hormones do drive a certain level of tech savvy. :)

A better workaround is to force ALL web traffic through the gateway to
go through the squidguard/dansguardian filter using iptables trickery.
The kids at the terminals can't monkey with that.

iptables -t nat -A PREROUTING -p tcp -m tcp \
  ! -d <your IP address scheme>/<your net mask> \
  -i <your incoming ethx device> --dport 80 \
  -j REDIRECT --to-ports 3128

Do the same thing again for --dport 440 to grab the https traffic and
last but not least

iptables -A INPUT -p tcp -m tcp -i <your incoming ethx device> \
  --dport 3128 -j ACCEPT

to accept packets into the squid proxy. squid will talk to dansguardian
by localhost sockets which are (usually) not blocked.
> 
> --scott
-- 
James P. Kinney III          
CEO & Director of Engineering 
Local Net Solutions,LLC        
770-493-8244                    
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
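
Added example, not part of the original message and not the poster's code: a check an admin could run on the gateway to confirm the interception described above is actually loaded, by reading `iptables-save` output. The function name `audit_intercept`, the interface `eth1`, the LAN `192.168.0.0/24` and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# audit_intercept IFACE WEB_PORT PROXY_PORT   (hypothetical helper name)
# Reads iptables-save output on stdin. Returns 0 only if
#  (1) nat/PREROUTING redirects WEB_PORT arriving on IFACE to PROXY_PORT, and
#  (2) filter/INPUT accepts PROXY_PORT on IFACE (or the INPUT policy is ACCEPT).
# Limitation: it does not model rule order, so an earlier DROP is not detected.
audit_intercept() {
    awk -v ifc="$1" -v web="$2" -v prx="$3" '
        /^\*/ { table = substr($0, 2); next }        # "*nat", "*filter"
        table == "filter" && /^:INPUT ACCEPT/ { input_ok = 1 }
        /^-A / {
            line = " " $0 " "                        # pad so tokens match whole
            on_if = index(line, " -i " ifc " ")
            if (table == "nat" && $2 == "PREROUTING" && on_if &&
                index(line, " --dport " web " ") &&
                index(line, " -j REDIRECT --to-ports " prx " "))
                redirect_ok = 1
            if (table == "filter" && $2 == "INPUT" && on_if &&
                index(line, " --dport " prx " ") && index(line, " -j ACCEPT "))
                input_ok = 1
        }
        END {
            if (!redirect_ok) print "MISSING: nat PREROUTING redirect of port " web " on " ifc
            if (!input_ok)    print "MISSING: filter INPUT accept for port " prx " on " ifc
            exit !(redirect_ok && input_ok)
        }'
}

# Constructed sample: redirect and accept rule both present.
SAMPLE_GOOD='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING ! -d 192.168.0.0/24 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT'

# Constructed sample: nat table is empty, so a direct connection skips the filter.
SAMPLE_NO_NAT='*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_GOOD" | audit_intercept eth1 80 3128 && echo "good sample: interception in place"
printf '%s\n' "$SAMPLE_NO_NAT" | audit_intercept eth1 80 3128 || echo "bad sample: browsers set to direct connection bypass the filter"
```

On a live gateway the same function takes its input from `iptables-save` run as root, for example `iptables-save | audit_intercept eth1 80 3128`.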