[K12OSN] Locking Down Firefox
James P. Kinney III
jkinney at localnetsolutions.com
Wed Oct 4 21:22:45 UTC 2006
On Wed, 2006-10-04 at 10:51 -1000, R. Scott Belford wrote:
> James P. Kinney III wrote:
> > You can make the prefs owned by root (or another user that students
> > can't log in as) and world readable but not world writeable.
>
> Thanks, James. It already is.
>
>
> File: `/usr/lib/firefox-1.5.0.7/greprefs/all.js'
> Size: 61067 Blocks: 128 IO Block: 4096 regular file
> Device: 902h/2306d Inode: 3718157 Links: 1
> Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
> Access: 2006-10-03 17:24:23.000000000 -1000
> Modify: 2006-10-03 17:21:00.000000000 -1000
> Change: 2006-10-03 17:21:00.000000000 -1000
>
>
> I reckon that I can customize each ~/home/ file, but this is not
> sysadmin friendly for a multitude of users. I do not have scripting
> skills. As it stands, a savvy kid can go to edit/preferences and set his
> connection settings for a direct connection to the Internet, thus
> circumventing the above file. To get to nakedness on the Internet, kids
> get savvy pretty fast.
Ah! Hormones do drive a certain level of tech savvy. :)

A better workaround is to force ALL web traffic through the gateway to
go through the squidguard/dansguardian filter using iptables trickery.
The kids at the terminals can't monkey with that.

    # REDIRECT is only valid in the nat table, so -t nat is required
    iptables -t nat -A PREROUTING -p tcp -m tcp \
        ! -d <your IP address scheme>/<your net mask> \
        -i <your incoming ethx device> --dport 80 \
        -j REDIRECT --to-ports 3128

Do the same thing again for --dport 440 to grab the https traffic and
last but not least

    # redirected packets arrive with destination port 3128
    iptables -A INPUT -p tcp -m tcp -i <your incoming ethx device> \
        --dport 3128 -j ACCEPT

to accept packets into the squid proxy. squid will talk to dansguardian
by localhost sockets which are (usually) not blocked.
>
> --scott
--
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions,LLC
770-493-8244
http://www.localnetsolutions.com
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
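
Added example, not part of the original message: a small audit that reads `iptables-save` output and confirms that both rules described in the reply are present, so a flushed or edited ruleset on the gateway is noticed. The interface name `eth1`, the subnet, and the sample ruleset are constructed, and the check assumes the INPUT rule matches the proxy port as a destination port.

```shell
#!/bin/sh
# Added example: audit `iptables-save` output for the transparent-proxy rules.
# Interface name, subnet and sample rulesets below are constructed.

# audit_redirect IFACE PORT   (reads iptables-save text on stdin)
# Exit 0 when both the redirect and the accept rule exist, 1 otherwise.
audit_redirect() {
    awk -v ifc="$1" -v port="$2" '
        /^\*/   { table = substr($0, 2); next }   # "*nat", "*filter" headers
        !/^-A / { next }                          # skip policies, COMMIT, comments
        {
            line  = " " $0 " "                    # pad so whole-token matches work
            on_if = index(line, " -i " ifc " ") > 0
            tcp   = index(line, " -p tcp ") > 0
        }
        table == "nat" && $2 == "PREROUTING" && on_if && tcp &&
            index(line, " --dport 80 ") && index(line, " -j REDIRECT ") &&
            index(line, " --to-ports " port " ") { redirect = 1 }
        table == "filter" && $2 == "INPUT" && on_if && tcp &&
            index(line, " --dport " port " ") &&
            index(line, " -j ACCEPT ") { accept = 1 }
        END {
            if (!redirect) print "MISSING: nat PREROUTING redirect of port 80 to " port
            if (!accept)   print "MISSING: filter INPUT accept for port " port
            exit !(redirect && accept)
        }'
}

# Constructed ruleset in iptables-save format with both rules in place.
sample_good() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING ! -d 192.168.0.0/24 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT
EOF
}

# Same ruleset with the redirect removed, as after an accidental flush of nat.
sample_missing() { sample_good | grep -v REDIRECT; }

sample_good    | audit_redirect eth1 3128 && echo "ruleset OK"
sample_missing | audit_redirect eth1 3128 || echo "ruleset incomplete"
```

On a live gateway, pipe the output of `iptables-save` (run as root) into `audit_redirect` instead of the sample functions.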