Koozali.org formerly Contribs.org

Dansguardian & access to server manager

pietdejong

Dansguardian & access to server manager
« on: August 08, 2004, 10:16:17 AM »
Hi All,

I installed DansGuardian. Filtering works fine.

However, because DansGuardian will block port 80, I no longer have access to the server manager.

The problem in the firewall rules is pasted below.
If I remove the last 2 rules (port 80) then I have access again, but then anyone not using port 8080 for proxy will bypass DansGuardian.
I have seen numerous posts regarding DansGuardian, and I find it strange that nobody else has this problem ...

Any help is appreciated
thanks
Piet


    for network in 192.168.1.0/255.255.255.0
    do
        /sbin/iptables -A $NEW_local_chk -s $network -p tcp --destination-port 3128 -j DROP
        /sbin/iptables -A $NEW_local_chk -d $network -p tcp --destination-port 3128 -j DROP
        /sbin/iptables -A $NEW_local_chk -s $network -p tcp --destination-port 80 -j DROP
        /sbin/iptables -A $NEW_local_chk -d $network -p tcp --destination-port 80 -j DROP
    done

byte

Dansguardian & access to server manager
« Reply #1 on: August 08, 2004, 11:53:35 AM »
Hi,

You should still be able to get access to your server manager by typing...

http://youripnumber:980/e-smith-manager
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

raem

Re: Dansguardian & access to server manager
« Reply #2 on: August 08, 2004, 03:31:18 PM »
pietdejong

What custom-template did you put those rules in ?
I would like to add it to my Dansguardian HOWTO.
Thanks
...

pietdejong

Dansguardian & access to server manager
« Reply #3 on: August 10, 2004, 06:56:24 AM »
Byte,
Using your suggestion did not seem to work. I saw the directives in httpd.conf, but it only seems to allow it from localhost.

Dansguardian & access to server manager
« Reply #4 on: August 10, 2004, 09:09:25 AM »
Have you tried https? I had this problem running Dans under PAM AUTH, fixed it... It's a great program - check dungog.net latest release, includes antivirus scan using clamav. chris
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

pietdejong

Dansguardian & access to server manager
« Reply #5 on: August 12, 2004, 09:38:52 AM »
Yes https does work, but it seems like the proxy auto-discover no longer works, since that is still trying to access wpad on port 80 ..

Thanks

Dansguardian & access to server manager
« Reply #6 on: August 12, 2004, 11:45:20 AM »
I am a little out of my depth here, but I think that "when filtering on port 8080 access to 3128 & 80 has been disabled, this is to stop the filter being bypassed, unfortunately this also disables proxy.pac" chris
- chris

pietdejong

Dansguardian & access to server manager
« Reply #7 on: August 31, 2004, 07:47:57 AM »
This seems to do the trick for me:
    for network in $locals
    do
        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port 3128 -j DROP
        /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port 3128 -j DROP
        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port 80 -d \$network -j ACCEPT
        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port 80 -j DROP
        #/sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port 80 -j DROP
    done


I commented out the last line, since I have no idea what it does.
The third line will allow access to server-manager etc.
The fourth line disables transparency, so if someone has not set up their proxy they will not be able to bypass SME server.
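
Added example, not part of the original posts: a small Python model of first-match rule evaluation that compares the rule set from the first post with the one in Reply #7. The client, server and external addresses are constructed, and the model covers only rule order inside the chain, not how SME Server routes traffic into it.

```python
import ipaddress

LOCAL = ipaddress.ip_network("192.168.1.0/255.255.255.0")  # network from the first post
ANY = ipaddress.ip_network("0.0.0.0/0")

# Each rule: (source net, destination net, TCP destination port, target)
BEFORE = [  # rules as pasted in the first post
    (LOCAL, ANY, 3128, "DROP"),
    (ANY, LOCAL, 3128, "DROP"),
    (LOCAL, ANY, 80, "DROP"),
    (ANY, LOCAL, 80, "DROP"),
]
AFTER = [  # rules from Reply #7 (its last line is commented out there)
    (LOCAL, ANY, 3128, "DROP"),
    (ANY, LOCAL, 3128, "DROP"),
    (LOCAL, LOCAL, 80, "ACCEPT"),
    (LOCAL, ANY, 80, "DROP"),
]

def verdict(rules, src, dst, dport):
    """Return the target of the first matching rule, as an iptables chain does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, port, target in rules:
        if s in src_net and d in dst_net and dport == port:
            return target
    return "NO-MATCH"  # packet falls through to whatever follows this chain

# Constructed sample packets; all addresses are assumptions for illustration.
PACKETS = {
    "LAN client to server, port 80": ("192.168.1.50", "192.168.1.1", 80),
    "LAN client to Internet, port 80": ("192.168.1.50", "203.0.113.10", 80),
    "LAN client to server, port 3128": ("192.168.1.50", "192.168.1.1", 3128),
    "LAN client to server, port 8080": ("192.168.1.50", "192.168.1.1", 8080),
}

def compare():
    """Map each sample packet to its (before, after) verdict pair."""
    return {name: (verdict(BEFORE, *pkt), verdict(AFTER, *pkt))
            for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:34} before={before:8} after={after}")
```

Swapping the third and fourth AFTER rules turns the first verdict back into DROP, because the broader port 80 DROP would then match before the local ACCEPT.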

Henk

Dansguardian & access to server manager
« Reply #8 on: September 01, 2004, 12:03:18 AM »
where did you change these settings?

I guess you made a custom template of
/etc/rc.d/init.d/masq/90local_chk50networks ?

But I'm not sure of this, and I wonder if you added these lines or deleted the original line between do and drop.

I tried these settings in a custom template, but that didn't work.