https://bugzilla.redhat.com/show_bug.cgi?id=458643

--- Comment #18 from Pavel Lisý <pavel.lisy@xxxxxxxxx> 2009-02-23 07:18:51 EDT ---

Do you think about making a default firewall configuration?
Similar settings are made in Ubuntu CE but through the firehol package.

This is what I use for my children's computers in combination with tinyproxy (running under the nobody user on port 3128):

cp -a /etc/sysconfig/iptables /etc/sysconfig/iptables-dansguardian-backup
sed \
-e '/-A INPUT -j REJECT --reject-with icmp-host-prohibited/a\
\
# dansguardian settings\
# --- begin\
-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 3128 -m owner ! --uid-owner nobody -j DROP\
# --- end\
' \
-e '/^\*filter/i\
\
# tinyproxy settings\
# --- begin\
*nat\
:PREROUTING ACCEPT [0:0]\
:POSTROUTING ACCEPT [0:0]\
:OUTPUT ACCEPT [0:0]\
:in_trproxy.1 - [0:0]\
:out_trproxy.1 - [0:0]\
-A PREROUTING -p tcp -m tcp --sport 1000:65535 --dport 80 -j in_trproxy.1\
-A in_trproxy.1 -p tcp -j REDIRECT --to-ports 8080\
-A OUTPUT -p tcp -m tcp --sport 32768:61000 --dport 80 -j out_trproxy.1\
-A out_trproxy.1 -m owner --uid-owner nobody -j RETURN\
-A out_trproxy.1 -m owner --uid-owner root -j RETURN\
-A out_trproxy.1 -d 127.0.0.1 -j RETURN\
-A out_trproxy.1 -p tcp -j REDIRECT --to-ports 8080\
-A OUTPUT -j ACCEPT\
COMMIT\
# --- end\
' /etc/sysconfig/iptables-dansguardian-backup > /etc/sysconfig/iptables

This is useful when you want to deny all HTTP traffic to the outside except for defined users (nobody = tinyproxy user, root = yum update, ...).
You also don't need to make any proxy settings in the browser.
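
The OUTPUT rules from the comment above, walked by a small rule simulator to show which local users' port-80 connections are redirected to 8080 and who may reach tinyproxy on port 3128. This is an added example, not part of the original comment or of any package; `decide`, the sample user `alice` and the address 192.0.2.10 are hypothetical, and it assumes TCP packets, owner matching by user name and a default ACCEPT chain policy.

```python
import shlex

# Rules copied from the comment above; every packet is assumed TCP, chain policy ACCEPT.
NAT = """-A OUTPUT -p tcp -m tcp --sport 32768:61000 --dport 80 -j out_trproxy.1
-A out_trproxy.1 -m owner --uid-owner nobody -j RETURN
-A out_trproxy.1 -m owner --uid-owner root -j RETURN
-A out_trproxy.1 -d 127.0.0.1 -j RETURN
-A out_trproxy.1 -p tcp -j REDIRECT --to-ports 8080
-A OUTPUT -j ACCEPT"""
FILTER = "-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 3128 -m owner ! --uid-owner nobody -j DROP"

def parse(text):
    chains = {}  # {chain: [(conditions, target, to_port), ...]}
    for line in text.splitlines():
        conds, opts, neg, tok = [], {}, False, iter(shlex.split(line))
        for key in tok:
            if key == "!":                       # negates the next match
                neg = True
            elif key in ("--sport", "--dport", "-d", "--uid-owner"):
                conds.append((key, next(tok), neg))
                neg = False
            else:
                opts[key] = next(tok)            # -A, -p, -m, -j, --to-ports
        chains.setdefault(opts["-A"], []).append((conds, opts["-j"], opts.get("--to-ports")))
    return chains

def matches(conds, pkt):
    def hit(key, val):
        if key.endswith("port"):                 # single port or lo:hi range
            lo, _, hi = val.partition(":")
            return int(lo) <= pkt[key] <= int(hi or lo)
        return pkt[key] == val
    return all(hit(k, v) != neg for k, v, neg in conds)

def verdict(chains, pkt, chain="OUTPUT"):
    for conds, target, port in chains.get(chain, []):
        if matches(conds, pkt):
            if target == "RETURN":               # back to the calling chain
                return None
            out = verdict(chains, pkt, target) if target in chains else f"{target} {port or ''}".strip()
            if out:
                return out
    return None                                  # end of chain: caller continues

def decide(user, dst, dport, sport=40000):       # -> (nat verdict, filter verdict)
    pkt = {"--uid-owner": user, "-d": dst, "--dport": dport, "--sport": sport}
    nat = verdict(parse(NAT), pkt) or "ACCEPT"
    if nat.startswith("REDIRECT"):               # filter sees the rewritten destination
        pkt.update({"-d": "127.0.0.1", "--dport": int(nat.split()[1])})
    return nat, verdict(parse(FILTER), pkt) or "ACCEPT"
```

For example, `decide("alice", "192.0.2.10", 80)` returns `("REDIRECT 8080", "ACCEPT")`, while `decide("alice", "127.0.0.1", 3128)` returns `("ACCEPT", "DROP")`.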