dansguardian + firewall issues

Brett Rasmussen brett.rasmussen at twoedge.com
Sat Apr 24 15:08:37 MDT 2010


Pluggers,
I'm wondering if someone can help me understand what I need to do here. I'm
not very savvy about firewall rules at all, so the Jack & Jill version of
any direction you might offer would be appreciated.

I'm setting up a fairly standard DansGuardian arrangement, with DG listening
on 8080 and Squid on 3128.  It's a single-machine setup wherein we'll be
browsing from the same box that DG and Squid are on.  I've been following
this tutorial:

http://www.howtoforge.com/squid-proxy-server-on-ubuntu-9.04-server-with-dansguardian-clamav-and-wpad-proxy-auto-detection

I'm on kubuntu 9.10 and am trying to use ufw for the firewall as described.

I'm at the point where DG and Squid are both working fine--I can set my
browser's proxy settings to use 8080 and (turn off my images to be sure and)
type in a naughty url and see the DG "access denied" page.

But I can't seem to get the firewall set up so that it allows a local
browser to connect to 8080 but not 80 such that they could bypass the filter
altogether.  I've tried the ufw rules as suggested in the tutorial:

sudo ufw default DENY
sudo ufw ALLOW 8080
sudo ufw enable

But as I understand it, that prevents only *incoming* requests on the
non-8080 ports.  You can still go *out* on 80 as usual.  I've tried this in
addition to the above:

ufw deny out 80

But that blocked everything including the filtered traffic, I'm assuming
because squid needs to go out on 80 and no longer can.  I thought of
port-forwarding outbound 80 to 8080, but it seems like that would just make
a loop: web-browser to 80, 80 to DG on 8080, DG to squid, squid attempts
outbound on 80, start all over again.

Another issue of the same sort is squid listening on 3128: if DG needs to
talk to squid on 3128, I don't think I can go around blocking 3128 to local
requests, but if I don't, what's to keep a browser from using squid as its
proxy and bypassing DG altogether?  I realize the above lines from the
tutorial are aimed at doing that, but since they deny ALL non-8080 incoming
requests, why would DG be allowed to talk to 3128 when a browser couldn't?
Okay, I just checked this last one, and something seems weird: even with the
"default deny", I can go straight to 3128 as my browser proxy, and it lets
me through just fine.  I also tried the explicit "ufw deny 3128" as
mentioned in the tutorial, and I can still go through 3128 as the browser
proxy.

These questions of mine may well reveal my ignorance of firewalls, and there
may well be something obvious I'm just not clued in to. Can someone help me
understand what's going on and what I need to do?

Thanks,
Brett
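Added example, not from the post or the tutorial it links: iptables rules that use the owner match so that only DansGuardian may reach Squid on 3128 and only Squid may open outbound web connections, which is what port-only ufw rules cannot express on a single host. It assumes the Ubuntu package defaults (Squid runs as user `proxy`, DansGuardian as `dansguardian`, both bound to 127.0.0.1) and that ufw's before.rules accepts all loopback traffic, which is why `ufw deny 3128` has no effect on a local browser; `policy_for` is a hypothetical helper for checking the rules before loading them.

```shell
#!/bin/sh
# Added example, not from the post: per-user iptables rules for a single host where
# traffic must go browser -> DansGuardian (8080) -> Squid (3128) -> web.
# Assumed (Ubuntu package defaults, not stated in the post): Squid runs as user
# "proxy", DansGuardian as user "dansguardian", both bound to 127.0.0.1.
# Port-only rules cannot tell a browser from the proxy daemons, and ufw's
# before.rules accepts all loopback traffic, so "ufw deny 3128" never sees a
# local browser. The owner match on locally generated packets fixes both.
SQUID_USER=proxy
DG_USER=dansguardian

# Emit the rules instead of applying them so the policy can be reviewed first.
render_rules() {
    cat <<EOF
# Only DansGuardian may talk to Squid; a browser pointed at 3128 is rejected.
iptables -A OUTPUT -o lo -p tcp --dport 3128 -m owner --uid-owner $DG_USER -j ACCEPT
iptables -A OUTPUT -o lo -p tcp --dport 3128 -j REJECT
# Only Squid may open outbound web connections; everyone else must use 8080.
# Replies carry source port 80/443, so established flows are unaffected.
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner $SQUID_USER -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j REJECT
EOF
}

# Hypothetical helper: walk the rules with iptables' first-match semantics and
# report which target (ACCEPT/REJECT, or nothing) applies to PORT for USER.
policy_for() {  # policy_for PORT USER
    render_rules | awk -v port="$1" -v user="$2" '
        /^#/ { next }
        {
            covers = 0; owner = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport" || $i == "--dports") {
                    m = split($(i+1), ports, ",")
                    for (j = 1; j <= m; j++) if (ports[j] == port) covers = 1
                }
                if ($i == "--uid-owner") owner = $(i+1)
                if ($i == "-j") target = $(i+1)
            }
            if (covers && (owner == "" || owner == user)) { print target; exit }
        }'
}

# Load the rules (root only); rule order matters, so keep them as emitted.
apply_rules() {
    render_rules | grep -v '^#' | sh -e
}
```

Under ufw, rules appended to OUTPUT land after ufw's own loopback ACCEPT, so the same lines belong in /etc/ufw/before.rules (as `-A ufw-before-output ...`) ahead of its `-o lo -j ACCEPT` line.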