[KLUG Members] Iptables

Bruce Smith bruce at armintl.com
Mon Aug 22 15:38:10 EDT 2005


> >That's 99.9% of my users!  :-)
> Well, I didn't want to say so.. I've met some of them, and..<cough>...
> 
> >> I don't know of an IM that doesn't work on http, for example. 
> >Talking about internet programs in general (not just IM):
> now now, let's not go spread the scope of this thread.

Shall I rephrase to say: "includes, but is not limited to, IM clients"?

> >I've found those clients which do support a proxy in their config, many
> >don't support an _authenticated_ proxy - those clients won't work.
> Yes, I sorta decided that I wanted you to define this.

A proxy that doesn't work until you authenticate yourself (log in) before
you can use it?

> >Squid is configured to only allow "safe ports", other ports won't work.
> Port 80??

and 443 and a few others defined by default in squid.
I've had to add a few others for some weird web sites.
It's completely configurable.

> >It'd be interesting to see if any IM clients could be made to work
> >though my firewall setup.
> Oh... is this a contest? :)

You can try if you like.  I don't have a windoze box handy to try it
myself, and trying with Linux w/gaim/whatever is probably not a good
test since only a couple of my users currently have Linux desktops.

> >> You might be stopping some services, like real-time ICQ chat
> >> and file transfer, but that's probably it. That assumes you're
> >> letting the user on the net at all, natch.
> >Yes, I'm talking about users who are authenticated on the proxy server,
> >which is not everyone here.
> Right, and since your organization has less than 500 members, your
> first statement here shows we're talking about less than half a person.

I said "users" (plural), _you_ said "user" (singular).

> Isn't that an "authenticating proxy?"

When you start your browser, go to google.com or any remote website, it
pops up a box asking for userid & password.  The box looks just like a
web site that makes you login, except it's squid asking for the login.

If you're in the Unix group that allows Internet access, and you type
your network userid/password, you can proceed to surf the Internet.
Otherwise the login fails, and you're limited to the intranet (local)
web servers.

> You've certainly shown that it may be technically possible to run, it
> is, in practical terms, VERY hard. No one can say you're not diligent
> in this area.

Please note that I don't really care if valid Internet users can IM.
If my setup also happens to prevent IM, all the better!

My main purpose is to control _who_ can access the Internet, and to keep
a log of _who_ goes where on the Internet.  i.e.  We don't want the 3rd
shift machine tool operators playing on the Internet when they are
supposed to be drilling & tapping big metal things.

So, if a valid Internet user can get IM to work, that's fine with me.
If the supervisor complains that the user is screwing around with IM for
personal use on company time, then the user won't be in the Internet
group much longer.

OTOH, if a user wants to IM and complains that they can't make it work,
we say that we don't support that. (sometimes I say "too bad", or "tough"
or "what company related activity requires it?" - depending on who the
user is :)

If someone ever comes up with a valid company related need for IM, then
I might check into running it through the proxy.  Until then, we don't
support IM!  :-)

 - BS
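For readers who want to see what the setup described in this message looks like in practice, here is an added example squid.conf fragment. It is not Bruce's actual configuration and is not part of the original thread; it assumes Squid 3.x with the basic_pam_auth and ext_unix_group_acl helpers installed under /usr/lib/squid, a LAN of 10.0.0.0/8, an intranet domain of .example.local and a Unix group named "internet", all of which are placeholders. One caveat worth knowing: Squid's stock Safe_ports list also permits 1025-65535 (the "unregistered ports" entry), so this example trims the list to the handful of ports the thread mentions; add back whatever your odd web sites need.

```conf
# Added example squid.conf fragment (Squid 3.x syntax assumed). Helper paths,
# network ranges, domain and group names are placeholders, not the poster's values.

# --- What can be reached through the proxy at all ---
acl SSL_ports  port 443
acl Safe_ports port 80 443 8080        # trimmed: stock Squid also allows 1025-65535
acl CONNECT    method CONNECT

# --- Who is asking, and where they are going ---
acl localnet  src 10.0.0.0/8           # assumption: the LAN behind the proxy
acl intranet  dstdomain .example.local # assumption: local web servers, no login needed

# Basic auth against the system password database via PAM. The browser shows
# the realm text in the login box that pops up on the first outside request.
auth_param basic program /usr/lib/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm Internet access
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED

# Only members of the Unix group "internet" may leave the intranet.
# %LOGIN hands the authenticated username to the helper; -p also checks
# the user's primary group. Results are cached for ttl seconds.
external_acl_type unix_group ttl=300 %LOGIN /usr/lib/squid/ext_unix_group_acl -p
acl internet_group external unix_group internet

# --- Order matters: the first matching http_access line wins ---
http_access deny  !Safe_ports              # odd destination ports never get through
http_access deny  CONNECT !SSL_ports       # raw tunnels (what most IM clients need) only to 443
http_access allow localnet intranet        # intranet servers: no login required
http_access deny  !auth_users              # anything else: send a 407 challenge first
http_access allow localnet internet_group  # logged in AND in the group
http_access deny  all                      # logged in but not in the group: denied

# The default "squid" log format records the authenticated username with every
# request, which is the "who goes where" audit trail the message describes.
access_log /var/log/squid/access.log squid
```

Two behaviours to check after loading this: a user who is not in the group gets the login box, can authenticate successfully, and is still refused by the final deny, which is the "limited to the intranet" outcome described above; and a client that tries CONNECT to a port other than 443 is refused before authentication is even attempted, which is why proxy-aware IM clients that tunnel over arbitrary ports fail regardless of credentials.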



