[PLUG] Controlling resolv.conf...

Smith, Cathy Cathy.Smith at pnnl.gov
Tue Mar 12 18:33:13 UTC 2019


You can use the chattr command to make the file unchangeable to 


Cathy
-- 
Cathy L. Smith
IT Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the 
U.S. Department of Energy

Phone: 509.375.2687
Fax: 509.375.4399
Email: cathy.smith at pnnl.gov

-----Original Message-----
From: plug-bounces at pdxlinux.org <plug-bounces at pdxlinux.org> On Behalf Of Tyrell Jentink
Sent: Tuesday, March 12, 2019 10:37 AM
To: Portland Linux/Unix Group <plug at pdxlinux.org>
Subject: Re: [PLUG] Controlling resolv.conf...

On Mon, Mar 11, 2019, 13:44 <michael at robinson-west.com> wrote:

> I have Spectrum cable where the ethernet connection to the modem receives a dynamic ip address from Spectrum along with wrong name servers.

> This is correct for resolv.conf:
> search roch.robinson-west.com
> nameserver 127.0.0.1

> resolv.conf gets overwritten though by the modem...


No, not "by the modem," but rather "From the modem," or more specifically, "From the DHCP server in the modem."

The distinction is that your machine does not, and should not, let any device untrusted by you access your machine, especially not the modem.

So, instead, Network Manager (Or, more specifically, DHCPd) is asking the DHCP server for its host configuration, and it's using it.

To be clear, Spectrum isn't "Forcing" these settings on you; your machine is asking for them. This, however, is not what you intended for it to do.

> I'm on a Debian Linux system. I need to ignore the nameserver settings from Spectrum and the Spectrum search line.
> Something called resolvconf will allow me to do this???


I don't know about resolvconf, and have never used it before...

When I want a client host to use DHCP to get an IP address but NOT DNS or any other settings, I configure NetworkManager to "Use DHCP Address Only."

Details on that method and two other approaches are available here:
https://askubuntu.com/questions/623940/network-manager-how-to-stop-nm-updating-etc-resolv-conf

> Another thing I'm wondering about is what the proper firewall settings are to allow clients on my RFC 1918 network to use the proxy on my server. I'm also wondering about the legality of sslbump and what people who have deployed this can tell me about enabling https support in squid?


You are overthinking this... There is no legal problem with you doing anything you want to any packet inside your network... It's your network...
You can do anything you want...

You can even use Penetration Testing software to "Hack" your own network...
That's what "Penetration Testers" and "Ethical Hackers" do. Sometimes, big companies even pay people to try and hack their Network. Network security is big money. It's only illegal if you trespass, or if you steal something, or you go somewhere you aren't supposed to...

The internet is like the real world... Don't do things that are illegal in the real world, and you will be OK.

For example... It's probably legal to open your wife or daughter's mail...
It's probably not mail fraud or anything, I mean, you are living at the address on the label, and you are probably legal proxy enough to avoid trouble... Mail Fraud doesn't even apply to the internet, so opening your family's internet packets is doubly legal.


What you are trying to achieve is a "Transparent Proxy;" The "proper" way of doing it is to NOT do a Transparent Proxy, and instead configure each client to use the proxy as appropriate; Maybe block un-proxied access to the WAN at the firewall, but DON'T do an outbound port redirect to the proxy. The reason this is correct is that you, as system admin, really have no business breaking SSL... Even for your family. It's kinda like reading your daughter's diary... It's not that it's illegal, one may even be able to justify it to themselves... But it's kinda just not very polite.

> Theoretically, I could have a list of https sites that are allowed and disallow all others and not have a legal problem.


Again, you don't have a "Legal" problem at all... Just an ethical one.

But you're wrong about how one whitelists and blacklists at the firewall: You can't do it by URL, you have to do it by IP address... Some Enterprise Layer 7 firewalls try to emulate that effect by tracking sessions by IP, Port, and DNS Lookup, but it's not available on Linux or FreeBSD firewalls, and it's far from foolproof... Let's postulate that two popular domains are both hosted by AWS, and have the same IP... How would the firewall track both sessions? Thus why only Enterprise routers have the feature...

> With google pushing web sites to go https, it's not just banks and credit unions using it anymore. Even google search is https. Ugh!


This isn't Google being evil... This is Google telling web admins that protecting their customers' privacy is not optional, and isn't acceptable...
This is a GOOD thing, and to advocate for poor security merely because you want to control what your family can and can't see on the internet is...
Well, confusing.

> This is a nightmare for anyone who wants their Internet connection content filtered. Content filtering by its very nature requires a man in the middle. The https protocol is supposed to guarantee that there isn't a man in the middle. Some countries evidently will prosecute you if you filter https connections. If I'm a business owner or a home owner running a network at home, what am I supposed to do?


If you're a small business, and you want to monitor and control your employees, you could start by hiring trustworthy employees, and then statically configure their browsers to use the proxy, and block WAN access at the firewall.

If you're a home network administrator... You could try trusting your family... Trust begets trust...

Or, you can be the Man in the Middle... If that causes you ethical concerns, maybe you should think twice about your goals.
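The two fixes proposed in this thread (Cathy's chattr +i on the file, and Tyrell's "Use DHCP Address Only" / keep NetworkManager from rewriting resolv.conf) combined into one script, as an added example that is not from either poster. It assumes Debian default paths, the NetworkManager `dns=none` drop-in, the dhclient `supersede` directive and the lsattr flag layout; the `$ETC` variable and the function names are this script's own. The demo runs unprivileged in a temporary directory; only `lock_resolv` needs root.

```shell
#!/bin/sh
# Added example, not from the thread: keep the DHCP-supplied Spectrum nameservers
# out of /etc/resolv.conf and verify the result. Paths are Debian defaults;
# $ETC (an assumption of this script) lets the demo and tests work in a temp dir.
# Only the lock_resolv step needs root; the demo at the bottom never calls it.

ETC="${ETC:-/etc}"

# 1. Tell NetworkManager to leave resolv.conf alone. The GUI "Use DHCP Address
#    Only" setting is per connection (nmcli: ipv4.ignore-auto-dns yes); this
#    drop-in disables NM's resolv.conf handling globally. Prints the file path.
write_nm_dns_none() {
    dir="$ETC/NetworkManager/conf.d"
    mkdir -p "$dir"
    printf '[main]\ndns=none\n' > "$dir/90-local-dns.conf"
    printf '%s\n' "$dir/90-local-dns.conf"
}

# 2. Equivalent for hosts that run dhclient directly: override what the lease
#    offers. Prints the dhclient.conf stanza (args: nameserver, search domain).
dhclient_supersede() {
    printf 'supersede domain-name-servers %s;\nsupersede domain-search "%s";\n' "$1" "$2"
}

# 3. Write the intended resolv.conf (args: nameserver, search domain).
write_local_resolv() {
    printf 'search %s\nnameserver %s\n' "$2" "$1" > "$ETC/resolv.conf"
}

# 4. Check: every nameserver line must be the local resolver, and there must be
#    at least one. Any other address means the DHCP lease leaked back in.
resolv_is_local() {
    awk -v want="$2" '
        $1 == "nameserver" { seen++; if ($2 != want) bad++ }
        END { if (seen == 0 || bad > 0) exit 1; exit 0 }
    ' "$1"
}

# 5. Cathy's chattr +i, verified. lsattr prints a flag field such as
#    "----i---------e-------" before the path; the 'i' is the immutable bit.
lsattr_is_immutable() {
    case "${1%% *}" in *i*) return 0 ;; *) return 1 ;; esac
}
resolv_is_immutable() {
    lsattr_is_immutable "$(lsattr "$1" 2>/dev/null)"
}
lock_resolv() {
    chattr +i "$ETC/resolv.conf" && resolv_is_immutable "$ETC/resolv.conf"
}

# Demo in a throwaway directory (safe to run unprivileged).
demo() {
    ETC="$(mktemp -d)"
    echo "NM drop-in: $(write_nm_dns_none)"
    write_local_resolv 127.0.0.1 roch.robinson-west.com
    resolv_is_local "$ETC/resolv.conf" 127.0.0.1 && echo "resolv.conf: local resolver only"
    # Constructed leak: a DHCP-supplied server appended behind our back (TEST-NET address).
    printf 'nameserver 192.0.2.53\n' >> "$ETC/resolv.conf"
    resolv_is_local "$ETC/resolv.conf" 127.0.0.1 || echo "resolv.conf: foreign nameserver detected"
    rm -rf "$ETC"
}
demo
```

With `dns=none` in place NetworkManager still takes the address and gateway from the lease but never touches resolv.conf; the immutable bit is belt-and-braces against anything else (dhclient hooks, resolvconf) that might still rewrite it, and `resolv_is_local` is the check to run after the next lease renewal to confirm nothing leaked back in.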
_______________________________________________
PLUG mailing list
PLUG at pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
