Thursday, March 5, 2009

Humor on Computers, Systems and Programming (Part 6)

Misc

"There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies and the other is to make it so complicated that there are no obvious deficiencies."
- C A R Hoare, as quoted by Erik de Castro Lopo

"I don't trust a precompiled binary any farther than I can spit a rat."
- Erik Fichtner

"FF1517 packages are for professional drivers only, on a closed course."
- Austin Lesea, in comp.arch.fpga

"The cheapest, fastest and most reliable components of a computer system are those that aren't there."
- Gordon Bell, DEC laboratories, quoted by Jörn Engel

"The real romance is out ahead and yet to come. The computer revolution hasn't started yet. Don't be misled by the enormous flow of money into bad defacto standards for unsophisticated buyers using poor adaptations of incomplete ideas."
- Alan Kay, quoted by Donovan Rebbechi

"It's large amounts of well-organized ignorance that scares me."
- Cody Ann Michaels, quoted by Steve Thompson, Sysadmin, Malcontent

"A society without religion is like a crazed psychopath without a loaded .45"
- David Voth

"See everything; overlook a great deal; correct a little."
- Pope John XXIII

"The Net interprets censorship as damage and routes around it."
- John Gilmore, quoted by Bjørn Borud

"The Web is to graphic design as the fax machine is to literature."
- Decklin Foster

"Modularity is not a hack."
- Dan Bernstein

"Troubleshooting is intrinsically a layering violation."
- Larry Doolittle

"Computers are state machines. Threads are for people who can't program state machines."
- Alan Cox

"Lies, damned lies and FPGA Gate Count."
- Uwe Bonnes

"My favorite programming language is a soldering iron."
- Steve Ciarcia

"Computers are useless; they can only give you answers."
- Pablo Picasso

"An Interface is what gets in between you and what you want to do."
- Carl Havermiste

"Have you ever worked until late at night, put the resulting alpha software in a public location, and then read a bug report and suggested fix from halfway around the world using the bedside laptop the next morning? I have."
- Donald J. Becker, in November 1993

"Just because the code is intended to cause flaming death is no reason to get sloppy and leave off the casts."
- Tim Smith, regarding sample (F0 0F C7 C8) Pentium Death code on comp.os.linux.advocacy

"Note that if I can get you to 'su and say' something just by asking, you have a very serious security problem on your system and you should look into it."
- Paul Vixie, in the vixie-cron 3.0.1 installation notes

"DES itself is now 'DED'. It is 'kid sister' code. It has 'X'es for eyeballs. It is defunct. It is an ex-protocol."
- Robert Hettinga, in a July 20, 1998 letter explaining that it costs $684.93 to break one DES key

"...very few phenomena can pull someone out of Deep Hack Mode, with two noted exceptions: being struck by lightning, or worse, your *computer* being struck by lightning."
- Matt Welsh

"Well, let's just say, 'if your VCR is still blinking 12:00, you don't want Linux.'"
- Bruce Perens, Debian's Fearless Leader

"The sticker on the side of the box said 'Supported Platforms: Windows 95, Windows NT 4.0, or better', so clearly Linux was a supported platform."
- Nathan Hand

"Would you buy a car with the hood welded shut? Debian/GNU Linux ... the maintainable operating system."
- Tim Thomson

"Right now some people are just running around in circles and claiming that moving things to the kernel automatically makes it more stable. I'm telling you that the kernel is stable not because it's a kernel, but because I refuse to listen to arguments like this."
- Linus Torvalds

"I don't know what you would do for MSDOS other than boot Linux."
- Russ Nelson

"All I'm saying is this: 'Great, you're a new pilot, and you want to fly. Fine. We've got a Cessna 127 here, and an F16. You know, I think you ought to start with the Cessna.'"
- Bryan Pfaffenberger, explaining why he wants companies to create "Linux Lite" products targeted at newcomers

"A human being should be able to change a diaper, plan an invasion, butcher a hog, set a bone, comfort the dying, take orders, give orders, solve equations, pitch manure, program a computer, fight efficiently, die gallantly. Specialization is for insects."
- Lazarus Long, in Time Enough for Love by Robert A. Heinlein

"How do you power off this machine?"
- Linus, when upgrading linux.cs.helsinki.fi, and after using the machine for several months

"Who is General Failure and why is he reading my disc?"

'Hit any user to continue'

Use the force, read the source!

Of course it doesn't work. We've performed a software upgrade.

Artificial Intelligence stands no chance against Natural Stupidity.

[X] <- nail here for new monitor

=============================================================
==== a mail server message just too good to go unnoticed ====
=============================================================

Date: Thu, 19 Sep 2002 14:33:07 +0200
From: Mail Administrator
To: xyz@htw-saarland.de
Subject: Mail System Error - Returned Mail

This Message was undeliverable due to the following reason:

The user(s) account is temporarily over quota.

Please reply to Postmaster@a2000.nl
if you feel this message to be in error.

Humor on Computers, Systems and Programming (Part 5)

Operating Systems

"Unix is user friendly - it's just a bit more choosy about who its friends are." --Gene Buckle

"The box said 'Requires Windows 95, NT, or better,' so I installed Linux."

Computers are like air conditioners. They stop working when you open Windows.

"... being a Linux user is sort of like living in a house inhabited by a large family of carpenters and architects. Every morning when you wake up, the house is a little different. Maybe there is a new turret, or some walls have moved. Or perhaps someone has temporarily removed the floor under your bed." --Unix for Dummies, Jon "maddog" Hall

The only thing Micro$oft has done for society, is make people believe that computers are inherently unreliable.

"Where do you want to go today?" -- Microsoft ad campaign
"Where do you want to go tomorrow?" -- Linux enthusiasts

"One cannot delete the Web browser from KDE without losing the ability to manage files on the user's own hard disk." --Prof. Stuart E Madnick, MIT.
So called “expert” witness for Microsoft. 2002/05/02

            __
           / /    __  _  _  _  _ __  __
          / /__  / / / \// //_// \ \/ /           -o)
         /____/ /_/ /_/\/ /___/  /_/\_\           /\\
         is like a WIGWAM:                       _\_v-
         No gates, no windows, and an Apache inside.


Linux is for networking,
Mac is for working,
Windows is just for solitaire.

source : http://www-crypto.htw-saarland.de/weber/misc/programming.html

Humor on Computers, Systems and Programming (Part 4)

Computers

At the source of every error which is blamed on the computer you will find at least two human errors, including the error of blaming it on the computer.            

Hardware: The parts of a computer system that can be kicked. 

"Imagine if every Thursday your shoes exploded if you tied them the usual way.  This happens to us all the time with computers, and nobody thinks of complaining." ---Jeff Raskin, interviewed in Doctor Dobb's Journal   

"There is no reason for any individual to have a computer in their home." ---Ken Olson, President of DEC, World Future Society Convention, 1977     

A bus station is where a bus stops.
A train station is where a train stops.
On my desk, I have a workstation...

Error, no keyboard - press F1 to continue.

source : http://www-crypto.htw-saarland.de/weber/misc/programming.html

Humor on Computers, Systems and Programming (Part 3)

Bugs

Bug : An aspect of a computer program which exists because the programmer was thinking about Jumbo Jacks or stock options when he wrote the program.          

Heisenbug : [from Heisenberg's Uncertainty Principle in quantum physics]
A bug that disappears or alters its behavior when one attempts to probe or isolate it. (This usage is not even particularly fanciful; the use of a debugger sometimes alters a program's operating environment significantly enough that buggy code, such as that which relies on the values of uninitialized memory, behaves quite differently.) Antonym of Bohr bug; see also mandelbug, schroedinbug. In C, nine out of ten heisenbugs result from uninitialized auto variables, fandango on core phenomena (esp. lossage related to corruption of the malloc arena) or errors that smash the stack.

Bohr Bug : [from quantum physics]
A repeatable bug; one that manifests reliably under a possibly unknown but well-defined set of conditions.

Mandel Bug : [from the Mandelbrot set]
A bug whose underlying causes are so complex and obscure as to make its behavior appear chaotic or even non-deterministic. This term implies that the speaker thinks it is a Bohr bug, rather than a heisenbug.

Schroedinbug  [Schroedinger's Cat thought-experiment in quantum physics]
A design or implementation bug in a program that doesn't manifest until someone reading source or using the program in an unusual way notices that it never should have worked, at which point the program promptly stops working for everybody until fixed. Though (like bit rot) this sounds impossible, it happens; some programs have harbored latent schroedinbugs for years.

------
GDB has a 'break' feature; why doesn't it have 'fix' too?
------

source : http://www-crypto.htw-saarland.de/weber/misc/programming.html

Humor on Computers, Systems and Programming (Part 2)

Real Users

Real Users find the one combination of bizarre input values that shuts down the system for days.

Real Users hate Real Programmers.

Real Users know your home telephone number.

Real Users never use the Help key.

Programming Languages

"Perl: The only language that looks the same before and after RSA encryption." ---precize@hotmail.com

C makes it easy to shoot yourself in the foot. C++ makes it harder, but when you do, it blows away your whole leg. ---Bjarne Stroustrup

If I hear the phrase "everything is an object" once more, I think I will scream. ---Michael Stonebraker

"The C Programming Language -- A language which combines the flexibility of assembly language with the power of assembly language."

COBOL programs are an exercise in Artificial Inelegance.

A computer without COBOL and FORTRAN is like a piece of chocolate cake without ketchup and mustard.

PASCAL: A programming language named after a man who would turn over in his grave if he knew about it.

The primary purpose of the DATA statement is to give names to constants; instead of referring to pi as 3.141592653589793 at every appearance, the variable PI can be given that value with a DATA statement and used instead of the longer form of the constant. This also simplifies modifying the program, should the value of pi change. ---FORTRAN manual for Xerox Computers

source : http://www-crypto.htw-saarland.de/weber/misc/programming.html

Humor on Computers, Systems and Programming (Part 1)

Real Programmers

Real programmers don't comment their code.  It was hard to write, it should be hard to understand and even harder to modify.

Real Programmers don't document. Documentation is for simpletons who can't read listings or the object code from the dump.

Real programmers don't write in BASIC.  Actually, no programmers write in BASIC after reaching puberty.

Real Programmers don't write in COBOL. COBOL is for COmmon Business-Oriented Laymen who can't run a business, much less write a real program.

Real Programmers don't write in COBOL. COBOL was designed to be read, not run. Unfortunately it is often run anyway.

Real Programmers don't write in APL, unless the whole program can be written on one line.

Real Programmers don't write in LISP. Only idiots' programs contain more parenthesis than actual code.

Real Programmers don't write in PASCAL, BLISS, ADA, or any of those other sissy computer science languages. Strong typing is the crutch for people with weak minds.

Real Programmers don't write in PL/I.  PL/I is for programmers who can't decide whether to write in COBOL or FORTRAN.

Real programmers don't write in FORTRAN.  FORTRAN is for pipe stress freaks and crystallography weenies.  FORTRAN is for wimp engineers who wear white socks.

Real Programmers don't write in RPG. RPG is for gum-chewing dimwits who maintain ancient payroll programs.

Real Programmers don't write applications programs. They program right down on the bare metal. Applications programming is for the dullards who can't do systems programming.

Real Programmers don't write specs. Users should be grateful for whatever they get: they are lucky to get any programs at all.

Real Programmers don't read manuals. Reliance on a reference manual is the hallmark of the novice and the coward.

Real Programmers don't believe in schedules. Planners make up schedules. Managers "firm up" schedules. Frightened coders strive to meet schedules. Real Programmers ignore schedules.

Real Programmers consider "what you see is what you get" to be just as bad a concept in text editors as it is in women. No, the Real Programmer wants a "you asked for it, you got it" text editor -- complicated, cryptic, powerful, unforgiving, dangerous.


source : http://www-crypto.htw-saarland.de/weber/misc/programming.html

Sunday, March 1, 2009

If Programming Languages Were Cars...

This is an update to an old series of jokes about computer languages being like cars. I've added some more modern languages to the list. Any suggestions are welcome!

Note: It seems that Digg/Reddit/StumbleUpon have dug/read/stumbled upon this page, with the result that I've received a ton of new suggestions. This is just an illustration of Vanier's Law: "Given enough time, any programming-related rant, no matter how inane, will eventually be posted on Reddit/Digg/StumbleUpon etc." Thanks to all who sent me their suggestions; I've sifted through them and added the ones I liked to the page. I've also added some suggestions from the comments page on digg.com below, without permission; if you are the author and object, I'll be happy to remove it. If I didn't post your suggestion, please realize that it's not personal; it's only because I'm an asshole with no sense of humor.

Also, some people speculated on my own preference in languages. I'm a functional programming weenie (some would even say a smug one), so my preferences run roughly like this: Haskell > Ocaml > Scheme/Lisp > Erlang > Python/Ruby > C. There are other languages I like (e.g. Prolog and Smalltalk), but I don't work with them to any significant degree. And there are languages I hate, which I won't talk about here in the interests of avoiding pointless flame wars (by which I mean people sending me emails telling me "YOU SUCK!"). Also, TCL fans: thanks for the suggestions, but I didn't find one that seemed funny enough and/or apt enough to include, so keep trying.


The list

  • Ada   is a tank. A butt-ugly tank that never breaks down. People laugh uncontrollably if you tell them you drive Ada, but really, do you want to be driving a sports car in a war zone? [from Amit Dubey]
  • Assembly Language   is a bare engine; you have to build the car yourself and manually supply it with gas while it's running, but if you're careful it can go like a bat out of hell.

[From "Subterfug" off digg.com:]
Assembly Language:   you are the car.

  • Basic   is a simple car useful for short drives to the local shops. Once popular with learner drivers, it has recently been stripped down to a shell and rebuilt by a major manufacturer. The new version has been refurbished for longer journeys, leaving only cosmetic similarities to the original model. [from Przemyslaw Wrzos]
  • C   is a racing car that goes incredibly fast but breaks down every fifty miles.
  • Cobol   is reputed to be a car, but no self-respecting driver will ever admit having driven one.
  • C#   is a competing model of family station wagons. Once you use this, you're never allowed to use the competitors' products again.
  • C++   is a souped-up version of the C racing car with dozens of extra features that only breaks down every 250 miles, but when it does, nobody can figure out what went wrong.
  • Eiffel   is a car that includes a built-in driving instructor with a French accent. He will help you quickly identify and learn from your mistakes, but don't you dare argue with him or he'll insult you and throw you out of the car. [From Daniel Prager with some embellishments]
  • Erlang   is a fleet of cars that all cooperate to get you where you want to go. It takes practice to be able to drive with one foot in each of several cars, but once you learn how you can drive over terrain that would be very hard to navigate any other way. In addition, because you're using so many cars, it doesn't matter if a few of them break down.
  • Forth   is a car you build yourself from a kit. Your car doesn't have to look or behave like anyone else's car. However, a Forth car will only go backwards.

[By "256byteram", on a comment on Digg.com (I couldn't resist):]
FORTH LOVE IF HONK THEN !

  • Fortran   is a pretty primitive car; it'll go very quickly as long as you are only going along roads that are perfectly straight. It is believed that learning to drive a Fortran car makes it impossible to learn to drive any other model.
  • Java   is a family station wagon. It's easy to drive, it's not too fast, and you can't hurt yourself.
  • Haskell   is an incredibly elegantly-designed and beautiful car, which is rumored to be able to drive over extremely strange terrain. The one time you tried to drive it, it didn't actually drive along the road; instead, it made copies of itself and the road, with each successive copy of the road having the car a little further along. It's supposed to be possible to drive it in a more conventional way, but you don't know enough math to figure out how.

[Monadic version:]
Haskell   is not really a car; it's an abstract machine in which you give a detailed description of what the process of driving would be like if you were to do it. You have to put the abstract machine inside another (concrete) machine in order to actually do any driving. You're not supposed to ask how the concrete machine works. There is also a way to take multiple abstract machines and make a single abstract machine, which you can then give to the concrete machine to make multiple trips one after another.

  • Lisp   looks like a car, but with enough tweaking you can turn it into a pretty effective airplane or submarine.

[from Paul Tanimoto:]
Lisp:   At first it doesn't seem to be a car at all, but now and then you spot a few people driving it around. After a point you decide to learn more about it and you realize it's actually a car that can make more cars. You tell your friends, but they all laugh and say these cars look way too weird. You still keep one in your garage, hoping one day they will take over the streets.

  • Mathematica   is a well-designed car that borrowed a lot from the Lisp car without giving it nearly the credit it deserved. It can solve equations to determine the most efficient way to get to the destination, but it costs a fortune.
  • Matlab   is a car designed for novice drivers going on short trips over terrain similar to the terrain the Mathematica car is usually driven over. It is very comfortable when driving over this terrain, but if you go off the trail even a little the car becomes so hard to drive that more snobby drivers refuse to even acknowledge that it's a car.
  • Ocaml   is a very sexy European car. It's not quite as fast as C, but it never breaks down, so you end up going further in less time. However, because it's French, none of the controls are in the usual places.
  • Perl   is supposed to be a pretty cool car, but the driver's manual is incomprehensible. Also, even if you can figure out how to drive a Perl car, you won't be able to drive anyone else's.
  • PHP   is the Oscar Mayer Wienermobile; it's bizarre and hard to handle, but everybody still wants to drive it. [from "CosmicJustice" off of digg.com]
  • Prolog   is fully automatic: you tell it what your destination looks like, and it does all the driving for you. [Addendum from Paul Graham:] However, the effort required to specify most destinations is equivalent to the effort of driving there.

[I forget who suggested this one:]
Prolog   is a car with a unique trial-and-error GPS system. It will go down the road looking for your destination, and if it gets to the end of the street without finding it, it will back up and try the next street over and continue until you get where you need to go.

  • Python   is a great beginner's car; you can drive it without a license. Unless you want to drive really fast or on really treacherous terrain, you may never need another car.
  • Ruby   is a car that was formed when the Perl, Python and Smalltalk cars were involved in a three-way collision. A Japanese mechanic found the pieces and put together a car which many drivers think is better than the sum of the parts. Other drivers, however, grumble that a lot of the controls of the Ruby car have been duplicated or triplicated, with some of the duplicate controls doing slightly different things in odd circumstances, making the car harder to drive than it ought to be. A redesign is rumored to be in the works.
  • Smalltalk   is a small car originally designed for people who were just learning to drive, but it was designed so well that even experienced drivers enjoy riding in it. It doesn't drive very fast, but you can take apart any part of it and change it to make it more like what you wanted it to be. One oddity is that you don't actually drive it; you send it a message asking it to go somewhere and it either does or tells you that it didn't understand what you were asking.
  • Visual Basic   is a car that drives you. [from "yivkX360" on digg.com, no doubt channeling Yakov Smirnov]

source : http://www.cs.caltech.edu/~mvanier/hacking/rants/cars.html

Cisco PIX Firewall : Lock It Down In 10 Steps

by David Davis, CCIE, MCSE
Version 1.0
March 2, 2005


You may be thinking, “Shouldn’t a firewall be locked down by default?” Well, to some degree this is true, but not completely. Here are 10 steps to ensure your PIX Firewall is as secure as it can be.

1.   Password protect it – By default, the Cisco PIX has no password on the console. If you configure Telnet access to the PIX, the default password is "cisco." You should set a strong password for both the console and the Telnet interface. Make sure you choose a complex password (containing uppercase and lowercase letters, numbers, and special characters).

2.   Know your access-lists – Having a firewall is all about permitting the “good” traffic through the firewall and denying the “bad” traffic from reaching the internal network. Access-lists are preferred over the conduit methods that were used in the past. However, one syntax mistake in an access-list and all the bad traffic can come in. As a firewall administrator, you need to know and understand every element in the access-lists on each Cisco PIX Firewall you manage.

3.   Log denials and errors – So that you have a record of what traffic is being blocked by your firewall, you should log denials, attempted intrusions, and errors. This logging should go to a syslog server so that it can be archived and stored off of the PIX. For more information on sending PIX logging to syslog, see this link. Also, you should enable Network Time Protocol (NTP) on the PIX so that the clock is always current, which will ensure that the timestamp/datestamp on your log entries is also correct.

4.   Use SSH in place of Telnet – With Telnet, the username and password used to log in are sent in clear-text (unencrypted). Thus, with Telnet, the password used to log in to the PIX can be sniffed over the network. You should use SSH instead of Telnet so that the password (and all other commands) are encrypted. Here's a link on using SSH for remote system management. Another option is to set up the PIX as a VPN server, use VPN to connect to the PIX (forming an encrypted tunnel), and then use Telnet to connect through the tunnel.

5.   Understand the ASA – At the heart of the PIX Firewall is the Adaptive Security Algorithm (ASA). As a firewall administrator, you must understand the methodology of how the ASA works. Without this knowledge, you could mistakenly allow full access to your private network or disable access to critical business applications. For more information about the ASA, check out this Cisco link.

6.   Enable optional security features – A Cisco PIX Firewall has a long list of optional features to make your network more secure. These features include Unicast Reverse Path Forwarding, MailGuard, FloodGuard, FragGuard, and URL Filtering. You can read more about them here.

7.   Keep the PIX OS and PDM patched – As with any operating system or application, there will always be new vulnerabilities found in the PIX Firewall, even though it is essentially an appliance. On a PIX Firewall, there are usually two separate binaries to keep updated. The PIX OS is the first one. The file for the PIX OS is named something like pix634.bin. The optional piece is the PIX Device Manager (PDM), and it must be upgraded separately. Its file is named something like pdm-302.bin. Cisco PIX OS software is available to registered CCO users at this link.

8.   Back up your configuration – Once you make all your configurations to the PIX, you need to back it up in a secure place off of the PIX. This is a precaution in case the PIX has a hardware failure. To do this, use the tftp-server command to tell the PIX which TFTP server that the backup file will be stored on. Then use the write net command to store the configuration on the TFTP server. You can set up a simple TFTP server on a Windows or Linux/UNIX system, or you can use Cisco's TFTP software. This link can help.

9.   Use secure encryption – You can purchase different models of PIX Firewalls. Some come with no encryption, some have 56-bit DES encryption, and some have 3DES/AES encryption. However, no matter which model you bought, I recommend that you upgrade to the highest level of encryption possible. If you have no encryption, you can get a free license for DES 56-bit encryption from this link. You can upgrade to 3DES/AES encryption by contacting a Cisco reseller. If your PIX came with 3DES/AES encryption, you still have to register it to use it. You can also register it here. To see what encryption you currently have enabled, do a show version on your PIX.

10. Know your network – You should baseline your network so that you know what a “normal” traffic load looks like. By determining what's normal and monitoring your network, you will know what is abnormal. A good tool for baselining and monitoring is PRTG. PRTG works via SNMP and can monitor and graph the traffic flowing through a Cisco PIX. Here is a TechRepublic article on PRTG. Here is a Cisco help document on SNMP configuration with Cisco PIX.
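Step 3 only pays off if someone reads the syslog record of denials. As an added example (not from the article, and not a Cisco tool), here is a small Python summariser run over constructed PIX syslog lines. The line layout is an assumption: a syslog prefix followed by the 106023 ("Deny ... by access-group") and 106001 ("Inbound TCP connection denied") message bodies as this editor remembers them; adjust the regexes to your own PIX output.

```python
"""Summarise PIX syslog denials to see what the firewall is blocking.

Added example, not from the article. The message layout (106023 and
106001 bodies behind a syslog prefix) is an assumption; check it
against the lines your own PIX emits before relying on it.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines, not real traffic (documentation IP ranges).
SAMPLE_LOG = """\
Mar 02 2005 14:33:07 pix1 : %PIX-4-106023: Deny tcp src outside:192.0.2.7/3344 dst inside:10.0.0.5/23 by access-group "outside_in"
Mar 02 2005 14:33:08 pix1 : %PIX-4-106023: Deny tcp src outside:192.0.2.7/3345 dst inside:10.0.0.5/22 by access-group "outside_in"
Mar 02 2005 14:33:09 pix1 : %PIX-4-106023: Deny tcp src outside:192.0.2.7/3346 dst inside:10.0.0.5/445 by access-group "outside_in"
Mar 02 2005 14:33:10 pix1 : %PIX-4-106023: Deny udp src outside:198.51.100.9/53 dst inside:10.0.0.7/53 by access-group "outside_in"
Mar 02 2005 14:33:11 pix1 : %PIX-2-106001: Inbound TCP connection denied from 203.0.113.4/40001 to 10.0.0.5/135 flags SYN on interface outside
Mar 02 2005 14:33:12 pix1 : %PIX-6-302013: Built inbound TCP connection 12 for outside:203.0.113.8/1111 (203.0.113.8/1111) to inside:10.0.0.5/80 (10.0.0.5/80)
"""

# 106023: packet dropped by an access-list (the "by access-group" form is assumed).
DENY_ACL = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)
# 106001: inbound connection denied with no matching translation/rule.
DENY_CONN = re.compile(
    r"%PIX-\d-106001: Inbound (?P<proto>\w+) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denial(line):
    """Return a dict describing a denial line, or None for any other message."""
    for rx in (DENY_ACL, DENY_CONN):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            d["proto"] = d["proto"].lower()
            d["dport"] = int(d["dport"])
            d.setdefault("acl", "(none)")   # 106001 names no access-list
            return d
    return None


def summarise(log_text, scan_threshold=3):
    """Count denials per source and flag sources probing many distinct ports."""
    denials = [d for d in map(parse_denial, log_text.splitlines()) if d]
    per_src = Counter(d["src"] for d in denials)
    ports_by_src = defaultdict(set)
    for d in denials:
        ports_by_src[d["src"]].add(d["dport"])
    # One source hitting several different blocked ports is worth a closer look.
    suspects = sorted(s for s, ports in ports_by_src.items()
                      if len(ports) >= scan_threshold)
    return {"total": len(denials), "per_src": dict(per_src), "suspects": suspects}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print("denials:", report["total"])
    for src, n in sorted(report["per_src"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:16} {n}")
    print("sources probing several ports:", report["suspects"])
```

Because the report keys on the source address and destination port, the NTP point in step 3 matters as well: without correct timestamps you cannot correlate these denials with the syslog server's other records.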

David Davis manages a group of systems/network administrators for a privately owned retail company. He also does networking/systems consulting on a part-time basis. His certifications include: IBM Certified Professional-AIX Support, MCSE+Internet, Sun Certified Solaris Admin (SCSA), Certified Information Systems Security Professional (CISSP), Cisco CCNA, CCDA, and CCNP. He is also Cisco CCIE #9369.

Additional resources

Cisco documentation on configuring a Cisco PIX Firewall (Cisco Systems)

"Configure a Cisco PIX firewall and select a topology" (TechRepublic)

"Monitor a PIX firewall with a syslog server" (TechProGuild)

"Decipher the Cisco PIX log files" (TechProGuild)

Setting Up an HTTP Proxy Server with Authentication and Filtering

A proxy server allows computers to make indirect connections to other network services through the machine running the proxy. The most stable and commonly available proxy server for Linux is Squid, a caching proxy for HTTP/FTP requests. Squid caches data from the Internet on your local network, so the next time the same data is accessed, whether it's a web page or an image file, it gets served from the local server rather than over the Internet. This saves significant bandwidth but also provides a few other advantages. For example, if you're at school and certain websites you'd like to visit are blocked, you can use your proxy server to access them. Another common use of Squid is setting up web filtering for kids: whenever the browser is used, you will be prompted for a username and password, and based on the user the proxy decides whether to filter the request or not.

Let's start by installing Squid. On Debian-based systems (Ubuntu), type the following command in a terminal (press Alt+F2, type gnome-terminal and press enter):
$ sudo apt-get install squid

On systems running Fedora, type:
$ sudo yum install squid

Configure Squid by opening /etc/squid/squid.conf in your favorite text editor. In the configuration file, search for the following directives and modify them (or add them, if they don't exist) as follows:

http_port 3128 - The port Squid listens on for connections. If your system has two or more interfaces, you can specify which IP address to use. E.g.: http_port 192.168.0.1:3128

http_access deny all - Search for it in the config file, uncomment it (remove the # in front), and replace deny with allow so it becomes http_access allow all.

Restart the Squid proxy with:
$ sudo /etc/init.d/squid restart

Now you should have a fully functional HTTP proxy. To try it out, open a browser, open its preferences dialog and go to proxy settings. Here, enter the IP address of the machine running Squid and the port set in squid.conf. Now load a webpage.

Setting Up Squid Authentication And Web Filtering

This section will show you how to set up a web site filter for kids. The first time an address is entered in the browser's address bar, an authentication dialog will pop up, prompting for a username and password. We will set up two usernames, one with full and another with restricted access.

First, open /etc/squid/squid.conf and add the following line in the auth_param section:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd

Now create the user accounts using htpasswd (use -c only for the first user):
$ sudo htpasswd -c /etc/squid/passwd dad
Enter a password for user 'dad':
Again:

$ sudo htpasswd /etc/squid/passwd kid
Another password:
Again:

Create the ACLs by adding the following lines in the ACCESS CONTROLS (acl) section of squid.conf:
acl dadUser proxy_auth dad
acl kidUser proxy_auth kid
acl whitelist dstdomain "/etc/squid/whitelist"
http_access allow dadUser
http_access allow kidUser whitelist

Create the whitelist by opening a text editor, adding allowed domains like this:
.google.com
.kids-play.com
.yahoo.com
.msn.com

and save it as /etc/squid/whitelist.

Finally, search for http_access allow all in the Squid config file and modify it so it looks like this:

http_access deny all

This is what my Squid config sections look like:
# NETWORK OPTIONS
# Squid normally listens to port 3128
http_port 192.168.0.1:3128

# TAG: auth_param
#Recommended minimum configuration per scheme:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd

# ACCESS CONTROLS
# TAG: acl
acl dadUser proxy_auth dad
acl kidUser proxy_auth kid
acl whitelist dstdomain "/etc/squid/whitelist"
http_access allow dadUser
http_access allow kidUser whitelist

# TAG: http_access
# And finally deny all other access to this proxy
http_access deny all

Use deny all for Squid with authentication. Note that the allow all of the basic configuration turns Squid into an open proxy for anyone who can reach its port, so even there the sensible choice is to allow only your own network's source addresses and deny everything else. Also keep in mind that the filter only sees traffic the browser actually sends through the proxy: a client that removes the proxy setting bypasses it unless the gateway blocks direct outbound web traffic.
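To see how the order of these lines decides who gets through, before touching the live proxy, here is a small Python model of Squid's http_access evaluation. It is an added example, not Squid's code or the tutorial author's: it implements only the acl types used above (src, proxy_auth, dstdomain), the '!' negation, first-match-wins, the 407 challenge when a proxy_auth ACL is reached without credentials (simplified; Squid's exact challenge rules are more involved), and the documented default that an unmatched request gets the opposite of the last http_access line. The whitelist file is inlined as a constructed dict, the client address 192.168.0.10 is made up, and CONF_LAN_FIRST is a constructed variant that leaves the stock localnet lines of a default squid.conf above the authenticated rules.

```python
"""Offline model of Squid's http_access evaluation, for checking the ACL
ordering in a squid.conf before reloading the proxy. Simplified model, not
Squid's own code: it covers the acl types src, proxy_auth and dstdomain,
'!' negation, first-match-wins, and Squid's documented default (if no
http_access line matches, the opposite of the last line applies)."""
import ipaddress

# Constructed stand-in for /etc/squid/whitelist. Leading dot: the domain and
# all its subdomains; no leading dot: that exact host only.
FILES = {
    "/etc/squid/whitelist": ".google.com\n.kids-play.com\n.yahoo.com\n.msn.com\n",
}

# The access-control lines from the tutorial, as written.
CONF_TUTORIAL = """
acl dadUser proxy_auth dad
acl kidUser proxy_auth kid
acl whitelist dstdomain "/etc/squid/whitelist"
http_access allow dadUser
http_access allow kidUser whitelist
http_access deny all
"""

# Constructed mistake: the stock 'allow localnet' lines left above the
# authenticated rules, so LAN clients are allowed before auth is ever asked.
CONF_LAN_FIRST = """
acl localnet src 192.168.0.0/24
http_access allow localnet
""" + CONF_TUTORIAL


class AuthRequired(Exception):
    """Squid would answer 407 and challenge the browser for credentials."""


def parse(conf, files=FILES):
    """Collect acl definitions and http_access lines, expanding "file" refs."""
    acls = {"all": ("src", ["0.0.0.0/0"])}          # Squid predefines 'all'
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            expanded = []
            for v in values:
                if v.startswith('"') and v.endswith('"'):
                    expanded += files[v.strip('"')].split()    # "/path" -> file contents
                else:
                    expanded.append(v)
            acls.setdefault(name, (kind, []))[1].extend(expanded)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def match_acl(acls, name, req):
    """Evaluate one named ACL against a request (src ip, user, dst host)."""
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "proxy_auth":
        if req["user"] is None:
            raise AuthRequired      # simplification: challenge whenever credentials are needed
        return "REQUIRED" in values or req["user"] in values
    if kind == "dstdomain":
        host = req["host"].lower().rstrip(".")
        for pat in (v.lower() for v in values):
            if pat.startswith("."):
                if host == pat[1:] or host.endswith(pat):
                    return True
            elif host == pat:
                return True
        return False
    raise ValueError("acl type not modelled: " + kind)


def decide(conf, user, host, src="192.168.0.10"):
    """Return 'allow', 'deny' or '407' for one request through the proxy."""
    acls, rules = parse(conf)
    req = {"user": user, "host": host, "src": src}
    for action, terms in rules:
        try:
            # every ACL on the line must match ('!' inverts one); first matching line wins
            if all(match_acl(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
                return action
        except AuthRequired:
            return "407"
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for label, conf in (("tutorial", CONF_TUTORIAL), ("lan-first", CONF_LAN_FIRST)):
        for user, host in ((None, "example.com"), ("kid", "www.google.com"),
                           ("kid", "example.com"), ("dad", "example.com")):
            print(f"{label:9} {user or '-':4} {host:15} -> {decide(conf, user, host)}")
```

With the tutorial's order an unauthenticated request is challenged, kid reaches www.google.com but not example.com, and dad reaches everything. With the localnet lines left in front, every LAN client is allowed before Squid ever asks for a password, which is why the section above insists on placing the authenticated rules first.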

source : http://news.softpedia.com/news/Seting-Up-a-HTTP-Proxy-Server-with-Authentication-and-Filtering-52467.shtml

Building Bridges With Linux

As of this writing I've been running a bridging Linux box for almost two years. I started with 2.5.something, when 2.5 became pretty usable (sometime in summer 2003), and switched to 2.6 after the release.

I used a bridge to bind the WLan and the internal Ethernet together while keeping the ability to filter on the bridge using iptables. While you can already filter layer 2 traffic with ebtables under kernel 2.4, higher-level filtering on bridges with iptables is a 2.6 feature. Almost all Linux-based access points out there use a simple bridge, but since most run kernel 2.4 you can't try that much stuff.

The setup I assume here is pretty simple: eth0 is the internal interface, eth1 the interface with the WLan behind it. These two interfaces are meant to form a bridge. We have one more interface for the Internet connection, which we consequently ignore here.

Setting up the bridge

Setting up a bridge is pretty much straightforward. First you create the bridge, then add as many interfaces to it as you want. The member interfaces must be up and should carry no IP address of their own; the bridge device gets the address:

# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1
# ifconfig br0 192.168.32.1 netmask 255.255.255.0 up

The name br0 is just a suggestion, following the loose convention for interface names: an identifier followed by a number. However, you're free to choose anything you like. You can name your bridge pink_burning_elephant if you like. I just don't know whether you'll remember in five years why you have iptables rules for a burning elephant.

Setting up iptables

After the step above you have a single interface to use. The problem: you'd like some paranoid filtering on everything that comes from the WLan. ebtables isn't of much help here; you could create filters based on MAC addresses, but that's hardly what you want to do. So we'll use iptables. But wait, a rule for br0 will match no matter where the packet came from! The solution is simple: physdev matching, a new feature of the 2.6 kernel series (you need a recent iptables userland, of course). It relies on bridge-netfilter handing bridged frames to iptables, which the net.bridge.bridge-nf-call-iptables sysctl controls. The sample iptables listing should explain how to use it.

Let's assume that people from the WLan are allowed to use the full Internet (so no filtering there), but can only do ssh (port 22), smtp (port 25) and http (port 80) into our internal LAN. They are not meant to use IRC (port 6667) anywhere, and we'd like to have SMTP connections redirected to our SMTP server (the redirect would be a nat rule; the listing below covers only the filter part). Of course they are not meant to notice the restriction, therefore we build the bridge and filter on the bridge. The iptables rules might look like the following:

# log everything which comes in from the WLan. remember, we're paranoid :)
# (LOG is non-terminating: the packet continues down the chain afterwards)
iptables -A INPUT -p udp -m physdev --physdev-in eth1 -j LOG
iptables -A INPUT -p tcp -m physdev --physdev-in eth1 -j LOG
iptables -A INPUT -p icmp -m physdev --physdev-in eth1 -j LOG

# allow ssh, smtp and http on the router _itself_ (INPUT!)
iptables -A INPUT -p tcp --dport 22 -m physdev --physdev-in eth1 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -m physdev --physdev-in eth1 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1 -j ACCEPT

# reject all other TCP connection attempts to the router (--syn matches only
# connection setup; UDP and ICMP from the WLan are logged above but not blocked)
iptables -A INPUT -p tcp --syn -m physdev --physdev-in eth1 -j REJECT

# allow the same on the FORWARD chain, i.e. bridged from the WLan into the internal lan
iptables -A FORWARD -p tcp --dport 22 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT

# reject irc to anywhere (no --physdev-out, so this also covers traffic routed to the Internet)
iptables -A FORWARD -p tcp --dport 6667 -m physdev --physdev-in eth1 -j REJECT

# reject all other TCP connection attempts into the internal lan; Internet-bound
# traffic leaves through the non-bridged interface and does not match --physdev-out eth0
iptables -A FORWARD -p tcp --syn -m physdev --physdev-in eth1 --physdev-out eth0 -j REJECT

This short introduction should give you a good start for playing with bridging on kernel 2.6. Comments about this text are appreciated, of course. You can make some port scanners (like nmap) go crazy by rejecting things with unexpected errors, e.g. --reject-with icmp-proto-unreachable or --reject-with icmp-host-prohibited.
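To check what the listing above actually lets through, here is a Python model of the chain walk. It is added here and is not part of the original article, nor netfilter or iptables code: it parses the iptables command lines and applies them to constructed packets with netfilter's semantics (rules tried in order, LOG non-terminating, first ACCEPT/REJECT wins, and the chain policy, assumed here to be the kernel default ACCEPT, for anything unclaimed). Only the matches the listing uses are modelled (-p, --dport, --syn, -m physdev --physdev-in/--physdev-out); the packets in the cases are made up. Running it shows that TCP connection attempts are handled as the comments promise, but UDP from the WLan into the internal LAN, non-SYN TCP segments and anything entering from eth0 fall through to the policy, because the listing only rejects TCP SYNs.

```python
"""Offline model of the bridge firewall listing: parses iptables command
lines and walks a chain the way netfilter does. Rules are tried in order,
LOG does not terminate, the first ACCEPT/REJECT wins, and a packet no rule
claims falls through to the chain policy. Only the matches the listing uses
are modelled. This is an added example, not netfilter or iptables code."""
import shlex

# The listing from the article, with chain policies left at the kernel default ACCEPT.
RULES = """
iptables -A INPUT -p udp -m physdev --physdev-in eth1 -j LOG
iptables -A INPUT -p tcp -m physdev --physdev-in eth1 -j LOG
iptables -A INPUT -p icmp -m physdev --physdev-in eth1 -j LOG
iptables -A INPUT -p tcp --dport 22 -m physdev --physdev-in eth1 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -m physdev --physdev-in eth1 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1 -j ACCEPT
iptables -A INPUT -p tcp --syn -m physdev --physdev-in eth1 -j REJECT
iptables -A FORWARD -p tcp --dport 22 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
iptables -A FORWARD -p tcp --dport 6667 -m physdev --physdev-in eth1 -j REJECT
iptables -A FORWARD -p tcp --syn -m physdev --physdev-in eth1 --physdev-out eth0 -j REJECT
"""

# options that take one argument, mapped to the rule field they fill
TAKES_ARG = {"-A": "chain", "-p": "proto", "--dport": "dport", "-m": "module",
             "--physdev-in": "pin", "--physdev-out": "pout", "-j": "target"}


def parse_rules(text):
    """Turn 'iptables -A CHAIN ...' lines into per-chain rule lists."""
    chains = {"INPUT": [], "FORWARD": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        toks = shlex.split(line)
        if toks[0] != "iptables":
            raise ValueError("not an iptables command: " + line)
        rule = {"syn": False}
        i = 1
        while i < len(toks):
            opt = toks[i]
            if opt in TAKES_ARG:
                rule[TAKES_ARG[opt]] = toks[i + 1]
                i += 2
            elif opt == "--syn":
                rule["syn"] = True
                i += 1
            else:
                # unknown flags are an error, as they are for iptables itself
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        if "dport" in rule:
            rule["dport"] = int(rule["dport"])
        chains[rule["chain"]].append(rule)
    return chains


def matches(rule, pkt):
    """Does the match part of this rule claim the packet?"""
    if rule.get("proto") and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and pkt["dport"] != rule["dport"]:
        return False
    if rule["syn"] and not (pkt["proto"] == "tcp" and pkt["syn"]):
        return False
    if rule.get("pin") and rule["pin"] != pkt["pin"]:       # bridge port the frame entered
        return False
    if rule.get("pout") and rule["pout"] != pkt["pout"]:    # bridge port it leaves through
        return False
    return True


def verdict(chains, chain, pkt, policy="ACCEPT"):
    """Walk one chain; return (final target, whether a LOG rule fired)."""
    logged = False
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule["target"] == "LOG":
            logged = True           # LOG is non-terminating: keep walking
            continue
        return rule["target"], logged
    return policy, logged           # nothing claimed it: the chain policy decides


def pkt(proto, dport=None, syn=False, pin=None, pout=None):
    """Constructed packet: protocol, dest port, SYN flag, bridge ports crossed.
    pout is None for traffic routed out of the non-bridged Internet interface."""
    return {"proto": proto, "dport": dport, "syn": syn, "pin": pin, "pout": pout}


CHAINS = parse_rules(RULES)

if __name__ == "__main__":
    cases = [
        ("ssh WLan -> router",            "INPUT",   pkt("tcp", 22, True, "eth1")),
        ("rdp WLan -> router",            "INPUT",   pkt("tcp", 3389, True, "eth1")),
        ("http WLan -> internal LAN",     "FORWARD", pkt("tcp", 80, True, "eth1", "eth0")),
        ("irc WLan -> Internet",          "FORWARD", pkt("tcp", 6667, True, "eth1")),
        ("https WLan -> Internet",        "FORWARD", pkt("tcp", 443, True, "eth1")),
        ("dns/udp WLan -> internal LAN",  "FORWARD", pkt("udp", 53, False, "eth1", "eth0")),
        ("tcp ACK WLan -> internal LAN",  "FORWARD", pkt("tcp", 3389, False, "eth1", "eth0")),
        ("rdp internal LAN -> WLan",      "FORWARD", pkt("tcp", 3389, True, "eth0", "eth1")),
    ]
    for name, chain, p in cases:
        print(f"{name:32} {verdict(CHAINS, chain, p)}")
```

The last three cases are the ones worth acting on: if the WLan should be confined to ports 22, 25 and 80, the listing needs a catch-all for UDP (or a DROP policy on FORWARD with explicit allows), and if mid-stream segments should not pass unexamined, a state match belongs in front of the --syn rejects.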

source : http://bwachter.lart.info/linux/bridges.html