Restrict web access
blitzo
2008-01-25, 08:41 AM CST
I am hoping to deploy a general Linux client for a user to access certain permitted sites and check email. Is there a way I can only permit (i.e. whitelist) a few sites? The browser of choice will be Firefox. I don't think I can do this through Firefox, but I know there has to be a way. The other option I was thinking of was disabling DNS and manually entering host names for the required sites.
Evil_Bert
2008-01-25, 08:49 AM CST
The built-in netfilter/iptables firewall can do that, but you need to generate a set of custom rules to do so. That will require you to learn a bit about how to do it, but basically, you restrict outbound traffic and only allow http port 80 traffic to the few selected web sites you approve, and pop (port 110) and smtp (port 25) traffic to the designated mail server(s).
(Edit: for the pedants out there, yes you permit DHCP and DNS traffic as well, and https if any of the web sites use SSL, etc.)
Have you set up firewall rules before?
Evil_Bert
2008-01-25, 08:57 AM CST
Another thought: Depending on how many clients there are, whether they all have the same access and whether they're all in the same organisation, it may be easier to achieve this through a gateway rather than on each client.
blitzo
2008-01-25, 10:31 AM CST
Yes, I am familiar with iptables. I think using iptables to accomplish this would be too much work and maintenance. I would basically need a rule for each allowed site. Actually, can iptables use address groups?
Iron_Mike
2008-01-25, 04:50 PM CST
Check out squid with the squidguard plugin; it might do what you want...
kyro
2008-01-26, 07:36 PM CST
Why not play with firestarter (GTK-app)?
-------------------------------------------------------------------------------------------------
sudo yum info firestarter
Available Packages
Name : firestarter
Arch : i386
Version: 1.0.3
Release: 17.fc8
Size : 391 k
Repo : fedora
Summary: Firewall tool for GNOME
Description:
Firestarter is an easy-to-use, yet powerful, Linux firewall tool for GNOME.
Use it to quickly set up a secure environment using the firewall creation
wizard, or use it's monitoring and administrating features with your old
firewall scripts.
-------------------------------------------------------------------------------------------------
GrapeShot
2008-01-26, 08:15 PM CST
I use FWBuilder to create my IPTables. I have a rule made that reads a list of URLs and generates a rule to block each site. I imagine that I could do the same thing to allow access to only those sites. Upkeep of the rule is simple - change the blocked_list file and restart the firewall.
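The list-driven approach described in the post above, applied to the allowlist outlined earlier in the thread (permitted web sites, POP/SMTP to the mail server, DHCP and DNS), as an added example that is not code posted by anyone in this thread. The list file format, the function names, the sample hosts and the DNS server address are assumptions.

```shell
#!/bin/sh
# Added example: print (not apply) a default-deny OUTPUT rule set built from
# an allowlist file. Review the output, then pipe it to "sh" as root.

# gen_allowlist_rules LIST_FILE DNS_SERVER_IPV4
# LIST_FILE lines: "<host-or-IPv4> <tcp-port>"; blanks and '#' comments skipped.
gen_allowlist_rules() {
    list=$1 dns=$2
    case $dns in ''|*[!0-9.]*) echo "bad DNS server: $dns" >&2; return 1 ;; esac

    echo "iptables -F OUTPUT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT"  # DHCP
    echo "iptables -A OUTPUT -p udp -d $dns --dport 53 -j ACCEPT"     # DNS
    echo "iptables -A OUTPUT -p tcp -d $dns --dport 53 -j ACCEPT"

    while read -r host port rest || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        # Validate every field so a bad list entry cannot inject shell syntax.
        case $host in -*|*[!A-Za-z0-9.-]*) echo "skipped: $host" >&2; continue ;; esac
        case $port in ''|*[!0-9]*|??????*) echo "skipped: $host" >&2; continue ;; esac
        if [ -n "$rest" ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "skipped: $host" >&2; continue
        fi
        echo "iptables -A OUTPUT -p tcp -d $host --dport $port -j ACCEPT"
    done < "$list"

    # Policy goes last so the accept rules exist before default-deny applies.
    echo "iptables -P OUTPUT DROP"
}

# Constructed sample list (hypothetical hosts; 192.0.2.0/24 is documentation space).
demo_rules() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# permitted web sites
www.example.org 80
www.example.org 443
# mail server: POP3 and SMTP
192.0.2.25 110
192.0.2.25 25
bad;host 80
EOF
    gen_allowlist_rules "$tmp" 192.0.2.53
    rm -f "$tmp"
}
```

iptables resolves a host name once, when the rule is added, so the generated rules need to be regenerated and reloaded whenever the list or a site's addresses change.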
Evil_Bert
2008-01-26, 09:12 PM CST
> Why not play with firestarter (GTK-app)
Firestarter is just an alternative front-end for netfilter/iptables + status GUI.