[K12OSN] Fedora 2 vs WB3 or RHE3 and old proxy by-pass prob
Terrell Prude', Jr.
microman at cmosnetworks.com
Fri Jun 4 23:06:16 UTC 2004
k12osn at collinsoft.com wrote:
>>Of course, there certainly are technological ways to stop this, and
>>you'd do that at your Internet firewall. Do your students have any
>>*actual need* to use TCP 20, 21, 22, 23, and 25 to carry forward the
>>educational process? Ask yourself that. TCP 80 and TCP 443, you can
>>transparently proxy those. Combined, this should put a stop to apps
>>like circumventor.
>
>Even blocking everything and transparently proxying those two ports won't
>stop someone from running some sort of anonymizing proxy such as
>circumventor.
>
>But I agree, talk softly but carry a big stick!
>
Actually, transparently proxying those two ports will do it very
nicely. If someone's running an anonymizing proxy, just block that IP
address. Since, in this scenario, you'd be allowing only TCP 80 and TCP
443 to go out, they *have* to go through your transparent proxy setup
before they can go out. Thus, you can do whatever you want to their
traffic, and they have no choice. Discover an anonymizing proxier? No
problem: "access-list 199 deny ip any host ano.nym.iz.er". That's how
we dealt with circumventor, and it does work.
But wait, you may say! They could use TCP 53, the DNS port! Nope, not
if you set up split DNS and tweak your firewall rules, making your
internal one a forwarder. Heh heh...sorry, kiddies.
The only way I can think of to get around this is to have a modem or DSL
line, which 1.) costs money, and 2.) should be verboten in the policy
document anyway.
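The egress policy Terrell describes (only TCP 80/443 out of the student LAN, and only via the transparent proxy; DNS only through the internal split-DNS forwarder; any discovered anonymizing proxy blocked by address, the Cisco "access-list 199 deny" step), written up here as an added nftables example rather than anything from the post or the list. The interface name, subnets, proxy port and forwarder address are constructed assumptions.

```shell
#!/bin/sh
# Added example: the thread's egress policy as an nftables ruleset.
# Student LAN may leave only on TCP 80/443, and only through the transparent proxy;
# DNS only to the internal split-DNS forwarder; everything else is logged and dropped.
# Interface, subnets, proxy and forwarder addresses below are constructed assumptions.
LAN_IF="${LAN_IF:-eth1}"                      # interface facing the student LAN
STUDENT_NET="${STUDENT_NET:-10.1.0.0/16}"     # student address range
PROXY_IP="${PROXY_IP:-10.0.0.5}"              # transparent web proxy (squid or similar)
PROXY_PORT="${PROXY_PORT:-3128}"
DNS_FWD="${DNS_FWD:-10.0.0.2}"                # internal forwarder that does the real lookups

# Print the ruleset. $1 = space-separated anonymizing-proxy addresses already
# discovered, the nft equivalent of "access-list 199 deny ip any host ...".
render_ruleset() {
  _elements=""
  [ -n "$1" ] && _elements="elements = { $(echo "$1" | tr ' ' ',') }"
  cat <<EOF
table inet egress {
  set anon_proxies {
    type ipv4_addr
    $_elements
  }
  chain redirect_web {
    type nat hook prerouting priority dstnat; policy accept;
    iifname "$LAN_IF" ip saddr $STUDENT_NET tcp dport { 80, 443 } dnat ip to $PROXY_IP:$PROXY_PORT
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ip daddr @anon_proxies counter drop
    ct state established,related accept
    ip saddr $STUDENT_NET ip daddr $PROXY_IP tcp dport $PROXY_PORT accept
    ip saddr $STUDENT_NET ip daddr $DNS_FWD udp dport 53 accept
    ip saddr $STUDENT_NET ip daddr $DNS_FWD tcp dport 53 accept
    ip saddr $PROXY_IP tcp dport { 80, 443 } accept
    ip saddr $DNS_FWD udp dport 53 accept
    ip saddr $DNS_FWD tcp dport 53 accept
    log prefix "egress-drop " counter drop
  }
}
EOF
}

# Apply only when explicitly asked and nft is available (needs root).
if [ "${EGRESS_APPLY:-0}" = 1 ] && command -v nft >/dev/null 2>&1; then
  render_ruleset "$BLOCKED_PROXIES" | nft -f -
fi
```

Run with `EGRESS_APPLY=1 BLOCKED_PROXIES="a.b.c.d e.f.g.h"` to load it; the "egress-drop" log prefix is what to watch for hosts probing ports other than 80/443 or 53.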