[K12OSN] Fedora 2 vs WB3 or RHE3 and old proxy by-pass prob

Terrell Prude', Jr. microman at cmosnetworks.com
Mon Jun 7 01:45:26 UTC 2004


k12osn at collinsoft.com wrote:

>On Fri, 4 Jun 2004, Terrell Prude', Jr. wrote:
>
>>k12osn at collinsoft.com wrote:
>>
>>>Even blocking everything and transparently proxying those two ports won't 
>>>stop someone from running some sort of anonymizing proxy such as 
>>>circumventor.
>>>
>>Actually, transparently proxying those two ports will do it very 
>>nicely.  If someone's running an anonymizing proxy, just block that IP 
>>address.  Since, in this scenario, you'd be allowing only TCP 80 and TCP 
>>443 to go out, they *have* to go through your transparent proxy setup 
>>before they can go out.  Thus, you can do whatever you want to their 
>>traffic, and they have no choice.  Discover an anonymizing proxier?  No 
>>problem:  "access-list 199 deny ip any host ano.nym.iz.er".  That's how 
>>we dealt with circumventor, and it does work.
>
>This still won't stop someone from running an anonymous proxy service that 
>acts as a website. I'm not familiar with circumventor at all, but I have 
>seen software where you surf to the website running on a home machine, it 
>asks for a url, and it sends the page to you, bypassing any filtering you 
>might have done. A good example on how this works would be 
>http://www.anonymizer.com/ (which should be blocked in your filtering 
>software!).
>
>And if they set it up as a secure site, Dans Guardian won't be able to 
>filter the content.
>

You're absolutely correct; someone can do all of that. However, it'll 
show up in your logs (you are checking your logs, right? :-) ), and you 
can block that site, either from within 
DansGuardian/squidGuard/whatever, or on your packet filter, the same way 
you block www.anonymizer.com. Not sure if you're about to block a "real" 
Web site? nslookup and whois can be your friends here.

Oh, by the way, as it shows up in the logs, you can coordinate that with 
the source IP address, i.e. the client box, thus narrowing down which 
school, which switch port, therefore which drop in which room, at what 
time, and you have nailed that kid. I've had to do this kind of thing 
many times, and we do run DHCP w/ private IP addresses, and yes, I am 
successful nearly every time. Not that I'm particularly brilliant; it 
just ain't that hard. ;-)

--TP
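The log-review step TP describes (spot the anonymizing site in the proxy log, then tie the client IP back to a DHCP lease and a switch port) can be scripted. The following is an added example, not code from the thread or from DansGuardian/squid; it parses squid's native access.log format, flags hits against a blocklist (www.anonymizer.com is the only host the thread names; the other hosts, IP addresses, MACs, lease table and switch-port table are constructed sample data), and joins each hit to the lease and port records so an administrator can see which machine, where, and when.

```python
import re
from datetime import datetime, timezone

# Constructed sample: squid native access.log lines
# (timestamp, elapsed ms, client IP, result/status, bytes, method, URL, user, hierarchy, type).
SAMPLE_LOG = """\
1086570326.112    245 10.20.3.41 TCP_MISS/200 5120 GET http://www.example-school.org/index.html - DIRECT/192.0.2.10 text/html
1086570331.804    310 10.20.3.41 TCP_MISS/200 8812 GET http://www.anonymizer.com/ - DIRECT/192.0.2.20 text/html
1086570340.500    120 10.20.7.9 TCP_MISS/200 2048 CONNECT www.anonymizer.com:443 - DIRECT/192.0.2.20 -
1086570355.001     90 10.20.7.9 TCP_MISS/200 1500 GET http://www.example-school.org/news.html - DIRECT/192.0.2.10 text/html
"""

# Blocklist of second-level domains; subdomains (www.anonymizer.com) match too.
BLOCKLIST = {"anonymizer.com"}

# Constructed DHCP lease table: client IP -> (MAC, hostname)
SAMPLE_LEASES = {
    "10.20.3.41": ("00:11:22:33:44:55", "lab2-pc07"),
    "10.20.7.9": ("66:77:88:99:aa:bb", "lib-pc03"),
}

# Constructed switch MAC-address (CAM) table export: MAC -> physical location
SAMPLE_CAM = {
    "00:11:22:33:44:55": "North HS / switch-b2 / Gi0/7 / room 214",
    "66:77:88:99:aa:bb": "North HS / switch-lib / Fa0/3 / library",
}

SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def host_of(method, url):
    """Destination host: 'host' from 'host:port' for CONNECT, the URL's host otherwise."""
    if method == "CONNECT":
        return url.split(":", 1)[0].lower()
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else url.lower()


def parse_log(text):
    """Parse squid native-format lines; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = SQUID_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "time": datetime.fromtimestamp(float(d["ts"]), tz=timezone.utc),
            "client": d["client"],
            "method": d["method"],
            "host": host_of(d["method"], d["url"]),
        })
    return entries


def find_proxy_hits(entries, blocklist):
    """Entries whose destination is a blocklisted domain or one of its subdomains."""
    def blocked(host):
        return any(host == b or host.endswith("." + b) for b in blocklist)
    return [e for e in entries if blocked(e["host"])]


def correlate(hits, leases, cam_table):
    """Attach the DHCP lease (MAC, hostname) and switch-port location to each hit."""
    out = []
    for h in hits:
        mac, name = leases.get(h["client"], (None, None))
        location = cam_table.get(mac) if mac else None
        out.append({**h, "mac": mac, "hostname": name, "location": location})
    return out


def report(log_text=SAMPLE_LOG, blocklist=BLOCKLIST, leases=SAMPLE_LEASES, cam=SAMPLE_CAM):
    """Full pipeline: parse the log, pick out blocklisted destinations, join to lease/port data."""
    return correlate(find_proxy_hits(parse_log(log_text), blocklist), leases, cam)


if __name__ == "__main__":
    for r in report():
        print(f"{r['time']:%Y-%m-%d %H:%M:%S}Z {r['client']} ({r['hostname']}, {r['mac']})"
              f" {r['method']} {r['host']} [{r['location']}]")
```

Note that the CONNECT line is what an HTTPS session to the anonymizer looks like in the proxy log: the content cannot be filtered, as the earlier reply points out, but the destination host and the client IP are still recorded, which is all the correlation needs. Point `report()` at a real access.log and at exports of your DHCP leases and switch MAC tables to use it outside the sample.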
