[K12OSN] Fedora 2 vs WB3 or RHE3 and old proxy by-pass prob

k12osn at collinsoft.com k12osn at collinsoft.com
Fri Jun 4 02:25:31 UTC 2004


On Thu, 3 Jun 2004, Jim Christiansen wrote:
> The questions that I had about the IPCop/Mozilla proxy being bypassed have 
> been solved by only allowing proxy traffic through a defined port in 
> iptables.  If anyone wants to know how I did this, please drop me a line.  
> Oh, heck...scp /home2/ipcop-252/rc.local.proxy-252 jim at home:
> # ports:
> #       20,21           ftp
> #       22              ssh
> #       25              smtp
> #       53              dns
> #       80,443          web
> #       123             ntpd
> #       445             https: ipcop
> #       11371           GNU GPG
> #       445             IPCop external https connection
> 
> ALLOW_TCP_OUT="20 21 22 25 53 80 85 113 123 443 445 8800 11371"
> ALLOW_UDP_OUT="20 21 22 25 53 80 85 123 443 445 8800"
> 
> for i in $ALLOW_TCP_OUT ; do
>        /sbin/iptables -A CUSTOMFORWARD -i $GREEN -p tcp --dport $i -j ACCEPT
> done

Can't they still set up an external proxy on one of these ports and still 
bypass it? If I was a student I would set up apache in proxy mode on my 
Road Runner connection (requiring a username/password) and set it to 
accept connections on various ports that have a good chance of being open, 
such as 20,21,22,23,25,443. 

A good site to see what students can do is http://peacefire.org/. It 
appears they have a program called circumventor which lets the students 
get around your filtering even without changing the proxy server. It 
also uses SSL to encrypt the transmission so you can't even see what's 
going through. I don't know how to stop this one.

-- 
Ryan Collins
Technology Coordinator
http://www.kentoncityschools.org/
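A default-deny version of the egress rules, added here as an illustration and not taken from Jim's rc.local.proxy-252 or from IPCop: clients on GREEN are never forwarded to web ports (the proxy on the firewall makes those connections itself), the ports clients may still reach directly are kept to a short list, and every other attempt is logged so direct connections to an outside proxy leave a trace in the firewall log. The GREEN variable and the CUSTOMFORWARD chain are assumed as in the quoted script; the interface name and the port lists are constructed.

```shell
#!/bin/sh
# Added example, not Jim's rc.local.proxy-252 and not IPCop code.
# Default-deny egress for the GREEN network: client machines are never
# forwarded to web ports (the proxy on the firewall makes those connections
# itself), the few ports clients may reach directly are listed explicitly,
# and everything else is logged before it is dropped so direct attempts
# show up in the firewall log.
# Assumed, as in the quoted script: the GREEN variable and the
# CUSTOMFORWARD chain.  The interface name and port lists are constructed.

GREEN="${GREEN:-eth0}"
# Every port left here is a possible path to an outside proxy, so keep the
# lists as short as the site can stand.
ALLOW_TCP_OUT="22 123"
ALLOW_UDP_OUT="53 123"
WEB_PORTS="80 443 8080"

# Emit the iptables commands instead of running them, so the ruleset can be
# reviewed first and then applied with:  gen_rules | sh
gen_rules() {
    # Log (rate limited) and reject direct web connections with a reset, so
    # the browser fails immediately instead of hanging.
    for p in $WEB_PORTS; do
        printf '/sbin/iptables -A CUSTOMFORWARD -i %s -p tcp --dport %s -m limit --limit 5/min -j LOG --log-prefix "DIRECT-WEB: "\n' "$GREEN" "$p"
        printf '/sbin/iptables -A CUSTOMFORWARD -i %s -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' "$GREEN" "$p"
    done
    for p in $ALLOW_TCP_OUT; do
        printf '/sbin/iptables -A CUSTOMFORWARD -i %s -p tcp --dport %s -j ACCEPT\n' "$GREEN" "$p"
    done
    for p in $ALLOW_UDP_OUT; do
        printf '/sbin/iptables -A CUSTOMFORWARD -i %s -p udp --dport %s -j ACCEPT\n' "$GREEN" "$p"
    done
    # Catch-all: log, then drop.  Search the log for EGRESS-DENY and
    # DIRECT-WEB to see which hosts are trying to get out around the proxy.
    printf '/sbin/iptables -A CUSTOMFORWARD -i %s -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY: "\n' "$GREEN"
    printf '/sbin/iptables -A CUSTOMFORWARD -i %s -j DROP\n' "$GREEN"
}

# Number of ACCEPT rules, a quick check that the allow list is what you meant.
count_accepts() {
    gen_rules | grep -c ' -j ACCEPT'
}

gen_rules
```

Any port that stays in ALLOW_TCP_OUT or ALLOW_UDP_OUT can still carry a tunnel to a proxy listening there, which is exactly the point made above; the log lines are what tell you it is happening.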
