On Thu, 3 Jun 2004, Jim Christiansen wrote:
The questions that I had about the IPCop/Mozilla proxy being bypassed have been solved by only allowing proxy traffic through a defined port in iptables. If anyone wants to know how I did this, please drop me a line. Oh, heck...scp /home2/ipcop-252/rc.local.proxy-252 jim home:
# 20,21 ftp
# 22 ssh
# 25 smtp
# 53 dns
# 80,443 web
# 123 ntpd
# 445 https: ipcop
# 11371 GNU GPG
# 445 IPCop external https connection
ALLOW_TCP_OUT="20 21 22 25 53 80 85 113 123 443 445 8800 11371"
ALLOW_UDP_OUT="20 21 22 25 53 80 85 123 443 445 8800"
for i in $ALLOW_TCP_OUT ; do
/sbin/iptables -A CUSTOMFORWARD -i $GREEN -p tcp --dport $i -j ACCEPT
done
Can't they still set up an external proxy on one of these ports and still bypass it? If I were a student I would set up apache in proxy mode on my Road Runner connection (requiring a username/password) and set it to accept connections on various ports that have a good chance of being open, such as 20,21,22,23,25,443.
A good site to see what students can do is http://peacefire.org/. It appears they have a program called circumventor which lets the students get around your filtering even without changing the proxy server. It also uses SSL to encrypt the transmission so you can't even see what's going through. I don't know how to stop this one.
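Added example, not from either poster: assuming a LOG rule is appended after the ACCEPT rules in CUSTOMFORWARD (for instance `iptables -A CUSTOMFORWARD -i $GREEN -j LOG --log-prefix "EGRESS-DENY "`, an assumption not in Jim's script), this script summarises the resulting kernel log lines so internal hosts that repeatedly hit denied outbound ports stand out. The log lines and addresses are constructed; as the reply notes, a proxy listening on an allowed port such as 443 never reaches the LOG rule, so this only surfaces attempts against ports the allowlist blocks.

```python
import re
from collections import defaultdict

# Constructed sample of netfilter LOG output as it would appear in /var/log/messages
# behind a hypothetical "EGRESS-DENY" LOG rule at the end of CUSTOMFORWARD
# (assumption; Jim's posted script contains no LOG rule).
SAMPLE_LOG = """\
Jun  3 10:01:02 ipcop kernel: EGRESS-DENY IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40001 DPT=8080 SYN
Jun  3 10:01:03 ipcop kernel: EGRESS-DENY IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40002 DPT=3128 SYN
Jun  3 10:01:05 ipcop kernel: EGRESS-DENY IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40003 DPT=1080 SYN
Jun  3 10:02:11 ipcop kernel: EGRESS-DENY IN=eth0 OUT=eth1 SRC=192.168.1.77 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51000 DPT=6667 SYN
Jun  3 10:05:40 ipcop kernel: EGRESS-DENY IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.10 LEN=48 PROTO=UDP SPT=40010 DPT=5060
"""

# Fields netfilter prints for a forwarded TCP/UDP packet that hit the LOG rule.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>TCP|UDP) SPT=\d+ DPT=(?P<dport>\d+)"
)

def parse_denies(text):
    """Yield (src, dst, proto, dport) for every netfilter LOG line in text."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])

def summarise(text, min_ports=3):
    """Return {src: {"ports": [...], "dsts": [...]}} for internal hosts that were
    denied on at least min_ports distinct (proto, port) pairs. One host hitting
    several denied ports on the same external address is the pattern to review."""
    ports = defaultdict(set)
    dsts = defaultdict(set)
    for src, dst, proto, dport in parse_denies(text):
        ports[src].add((proto, dport))
        dsts[src].add(dst)
    return {
        src: {"ports": sorted(p), "dsts": sorted(dsts[src])}
        for src, p in ports.items()
        if len(p) >= min_ports
    }

if __name__ == "__main__":
    for src, info in summarise(SAMPLE_LOG).items():
        print(src, "->", ", ".join(info["dsts"]), "denied ports:",
              " ".join(f"{proto.lower()}/{port}" for proto, port in info["ports"]))
```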