[K12OSN] Fedora 2 vs WB3 or RHE3 and old proxy by-pass prob

Terrell Prude', Jr. microman at cmosnetworks.com
Fri Jun 4 11:32:34 UTC 2004

k12osn at collinsoft.com wrote:

>On Thu, 3 Jun 2004, Jim Christiansen wrote:
>>The questions that I had about the IPCop/Mozilla proxy being bypassed have 
>>been solved by only allowing proxy traffic through a defined port in 
>>iptables.  If anyone wants to know how I did this, please drop me a line.  
>>Oh, heck...scp /home2/ipcop-252/rc.local.proxy-252 jim at home:
>># ports:
>>#       20,21           ftp
>>#       22              ssh
>>#       25              smtp
>>#       53              dns
>>#       80,443          web
>>#       123             ntpd
>>#       445             https: ipcop
>>#       11371           GNU GPG
>>#       445             IPCop external https connection
>>ALLOW_TCP_OUT="20 21 22 25 53 80 85 113 123 443 445 8800 11371"
>>ALLOW_UDP_OUT="20 21 22 25 53 80 85 123 443 445 8800"
>>for i in $ALLOW_TCP_OUT ; do
>>       /sbin/iptables -A CUSTOMFORWARD -i $GREEN -p tcp --dport $i -j ACCEPT
>Can't they still setup an external proxy on one of these ports and still 
>bypass it? If I was a student I would setup apache in proxy mode on my 
>Road Runner connection (requiring a username/password) and set it to 
>accept connections on various ports that have a good chance of being open, 
>such as 20,21,22,23,25,443. 
>A good site to see what students can do is http://peacefire.org/. It 
>appears they have a program called circumventor which lets the students 
>get around you're filtering even without changing the proxy server. It 
>also uses SSL to encrypt the transmission so you can't even see what's 
>going through. I don't know how to stop this one.

Sure they could; we've had to deal with circumventor for the last couple 
of years in our district.  That's why you need to have a written policy 
in place that says what the penalties are for actions like this, and 
then enforce it.  A big part of INFOSEC anywhere, including in a school, 
is having the written policy, otherwise you have little legal leg on 
which to stand when someone does something inappropriate, be it staff 
member, board member, or student.

Of course, there certainly are technological ways to stop this, and 
you'd do that at your Internet firewall.  Do your students have any 
*actual need* to use TCP 20, 21, 22, 23, and 25 to carry forward the 
educational process?  Ask yourself that.  TCP 80 and TCP 443, you can 
transparently proxy those.  Combined, this should put a stop to apps 
like circumventor.


More information about the K12OSN mailing list