Re: [K12OSN] Fedora 2 vs WB3 or RHE3 and old proxy by-pass prob

k12osn collinsoft com wrote:

Of course, there certainly are technological ways to stop this, and you'd do that at your Internet firewall. Do your students have any *actual need* to use TCP 20, 21, 22, 23, and 25 to carry forward the educational process? Ask yourself that. TCP 80 and TCP 443, you can transparently proxy those. Combined, this should put a stop to apps like circumventor.

Even blocking everything and transparently proxying those two ports won't stop someone from running some sort of anonymizing proxy such as circumventor.

But I agree, talk softly but carry a big stick!

Actually, transparently proxying those two ports will do it very nicely. If someone's running an anonymizing proxy, just block that IP address. Since, in this scenario, you'd be allowing only TCP 80 and TCP 443 to go out, they *have* to go through your transparent proxy setup before they can go out. Thus, you can do whatever you want to their traffic, and they have no choice. Discover an anonymizing proxier? No problem: "access-list 199 deny ip any host ano.nym.iz.er". That's how we dealt with circumventor, and it does work.

But wait, you may say! They could use TCP 53, the DNS port! Nope, not if you set up split DNS and tweak your firewall rules, making your internal one a forwarder. Heh heh...sorry, kiddies.

The only way I can think of to get around this is to have a modem or DSL line, which 1.) costs money, and 2.) should be verboten in the policy document anyway.
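An added example (not from the original post or the list) of what the policy described above looks like as an iptables ruleset on a Linux edge firewall, since the thread is about Fedora/RHEL boxes and the `access-list 199 deny ip any host ...` line above is Cisco syntax. It default-denies forwarding, steers all LAN port 80 traffic into a transparent Squid, passes only port 443 straight through, lets only the internal split-DNS forwarder talk to outside resolvers on port 53, and drops any anonymizer hosts you have discovered. Interface names, the 192.168.1.0/24 network, the forwarder address, the Squid port 3128 and the two blocked addresses (documentation ranges, not real Circumventor hosts) are all placeholders I chose. One caveat the post glosses over: a REDIRECT rule can intercept plain HTTP, but TLS on 443 cannot be transparently proxied this way without extra Squid configuration, so here 443 is merely filtered, not proxied. Without `--apply` the script only prints the rules it would load.

```shell
#!/bin/sh
# Edge-firewall ruleset for the policy in the post above:
#   - nothing leaves the LAN except TCP 80/443 (default FORWARD DROP)
#   - port 80 is REDIRECTed into a transparent Squid on this box
#   - port 53 may leave only from the internal split-DNS forwarder
#   - discovered anonymizing proxies are dropped outright
# Run "sh fw.sh --apply" as root to load the rules; without --apply the
# iptables commands are printed so the ruleset can be reviewed first.

# ASSUMED topology: placeholders, not from the original post.
LAN_IF=${LAN_IF:-eth1}             # inside interface
WAN_IF=${WAN_IF:-eth0}             # outside interface
LAN_NET=${LAN_NET:-192.168.1.0/24}
DNS_FWD=${DNS_FWD:-192.168.1.2}    # internal forwarder (split DNS)
PROXY_PORT=${PROXY_PORT:-3128}     # Squid listening with a transparent http_port

# Constructed list of anonymizer addresses to block (documentation ranges,
# not real hosts): one per line, add to it as you discover more.
BLOCKED_HOSTS="198.51.100.10
203.0.113.44"

# Either run iptables or, in dry-run mode, print the command it would run.
rule() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Start clean and default-deny everything crossing the firewall.
    rule -F FORWARD
    rule -t nat -F PREROUTING
    rule -P FORWARD DROP

    # Replies to connections the LAN was allowed to open.
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Discovered anonymizing proxies: drop them before any allow rule.
    for h in $BLOCKED_HOSTS; do
        rule -A FORWARD -i "$LAN_IF" -d "$h" -j DROP
    done

    # Transparent proxy: every LAN HTTP request is steered into Squid on this
    # box, so clients have no way to reach port 80 on the Internet directly.
    rule -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"

    # HTTPS is only passed through the filter (a REDIRECT rule cannot
    # intercept TLS); it is still the sole other port a client can open.
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 443 \
        -m state --state NEW -j ACCEPT

    # Split DNS: only the internal forwarder may query outside resolvers, so a
    # client cannot tunnel over port 53 to some host of its own choosing.
    for proto in udp tcp; do
        rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$DNS_FWD" \
            -p "$proto" --dport 53 -j ACCEPT
    done
    # Everything else from the LAN (ftp, ssh, telnet, smtp, stray DNS, ...)
    # falls through to the DROP policy.
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    DRY_RUN=1
    apply_rules
fi
```

Note the order: the per-host DROP lines sit above the 443 ACCEPT, so a discovered anonymizer is unreachable even on the one port that bypasses Squid, and the port 80 REDIRECT happens in the nat table before the filter chain ever sees the packet.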

