[K12OSN] Fedora 2 vs WB3 or RHE3 and old proxy by-pass prob

Terrell Prude', Jr. microman at cmosnetworks.com
Fri Jun 4 23:06:16 UTC 2004

k12osn at collinsoft.com wrote:

>>Of course, there certainly are technological ways to stop this, and 
>>you'd do that at your Internet firewall.  Do your students have any 
>>*actual need* to use TCP 20, 21, 22, 23, and 25 to carry forward the 
>>educational process?  Ask yourself that.  TCP 80 and TCP 443, you can 
>>transparently proxy those.  Combined, this should put a stop to apps 
>>like circumventor.
>Even blocking everything and transparently proxying those two ports won't 
>stop someone from running some sort of anonymizing proxy such as 
>But I agree, talk softly but carry a big stick!

Actually, transparently proxying those two ports will do it very 
nicely.  If someone's running an anonymizing proxy, just block that IP 
address.  Since, in this scenario, you'd be allowing only TCP 80 and TCP 
443 to go out, they *have* to go through your transparent proxy setup 
before they can go out.  Thus, you can do whatever you want to their 
traffic, and they have no choice.  Discover an anonymizing proxier?  No 
problem:  "access-list 199 deny ip any host ano.nym.iz.er".  That's how 
we dealt with circumventor, and it does work.

But wait, you may say!  They could use TCP 53, the DNS port!  Nope, not 
if you set up split DNS and tweak your firewall rules, making your 
internal one a forwarder.  Heh heh...sorry, kiddies.

The only way I can think of to get around this is to have a modem or DSL 
line, which 1.) costs money, and 2.) should be verboten in the policy 
document anyway.

More information about the K12OSN mailing list