
Re: [K12OSN] old proxy by-pass prob

Bert Rolston wrote:

Hi Ryan,

Aw shucks, just keep an eye out for one site that seems to be getting
extra attention.

There are flaws in the circumventor strategy.

1) It relies on someone in the censored environment with sufficient
ability to install the software on their personal machine outside of the
censored environment. The censored environment may be a home, school, or

2) The circumventor machine has to be uncensored, or the censoring
software has to be disabled.

3) The circumventor machine has to be on a permanent connection, so the
address won't change. This will show up in your proxy logs, once it
does, BLOCK IT!

4) Peacefire suggests only giving this address out to about 10 people.
Why? So the traffic doesn't get too heavy on this 'little server'.
Remember, this is a personal machine.

I'm not that clued up on firewall rules, but here are some questions for
the list.

If your firewall is set up to only allow incoming connections from
certain hosts, could the circumventor machine get through?

If you have squidguard / dansguardian running on the firewall/proxy will
the circumventor machine be able to bypass that filtering?

The peacefire site only mentions machines with locally installed
filtering software like Net Nanny.


Incoming connections are irrelevant in this case. The TCP connection is initiated from the inside, so on any stateful packet filter (say, netfilter, pf, or Cisco's PIX) the connection will be allowed. On stateless packet filters (say, ipchains or a Cisco access list), if you allow packets with the ACK bit set to come back in, that's the older way of effectively accomplishing the same thing. Note that you should always block attempted connections coming into the trusted network from the outside.

To stop circumventor, you'd need to block anybody going out directly from a client box on any TCP or UDP port. Yes, I know, this knocks out Web access, which your folks need. So how do we give it to them if the firewall's blocking anything coming directly from a client box?

Here's how. Transparently proxy TCP 80 and TCP 443; do this, and your firewall setup--firewalls include your proxy/ICF server, let's all remember--will always control the connection. This applies to any Web content filtering application that supports transparent proxying, be it DansGuardian, I-Gear (ick!), squidGuard, or whatever. That's how you can block outside servers running circumventor, because it is quite correct that the external circumventor server will need a consistent IP address, which will indeed show up in the logs (you do review your logs, right? :-) ). Also have an internal DNS server in a split-DNS configuration, and configure your firewall such that only the internal DNS server can forward and receive requests to and from the external DNS server. Do this, and you'll stop circumventor...cold.
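The policy the reply above describes (transparent proxying of TCP 80/443, no direct client egress on any port, DNS only through the internal split-DNS server, no new inbound connections), as an added netfilter example that is not code from the thread; the interface names, the 192.168.1.0/24 subnet, the DNS server address and the proxy ports 3128/3129 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: netfilter rules for the policy in the
# reply above. Clients may not leave directly on any TCP/UDP port; TCP 80/443
# are transparently redirected to the filtering proxy on this box; only the
# internal split-DNS server may reach outside resolvers; nothing new is
# accepted from the outside. Interfaces, subnet, DNS address and proxy ports
# are assumptions for this example.
LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.1.0/24    # assumed client subnet
INT_DNS=192.168.1.2       # assumed internal DNS server (split-DNS)
HTTP_PROXY_PORT=3128      # assumed intercept port of squid/DansGuardian
HTTPS_PROXY_PORT=3129     # assumed intercept port for 443

# Dry run by default: print each rule for review; APPLY=1 runs iptables.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

gen_rules() {
    ipt -t nat -F PREROUTING
    ipt -F FORWARD
    ipt -P FORWARD DROP

    # Transparent proxying: client HTTP/HTTPS is rewritten to the local proxy,
    # so the proxy (and its content filter) sees and logs every web connection.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$HTTP_PROXY_PORT"
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 443 \
        -j REDIRECT --to-ports "$HTTPS_PROXY_PORT"

    # Stateful: replies to permitted connections flow; new connections from
    # the outside never enter the trusted network.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -m conntrack --ctstate NEW -j DROP

    # Split DNS: only the internal resolver may forward to external DNS.
    ipt -A FORWARD -i "$LAN_IF" -s "$INT_DNS" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$INT_DNS" -p tcp --dport 53 -j ACCEPT

    # Everything else from a client box going straight out is logged (this is
    # where a circumventor host's fixed address shows up) and dropped.
    ipt -A FORWARD -i "$LAN_IF" -j LOG --log-prefix "direct-out-blocked: "
    ipt -A FORWARD -i "$LAN_IF" -j DROP
}

gen_rules
```

Without APPLY=1 the script only prints the rules, so they can be checked against the site's addressing before being installed as root.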
