[K12OSN] old proxy by-pass prob

Terrell Prude', Jr. microman at cmosnetworks.com
Sun Jun 6 21:40:47 UTC 2004

Bert Rolston wrote:

>Hi Ryan,
>Aw shucks, just keep an eye out for one site that seems to be getting
>extra attention.
>There are flaws in the circumventor  strategy. 
>1) It relies on someone in the censored environment with sufficient
>ability to install the software on their personal machine outside of the
>censored environment. The censored environment may be a home, school, or
>2) The circumventor machine has to be uncensored, or the censoring
>software has to be disabled.
>3) The circumventor machine has to be on a permanent connection, so the
>address won't change. This will show up in your proxy logs, once it
>does, BLOCK IT!
>4) Peacefire suggests only giving this address out to about 10 people.
>Why? So the traffic doesn't get too heavy on this 'little server'.
>Remember, this is a personal machine machine. 
>I'm not that clued up on firewall rules, but here are some questions for
>the list.
>If your firewall is set up to only allow incoming connections from
>certain hosts, could the circumventor machine get through?
>If you have squidguard / dansguardian running on the firewall/proxy will
>the circumventor machine be able to bypass that filtering? 
>The peacefire site only mentions machines with locally installed
>filtering software like Net Nanny.

Incoming connections are irrelevant in this case.  The TCP connection is 
initiated from the inside, so on any stateful packet filter (say, 
netfilter, pf, or Cisco's PIX) the connection will be allowed.  On 
stateless packet filters (say, ipchains or a Cisco access list), if you 
allow packets with the ACK bit set to come back in, that's the older way 
of effectively accomplishing the same thing.  Note that you should 
always block attempted connections coming into the trusted network from 
the outside.

To stop circumventor, you'd need to block anybody going out directly 
from a client box on any TCP or UDP port.  Yes, I know, this knocks out 
Web access, which your folks need.  So how do we give it to them if the 
firewall's blocking anything coming directly from a client box? 

Here's how.  Transparently proxy TCP 80 and TCP 443; do this, and your 
firewall setup--firewalls include your proxy/ICF server, let's all 
remember--will always control the connection.  This applies to any Web 
content filtering application that supports transparent proxying, be it 
DansGuardian, I-Gear (ick!), squidGuard, or whatever.  That's how you 
can block outside servers running circumventor, because it is quite 
correct that the external circumventor server will need a consistent IP 
address, which will indeed show up in the logs (you do review your logs, 
right?  :-) ).  Also have an internal DNS server in a split-DNS 
configuration, and configure your firewall such that only the internal 
DNS server can forward and receive requests to and from the external DNS 
server.  Do this, and you'll stop circumventor...cold.


More information about the K12OSN mailing list