[K12OSN] old proxy by-pass prob
Terrell Prude', Jr.
microman at cmosnetworks.com
Sun Jun 6 21:40:47 UTC 2004
Bert Rolston wrote:
>Hi Ryan,
>
>Aw shucks, just keep an eye out for one site that seems to be getting
>extra attention.
>
>There are flaws in the circumventor strategy.
>
>1) It relies on someone in the censored environment with sufficient
>ability to install the software on their personal machine outside of the
>censored environment. The censored environment may be a home, school, or
>country.
>
>2) The circumventor machine has to be uncensored, or the censoring
>software has to be disabled.
>
>3) The circumventor machine has to be on a permanent connection, so the
>address won't change. This will show up in your proxy logs, once it
>does, BLOCK IT!
>
>4) Peacefire suggests only giving this address out to about 10 people.
>Why? So the traffic doesn't get too heavy on this 'little server'.
>Remember, this is a personal machine.
>
>I'm not that clued up on firewall rules, but here are some questions for
>the list.
>
>If your firewall is set up to only allow incoming connections from
>certain hosts, could the circumventor machine get through?
>
>If you have squidguard / dansguardian running on the firewall/proxy will
>the circumventor machine be able to bypass that filtering?
>
>The peacefire site only mentions machines with locally installed
>filtering software like Net Nanny.
>
>Cheers,
>Bert
>
>
Incoming connections are irrelevant in this case. The TCP connection is
initiated from the inside, so on any stateful packet filter (say,
netfilter, pf, or Cisco's PIX) the connection will be allowed. On
stateless packet filters (say, ipchains or a Cisco access list), if you
allow packets with the ACK bit set to come back in, that's the older way
of effectively accomplishing the same thing. Note that you should
always block attempted connections coming into the trusted network from
the outside.
To stop circumventor, you'd need to block anybody going out directly
from a client box on any TCP or UDP port. Yes, I know, this knocks out
Web access, which your folks need. So how do we give it to them if the
firewall's blocking anything coming directly from a client box?
Here's how. Transparently proxy TCP 80 and TCP 443; do this, and your
firewall setup--firewalls include your proxy/ICF server, let's all
remember--will always control the connection. This applies to any Web
content filtering application that supports transparent proxying, be it
DansGuardian, I-Gear (ick!), squidGuard, or whatever. That's how you
can block outside servers running circumventor, because it is quite
correct that the external circumventor server will need a consistent IP
address, which will indeed show up in the logs (you do review your logs,
right? :-) ). Also have an internal DNS server in a split-DNS
configuration, and configure your firewall such that only the internal
DNS server can forward and receive requests to and from the external DNS
server. Do this, and you'll stop circumventor...cold.
--TP
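An added example of the egress policy Terrell describes (this is not code from the original thread or from any of the projects named in it): a netfilter/iptables ruleset that redirects TCP 80 and 443 from client boxes into a filtering proxy on the firewall, lets only the internal DNS server talk to the external resolver, and drops and logs everything else leaving a client directly. The interface names, address ranges, proxy port and resolver addresses are assumed placeholders for a small LAN. The script prints the rules by default so they can be reviewed before being applied as root with the `apply` argument.

```shell
#!/bin/sh
# Added example, not from the original post. All values below are assumed
# placeholders for a school LAN with the filtering proxy on the firewall box.
LAN_IF=eth1             # assumed: interface facing the client LAN
WAN_IF=eth0             # assumed: interface facing the Internet
LAN_NET=192.168.1.0/24  # assumed: client network
PROXY_PORT=3128         # assumed: squid/DansGuardian transparent listener on this box
INT_DNS=192.168.1.2     # assumed: the only internal resolver allowed to forward out
EXT_DNS=203.0.113.53    # assumed (documentation range): the external resolver it may use

# gen_rules prints the iptables commands instead of running them, so the
# policy can be reviewed or diffed against the running ruleset first.
gen_rules() {
    cat <<EOF
# Default deny across the firewall; only stateful return traffic comes back in.
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Block attempted connections from the outside into the trusted network.
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state NEW -j DROP
iptables -A INPUT -i $WAN_IF -m state --state NEW -j DROP
# Transparently proxy TCP 80 and 443 from clients into the filtering proxy.
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j REDIRECT --to-ports $PROXY_PORT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
# Split DNS: only the internal DNS server may query the external resolver.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $INT_DNS -d $EXT_DNS -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $INT_DNS -d $EXT_DNS -p tcp --dport 53 -j ACCEPT
# Anything else leaving a client box directly is logged, then dropped.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j LOG --log-prefix "DIRECT-EGRESS "
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j DROP
EOF
}

# apply_rules runs the generated commands; must be run as root on the firewall.
apply_rules() { gen_rules | sh -e; }

# check_rules returns 0 when the generated policy redirects both web ports and
# the only LAN-to-WAN ACCEPT rules are sourced from the internal DNS server.
check_rules() {
    rules=$(gen_rules)
    echo "$rules" | grep -q -- '--dport 80 -j REDIRECT' || return 1
    echo "$rules" | grep -q -- '--dport 443 -j REDIRECT' || return 1
    echo "$rules" | grep -- "-A FORWARD -i $LAN_IF -o $WAN_IF" | grep -- '-j ACCEPT' \
        | grep -v -- "-s $INT_DNS " >/dev/null && return 1
    return 0
}

if [ "${1:-}" = "apply" ]; then
    check_rules && apply_rules
else
    gen_rules
fi
```

The REDIRECT on 443 only does what the post intends if the proxy can accept intercepted TLS connections; a proxy that handles only plain HTTP transparently will leave clients with certificate errors on that port. The LOG rule is what makes the "consistent IP address" of an external proxy stand out: a client that keeps hitting the same outside address on a non-web port appears as repeated DIRECT-EGRESS entries in the kernel log.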