[K12OSN] OT: Limiting to a specific proxy to prevent getting around it
John Lucas
mrjohnlucas at gmail.com
Wed Jan 17 11:37:31 UTC 2007
On Tuesday 16 January 2007 23:23, David Trask wrote:
> Hi all,
>
> I'm probably going to confuse even myself before I'm done. I'm using an
> SME server (based on CentOS) running DansGuardian for content
> filtering/proxying...etc. I'm also running proxy auth. So the way it
> works now....if the user has the proxy server (10.0.0.1 port 8080) set in
> their browser, then they get challenged to log in the moment they try to
> open a browser. They log in and then surf from there....and are filtered
> according to the group that they are a member of (in other words students
> are filtered more harshly than staff....etc). If the browser does not
> have the proxy set, then they are transparently proxied and are filtered
> at the default level (which is pretty harsh in our case to encourage
> logging in). Now my dilemma. I still need to play with this more, but at
> the moment if I enter a different proxy, such as 195.179.62.1 or something
> like that I may have found on the Internet, I can essentially bypass the
> filter. What I want to do is to find a way to ONLY accept either no proxy
> setting (thus transparent) or 10.0.0.1 on port 8080....and nothing else.
> If a kid enters any other proxy in their browser....it simply doesn't go
> or gets dropped. Any ideas?
>
I think this would require a pretty tight firewall policy that would prevent
using "outside" proxies. Blocking (outgoing) TCP ports 8080 and 3128 would go
a long way toward preventing attachment to proxies beyond your perimeter
firewall. An even tighter policy (essentially blocking most outgoing traffic)
might be required to completely prevent such access. Then there are the
tunneling services that work through web proxies to worry about :-}
--
"History doesn't repeat itself; at best it rhymes."
- Mark Twain
| John Lucas MrJohnLucas at gmail.com |
| St. Thomas, VI 00802 http://mrjohnlucas.googlepages.com/ |
| 18.3°N, 65°W AST (UTC-4) |
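
The firewall policy suggested in the reply above, sketched as an added example that is not part of the original message: a script that prints a default-deny FORWARD policy in iptables-restore format, with outgoing TCP 8080 and 3128 rejected explicitly. It assumes the SME server is also the gateway (so 10.0.0.1:8080 is reached through INPUT, not FORWARD), that the transparent port-80 interception already exists in the nat table, and that the interface name, LAN range and allowed-port list are placeholders.

```shell
#!/bin/sh
# Added example: print a filter-table FORWARD policy in iptables-restore format.
# Assumed, not from the thread: LAN side is eth0 / 10.0.0.0/24, and port-80
# interception for the transparent proxy is already done in the nat table.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
# Ports clients may still reach directly (constructed default). Anything
# listed here leaves the network unfiltered, so keep the list short.
ALLOWED_FWD_PORTS="${ALLOWED_FWD_PORTS:-443}"

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

rule() { printf '%s\n' "$*"; }

gen_rules() {
    for p in $ALLOWED_FWD_PORTS; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    rule "*filter"
    # Default deny: traffic routed through the gateway is dropped unless allowed.
    rule ":FORWARD DROP [0:0]"
    rule "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The two proxy ports named in the reply, rejected so browsers fail fast.
    for p in 8080 3128; do
        rule "-A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport $p -j REJECT --reject-with tcp-reset"
    done
    for p in $ALLOWED_FWD_PORTS; do
        rule "-A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Log what the default policy is about to drop, rate-limited.
    rule "-A FORWARD -i $LAN_IF -m limit --limit 6/min -j LOG --log-prefix \"fwd-denied: \""
    rule "COMMIT"
}

gen_rules
```

Check the printed ruleset with `iptables-restore --test` and merge it into the server's own firewall configuration rather than loading it as-is, since a plain restore flushes the existing filter table.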