On 4/3/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> On Mon, Apr 03, 2006 at 11:11:22AM +0530, Niklaus wrote:
> > On 4/2/06, Chris Kuethe <[EMAIL PROTECTED]> wrote:
> > > On 4/2/06, Niklaus <[EMAIL PROTECTED]> wrote:
> > > > > what problem are you really trying to solve?
> > >
> > > really, what problem are you trying to solve? the fact that you have
> > > untrusted users?
> > >
> > I understand the tunnelling through ssh part.
> > Can you explain what reverse telnet is. I don't get it.
> >
> > Users here on my system are running proxy servers like socks proxy and
> > downloading stuff which is banned on squid proxy. This is a mail and
> > devel server, so all of the users have ssh and gcc accounts. They
> > compile the proxies they get on sourceforge and I really can't kill
> > all the processes because there are too many users. They are just like
> > redirectors. I don't want any user other than root to listen on any
> > port.
>
> I'd be inclined to both say 'let them' and 'filtering is best done at
> the firewall' (and yes, that's a separate machine).
>
> However, telling pf to block all outgoing traffic is enough.
>
> What you want to do - 'stop listeners', though, would require filtering
> the lo0 device as well. That should work, but is likely to be far from
> trivial.
>
> And, as Chris pointed out below, filtering for listeners doesn't really
> help.
>
> Really, the proper solution is to tell pf to block all outgoing traffic,
> then whitelist what you need. This shouldn't be too much - you could
> whitelist Squid by user, and the rest is likely to be simple (domain,
> possibly ssh, possibly imap(s)/pop(s), smtp if you are feeling lucky).
Or you could block all traffic to and from ports > 1024. That would stop
any proxies they might run. Ports below 1024 do require you to be root to
open a listening socket on them.

> > > assume you have an http proxy listening on 127.0.0.1 on your machine.
> > > assume you've disabled port forwarding in sshd_config so i can't
> > > tunnel to my proxy.
> > > i then change my proxy program so i connect back to a listener
> > > (netcat?) on my remote machine at which point i have a tcp connection
> > > through which i can forward my http requests to make them look like
> > > they're coming from your box.
> > >
> > > this sort of trick is easy to whack together... probably 10 or 15
> > > minutes if you're ripping code straight out of "learning perl" without
> > > knowing what you're doing. no doubt there's stuff in ports that can be
> > > used too.
> > >
> > > CK
> >

--
"i think we should rewrite the kernel in java since it has good support
for threads." - Ted Unangst
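As an added illustration (not a ruleset from anyone in the thread), here is what Joachim's "block all outgoing, then whitelist" advice and the reply's "ports > 1024" rule look like together in pf.conf on the shell host itself. The interface name em0, the _squid user and the list of allowed services are assumptions; adjust them to the box.

```pf
# Added example pf.conf for a multi-user shell/mail host (not from the thread).
# ASSUMPTION: external interface is em0 and Squid runs as the user _squid.
ext_if = "em0"
squid_user = "_squid"

# Loopback is left unfiltered: as the thread notes, filtering lo0 is far
# from trivial, and it is not where the real control lies.
set skip on lo0

# Default deny outbound. This is the control that matters: a user-compiled
# proxy that "connects back" to a remote listener (Chris's point) never
# gets its TCP session out, whatever port it listens on locally.
block out log on $ext_if all

# The reply's suggestion, applied inbound only: nothing may reach a
# listener on an unprivileged port, i.e. anything a non-root user can bind.
# Replies to outbound connections are matched by state, so legitimate
# client sockets on ports > 1024 keep working.
block in log on $ext_if proto tcp to any port > 1024

# Whitelist, following Joachim's list: domain, ssh, imap(s)/pop(s),
# smtp for the MTA, and http/https only for Squid's own uid so users
# must go through the proxy and its ACLs rather than around them.
pass out on $ext_if proto { tcp udp } to any port domain keep state
pass out on $ext_if proto tcp to any port { ssh imap imaps pop3 pop3s } keep state
pass out on $ext_if proto tcp to any port smtp user root keep state
pass out on $ext_if proto tcp to any port { http https } user $squid_user keep state

# Services this host legitimately offers (all on privileged ports).
pass in on $ext_if proto tcp to ($ext_if) port { ssh smtp imaps pop3s } keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then watch `tcpdump -n -e -ttt -i pflog0` for blocked outbound attempts, which is also how you find the proxy processes to talk to their owners about.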