On 4/25/07, Allen Theobald <[EMAIL PROTECTED]> wrote:
Greetings!  Included below is my pf.conf set up to use
dansguardian (proxyport 3128, filterport 8080)
and tinyproxy (listen port 3128) as a transparent
proxy.

What changes do I need to make to keep someone on
int_if/int_net from circumventing dansguardian
by changing their browser to point to 3128?

By blocking all outbound ports, and redirecting those they need to the
firewall itself.  I.e. run a DNS server on the firewall so they can
resolve (alternatively only pass traffic to your ISP's DNS), use port
forwarding to redirect all www traffic to your filter, etc.

Not leaving any port unblocked is the only way.  I remember I was once
dared to get on napster (yeah, it was a while ago :-) at an old job by
one of the admins.  They had recently gone through a whole
seminar-thing on how to block these kinds of things.  So I set up a
socks proxy on my home computer running on port 80, and proceeded to
fill up my work HD with MP3s.  They didn't filter web traffic, so it
just looked like web traffic as far as the firewall was concerned.
Took me about 5 minutes to waste their thousands of dollars on
training.

I also used the same 'trick' to get around a filtering internet
provider.  I think that time was by using port 53.

Any open port would be subject to the same.  So close them.  All of them.

--Bryan
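As an added illustration of the policy Bryan describes (this is not Allen's pf.conf, which is not reproduced here, and not from the thread), a pf.conf fragment in the rdr/nat syntax of the time (pre-OpenBSD 4.7; newer pf spells the redirect as rdr-to on the pass rule). It assumes the interface names and the constructed 192.168.1.0/24 network, and uses the listen ports from Allen's message (dansguardian 8080, tinyproxy 3128):

```pf
# Added example, not from the thread.  Assumed interfaces and a
# constructed sample network; ports are the ones named in the post.
int_if  = "em1"
ext_if  = "em0"
int_net = "192.168.1.0/24"

set skip on lo

# Transparent proxy: every outbound web connection from int_net is
# rewritten to dansguardian on the firewall before filtering happens.
rdr on $int_if proto tcp from $int_net to any port 80 -> 127.0.0.1 port 8080

# Default deny, logged, so any attempt to bypass the filter shows up
# in pflog rather than silently succeeding.
block log all

# Only the firewall itself (resolver, tinyproxy) talks to the outside;
# the state entry admits the replies.
pass out quick on $ext_if from ($ext_if) to any keep state

# Clients may resolve names only through the resolver on the firewall.
pass in quick on $int_if proto { tcp, udp } from $int_net to $int_if port 53 keep state

# Web traffic reaches this rule already rewritten by the rdr above,
# so the filter sees 127.0.0.1:8080, not the original destination.
pass in quick on $int_if proto tcp from $int_net to 127.0.0.1 port 8080 keep state

# Deliberately no pass rule for port 3128 (tinyproxy) or anything else:
# a browser pointed straight at the proxy, or at an outside port 53 or
# port 80 server, hits "block log all" and is logged.
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` for blocked connections from int_net to port 3128, which are clients trying exactly what Allen asked about.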