19th April 2009
phoenix

Quote:
Originally Posted by robbak
Even transparent proxy setups need to allow initial DNS lookups, and these DNS lookups are a way of getting around restrictions: proxies or VPNs running on port 53
Not if you only allow port 53 traffic to/from *your* DNS servers.

The trick is to write firewall rules that don't use wildcards for connections from the local network to remote hosts (i.e. no rules of the form "allow protocol from localnet to any port").

Quote:
You will have to allow https: on port 443,
Again, you don't open it completely, you add rules to only allow traffic through to the sites that the users *need* to access.

Quote:
In conclusion, do what you can, but be aware that nothing can be 100% secure.
Correct. Users will always find ways around the 'Net filters, it's a bit of an arms race. But it's not as horrible as you make it out to be.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
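A pf ruleset for a FreeBSD gateway that applies the approach described in this post, added here as an example; it is not part of the original post and not the author's own configuration. The post names no particular firewall, so pf is assumed because the thread concerns FreeBSD; the interface names, table names and addresses are constructed placeholders. The weak wildcard rules the post warns against are shown commented out next to the restricted rules that replace them.

```pf
# Added example, not from the original post. Interface names, tables and
# addresses are constructed placeholders.
ext_if   = "em0"             # upstream link
int_if   = "em1"             # user LAN
localnet = $int_if:network

# The only resolvers clients may talk to (the ones handed out via DHCP).
table <dns_servers>   { 192.0.2.53, 192.0.2.54 }
# HTTPS sites the users actually need; this list is maintained deliberately.
table <https_allowed> { 198.51.100.10, 198.51.100.11 }

set skip on lo0
block log all                # default deny, both directions, logged to pflog0

# WEAK (left commented out): wildcard destinations for client traffic.
# Anything tunnelled over 53 or 443 to an arbitrary remote host passes.
# pass in on $int_if proto { tcp udp } from $localnet to any port 53
# pass in on $int_if proto tcp from $localnet to any port 443

# CORRECTED: no "to any" for connections leaving the local network.
# Clients reach port 53 only on our resolvers ...
pass in on $int_if proto { tcp udp } from $localnet to <dns_servers> port 53
# ... and port 443 only on the hosts they need.
pass in on $int_if proto tcp from $localnet to <https_allowed> port 443

# Our resolvers still need upstream DNS. The source restriction means a user
# host on $localnet cannot match this rule, only the resolvers can.
pass in on $int_if proto { tcp udp } from <dns_servers> to any port 53
```

Filtering only on the inbound rules relies on pf's default floating state policy: the state created when a packet arrives on $int_if also matches it on the way out of $ext_if, so no separate wildcard `pass out` rule is needed. Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. Because the default block rule logs, `tcpdump -n -e -ttt -i pflog0` shows exactly which client connections are being refused, which is the quickest way to find a legitimately needed site that is missing from `<https_allowed>`.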