DaemonForums  

#1
16th April 2009
bichumo
Prevent users from using proxy

Hi,

I am running a router with FreeBSD + pf + squid. If I block some sites through squid, clients add a proxy server to their browsers and can access those sites. How can I stop them from accessing websites through proxy servers and allow them to go out only through squid?

Thanks for any information.
#2
16th April 2009
DutchDaemon (Ben)

The only real way I can see is running Squid as a transparent proxy on localhost and using PF on the internal interface to redirect http traffic ports (see Safe Ports in squid.conf, but not 443!) to Squid.

Then you'll have to lock down the internal interface, only opening the necessary/allowed ports outbound (or people will just point their browsers to http://some_proxy:9156 and defeat your redirection).

This is not airtight. You will have to allow port 443 through (SSL and transparent proxies don't mix), and probably ports like 22 as well.

So external proxies that can be reached by SSL/SSH (either directly (proxies running on port 443 or 22 exist) or using tunnels) can still be contacted and used.

It will be a lot harder for most average users, though.
#3
16th April 2009
anomie

I'd add that since you control the clients' default router (if I am understanding), you could start filtering all outbound traffic * and force them to come through your http proxy to access the 'net.

* There may be some exceptions, e.g. name lookups.
#4
16th April 2009
phoenix

Simplest method is to block all outgoing requests, except those from your proxy server. If they don't use the proxy, they don't get Internet access. Start with a "deny all" policy.

Then, add rules to allow specific protocols to/from specific IPs on specific ports, as needed, for access to other services. Don't use any rules like "allow ip from localnet to any 25". Always specify an IP (don't use "any").
#5
19th April 2009
robbak (Robert Backhaus)

Even transparent proxy setups need to allow initial DNS lookups, and these DNS lookups are a way of getting around restrictions: proxies or VPNs running on port 53, or, if you prevent that, take a look at http-over-DNS! Automatically configuring your proxy (for instance, using that rather horrid 'wpad' protocol) may allow you to close the DNS hole, but it will trip up some browsers. The other way is to mess around with captive portals and dual horizon DNS - find out about them if you'd like a headache.

You will have to allow https: on port 443, and once you allow encrypted traffic through, you have no control over what that encrypted traffic may be.

In conclusion, do what you can, but be aware that nothing can be 100% secure.
Last edited by robbak; 19th April 2009 at 02:01 AM.
#6
19th April 2009
phoenix

Quote:
Originally Posted by robbak View Post
Even transparent proxy setups need to allow initial DNS lookups, and these DNS lookups are a way of getting around restrictions: proxies or VPNs running on port 53
Not if you only allow port 53 traffic to/from *your* DNS servers.

The trick is to write firewall rules that don't use wildcards for connections from the local network to remote hosts (ie no rules of the form "allow protocol from localnet to any port").

Quote:
You will have to allow https: on port 443,
Again, you don't open it completely, you add rules to only allow traffic through to the sites that the users *need* to access.

Quote:
In conclusion, do what you can, but be aware that nothing can be 100% secure.
Correct. Users will always find ways around the 'Net filters, it's a bit of an arms race. But it's not as horrible as you make it out to be.
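Putting posts #2, #4 and #6 together as one FreeBSD pf.conf, as an added example rather than anything posted in this thread: plain HTTP from the LAN is redirected into Squid, and everything else is default-deny with explicit destinations (the router's own resolver, named upstream DNS servers, a table of required HTTPS sites) instead of "to any". Assumed: em0 faces the Internet, em1 the LAN 192.168.1.0/24, the router (192.168.1.1) runs Squid on 127.0.0.1:3128 in transparent mode plus a caching resolver, and the public addresses are RFC 5737 documentation values.

```pf
# Added example (not from the thread). FreeBSD pf.conf, classic rdr/nat syntax.
# Assumed: em0 = Internet, em1 = LAN 192.168.1.0/24; router LAN address
# 192.168.1.1 runs Squid ("http_port 127.0.0.1:3128 transparent" in squid.conf)
# and a caching resolver. 203.0.113.x / 198.51.100.x are documentation addresses.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"
gw     = "192.168.1.1"

table <dns_upstream> { 203.0.113.53, 198.51.100.53 }   # the only DNS peers allowed
table <https_ok> persist file "/etc/pf.https_ok"       # sites users need on 443, one per line

set skip on lo0
scrub in all

# Post #2: intercept LAN HTTP and hand it to Squid on localhost.
rdr pass on $int_if inet proto tcp from $lan to any port 80 -> 127.0.0.1 port 3128
nat on $ext_if inet from $lan to any -> ($ext_if)

# Posts #4/#6: default deny, logged, so a browser pointed at some_proxy:9156
# or a port-53 tunnel to a foreign host shows up in pflog instead of working.
block log all

# LAN may talk only to the router's own services: Squid (for clients that set
# it explicitly) and the resolver. No rule of the form "from $lan to any port 53".
pass in on $int_if inet proto tcp          from $lan to $gw port 3128
pass in on $int_if inet proto { tcp, udp } from $lan to $gw port 53

# HTTPS cannot be intercepted, so it is forwarded, but only to listed sites.
pass in on $int_if inet proto tcp from $lan to <https_ok> port 443

# Router egress. Sources are already translated to ($ext_if) here, so the
# "pass in" rules above are what actually limit which LAN host reaches what.
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to <dns_upstream> port 53
pass out on $ext_if inet proto tcp          from ($ext_if) to any port { 80, 443 }  # Squid's fetches and the forwarded 443 traffic
```

Blocked attempts can be watched with `tcpdump -n -e -ttt -i pflog0` (pflog enabled in rc.conf), and the site table is reloaded without a full ruleset reload via `pfctl -t https_ok -T replace -f /etc/pf.https_ok`.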
#7
19th April 2009
BSDfan666

Never heard of iodine, phoenix? Even your local recursing DNS server is vulnerable.

It is very easy to tunnel outside of presumably secure networks, it's easier to just set some network guidelines and enforce penalties for people caught breaking the rules.

Human exploitation, people like ratting on other people.
#8
20th April 2009
phoenix

Quote:
Originally Posted by BSDfan666 View Post
Never heard of iodine, phoenix? Even your local recursing DNS server is vulnerable.
Nope, never heard of that. Thanks for the link.
#9
20th April 2009
jggimi

At the company where I am currently consulting, the local network tiers are isolated from one another by firewalls. All but the externally facing tier are completely isolated from the Internet; DNS is local only (of course), and Internet addresses are not reachable via any router. Only the externally facing tier (the DMZ, if you like) has direct Internet access.

End users are limited to restricted, monitored, and authenticated proxy connections via http/s on ports 80/443, and only if their management approves and funds the individual's access on an annual basis. IP addresses may not be used in URLs; the monitoring software requires domain names.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick