[KLUG Members] Iptables

Jason Edward Durrett jed at shackman.com
Mon Aug 22 15:07:53 EDT 2005


Robert G. Brown wrote:

>On Mon, 22 Aug 2005 14:02:49 -0400, Tony Gettig wrote:
>
>>What we do is block ALL outbound traffic by default and make exceptions
>>where necessary.
>
>Seems fascistic enough to have a chance of actually working.
>
>>All web surfing must go through the proxy. The web
>>filtering solution is also configured to deny traffic to the IM
>>services.
>
>IM clients can be configured to use port 80, etc. How are you blocking
>these?
>
>>Non-web traffic that needs to go out is explicitly allowed per
>>application, ...
>
>Right, but in this case, there isn't any "non-web" traffic.
>
>>and when possible, per network segment.
>
>I think I understand this.
>
>>Overkill? Maybe.
>
>Nah, as I wrote above...
>
>>YMMV, yada yada...
>
>Sure, you've disclaimed yourself adequately :)
>
>What you and Bruce said earlier in this thread is essentially
>that even though these IM clients use http, they (probably) don't
>have the ability to handle the client side of the authentication
>dialog. So put 'em into an environment where they have to auth
>themselves to get out, and they're stuck.
>
>At least some IMs support that, too. You're not stoppin' 'em,
>but you're raising the bar a lot...
>
Gaim is one of those IMs that supports proxy authentication.

But could a client just use tor?  It is possible for it to run through
squid and also authenticate - with socat socks aware apps can be put
through.  And with tsocks, even non-socks aware apps will work.  (I
think someone would have to be root to set all this up though).

Then there is also connect.c - truly amazing what you can do:

http://www.taiyo.co.jp/~gotoh/ssh/connect.html

But, yes, that does raise the bar very high. 


Jason Edward Durrett
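The policy Tony describes above (drop all outbound traffic by default, let web traffic out only from the proxy, add per-application and per-segment exceptions) can be written as a short iptables script on the gateway. The script below is an added example for this archive, not any poster's configuration; the interface name, the 192.168.1.0/24 segment, and the proxy, mail and resolver addresses are constructed placeholders. It also logs what the workstation segment tried to send that no rule allowed, which is where a client trying to tunnel out shows up first.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny egress policy of the
# kind described above, expressed as iptables FORWARD rules on the gateway.
# Every value below is constructed for illustration:
#   LAN_IF   - the interface facing the workstations
#   LAN_NET  - the workstation segment
#   PROXY    - the only host allowed to speak HTTP/HTTPS to the Internet
#   MAILHOST - a per-application exception (outbound SMTP only)
#   RESOLVER - the internal DNS server allowed to query outside
# Set IPT=echo to preview the rules without touching the kernel.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY="${PROXY:-192.168.1.10}"
MAILHOST="${MAILHOST:-192.168.1.20}"
RESOLVER="${RESOLVER:-192.168.1.2}"

egress_policy() {
    # Start from an empty FORWARD chain whose default verdict is DROP:
    # anything not matched below never leaves the LAN.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Replies to sessions that were allowed out.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Web traffic leaves only from the proxy host. Workstations cannot
    # reach port 80/443 directly, so an IM client "on port 80" still has
    # to go through the proxy and face its authentication.
    $IPT -A FORWARD -i "$LAN_IF" -s "$PROXY" -p tcp \
        -m multiport --dports 80,443 -j ACCEPT

    # Per-application exceptions: outbound SMTP from the mail host, and
    # DNS from the internal resolver only.
    $IPT -A FORWARD -i "$LAN_IF" -s "$MAILHOST" -p tcp --dport 25 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$RESOLVER" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$RESOLVER" -p tcp --dport 53 -j ACCEPT

    # Log what the workstation segment tried to send that no rule allowed,
    # rate-limited so one chatty client cannot flood the log. The chain's
    # DROP policy then discards it.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" \
        -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "EGRESS-DENY: "
}

# Count the ACCEPT rules the policy installs, as a quick sanity check
# against the list of things you meant to allow out. Runs in preview mode.
accept_rule_count() {
    ( IPT=echo; egress_policy ) | grep -c -- '-j ACCEPT'
}

# Apply only when explicitly asked: `sh egress.sh apply`.
if [ "${1:-}" = "apply" ]; then
    egress_policy
fi
```

This covers the gateway's forwarding path only: traffic from a workstation to a proxy on the same segment never crosses the FORWARD chain, so the proxy host itself still needs its own restrictions on who may connect to it and on which CONNECT destinations it will tunnel. The `EGRESS-DENY:` log lines are the useful by-product; a host that keeps hitting the drop rule on unexpected ports is exactly the kind of thing the thread is discussing.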

