[KLUG Members] Iptables
Jason Edward Durrett
jed at shackman.com
Mon Aug 22 15:07:53 EDT 2005
Robert G. Brown wrote:
>On Mon, 22 Aug 2005 14:02:49 -0400, Tony Gettig wrote:
>
>>What we do is block ALL outbound traffic by default and make exceptions
>>where necessary.
>
>Seems fascistic enough to have a chance of actually working.
>
>>All web surfing must go through the proxy. The web
>>filtering solution is also configured to deny traffic to the IM
>>services.
>
>IM clients can be configured to use port 80, etc. How are you blocking
>these?
>
>>Non-web traffic that needs to go out is explicitly allowed per
>>application, ...
>
>Right, but in this case, there isn't any "non-web" traffic.
>
>>and when possible, per network segment.
>
>I think I understand this.
>
>>Overkill? Maybe.
>
>Nah, as I wrote above...
>
>>YMMV, yada yada...
>
>Sure, you've disclaimed yourself adequately :)
>
>What you and Bruce said earlier in this thread is essentially
>that even though these IM clients use http, they (probably) don't
>have the ability to handle the client side of the authentication
>dialog. So put 'em into an environment where they have to auth
>themselves to get out, and they're stuck.
>
>At least some IMs support that, too. You're not stoppin' 'em,
>but you're raising the bar a lot...
>
Gaim is one of those IMs that supports proxy authentication.
But could a client just use tor? It is possible for it to run through
squid and also authenticate - with socat, socks-aware apps can be put
through. And with tsocks, even non-socks-aware apps will work. (I
think someone would have to be root to set all this up though).
Then there is also connect.c - truly amazing what you can do:
http://www.taiyo.co.jp/~gotoh/ssh/connect.html
But, yes, that does raise the bar very high.
Jason Edward Durrett
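The default-deny egress policy the thread describes (all outbound blocked, web only through an authenticating proxy, explicit exceptions per application and segment), written out as an added iptables example that is not from the list post. It assumes the proxy (squid) runs on the gateway itself; the interface names, subnet, port and resolver address are placeholders.

```shell
#!/bin/sh
# Added example: default-deny egress on a Linux gateway that also hosts the
# authenticating proxy. LAN hosts may only reach the proxy on this box; the
# gateway itself may only speak HTTP/HTTPS and DNS upstream; every other
# outbound attempt is logged and dropped. All values below are assumptions.
LAN_IF="${LAN_IF:-eth1}"                    # assumed inside interface
WAN_IF="${WAN_IF:-eth0}"                    # assumed outside interface
LAN_NET="${LAN_NET:-192.168.10.0/24}"       # assumed internal segment
PROXY_PORT="${PROXY_PORT:-3128}"            # squid listening on the gateway
UPSTREAM_DNS="${UPSTREAM_DNS:-192.0.2.53}"  # assumed resolver (TEST-NET-1)

# Emit the filter table in iptables-save syntax so the policy can be reviewed
# and then loaded atomically with iptables-restore.
egress_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:EGRESS_LOG - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts get exactly one way out: the proxy on this gateway
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -m conntrack --ctstate NEW -j ACCEPT
# No routing of LAN traffic straight to the Internet (proxy or nothing)
-A FORWARD -i $LAN_IF -o $WAN_IF -j EGRESS_LOG
# The proxy's own upstream needs: web ports and DNS, nothing else
-A OUTPUT -o $WAN_IF -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp -d $UPSTREAM_DNS --dport 53 -j ACCEPT
-A OUTPUT -o $WAN_IF -j EGRESS_LOG
# Anything reaching here violates policy (a direct IM port, tor, a tunnel).
# Log it rate-limited so the attempt is visible in syslog, then drop it.
-A EGRESS_LOG -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DENY: "
-A EGRESS_LOG -j DROP
COMMIT
EOF
}

# Count rules that still let NEW connections out on the WAN interface; a quick
# sanity check that only the intended exceptions exist before loading.
wan_exceptions() { egress_rules | grep -c -- "-o $WAN_IF .*-j ACCEPT"; }

if [ "${1:-}" = "apply" ]; then egress_rules | iptables-restore; fi
```

Run the script with `apply` as its first argument on the gateway to load the table; without it nothing is changed, and `egress_rules` can be called to review the generated policy.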