firewall/proxy question

2007-03-12 Thread Bart Silverstrim
I am trying to find a way to stop some people on our network from  
accessing certain websites.  We have been using Squid with SquidGuard  
on an older FreeBSD system.


The Squid that was installed from ports doesn't seem to see https:  
connections.  From what I can find, this appears to be normal  
behavior since https: connections are encrypted.


Is there some way to set up ipfw to block access to port 443 if the  
URL/IP matches a certain address?  These users are bypassing our  
filter rules by accessing a proxy site that is using https.  The  
current ruleset on the box is

00049 allow tcp from filter machine IP to any
00050 fwd filter machine IP,3128 tcp from any to any 80
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any

Can someone help with some suggestions?  Does the Linux firewall  
system have a similar way to block access to a particular IP if it  
were doing forwarding?  We were experimenting with a new proxy  
machine but it is running Ubuntu.


-Bart
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Proxy question

2007-03-05 Thread Bart Silverstrim
We are currently running Squid and SquidGuard on FreeBSD for  
monitoring/proxying web browsing activity at our workplace.  The  
problem is that some users figured out how to use a specific type of  
proxy to bypass protections...specifically, they're going through an  
https site.


Is it possible to run a proxy that can monitor https connections and  
block them if necessary?


-Bart


Re: Proxy question

2007-03-05 Thread Fabian Keil
Bart Silverstrim [EMAIL PROTECTED] wrote:

 We are currently running Squid and SquidGuard on FreeBSD for  
 monitoring/proxying web browsing activity at our workplace.  The  
 problem is that some users figured out how to use a specific type of  
 proxy to bypass protections...specifically, they're going through an  
 https site.
 
 Is it possible to run a proxy that can monitor https connections and  
 block them if necessary?

To monitor https connections the proxy has to run a man in the middle
attack and unless you change the certificates on the clients, this
will cause browser warnings and confuse users.

Depending on your country it may also be illegal if you don't inform
the users about it, but of course that's true for monitoring in general.

If you're only talking about blocking SSL connections to hosts
that aren't white-listed, you can simply block CONNECT requests
on the proxy and use a packet filter to make sure the clients
can't just bypass the proxy.

I assume that Squid itself can block CONNECT requests based on
the hostname, but if it can't, you could add Privoxy to your
proxy chain to do that.

Fabian
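Fabian's two suggestions above (filter CONNECT on the proxy, and use the packet filter so clients cannot reach port 443 directly) and Bart's earlier question about denying port 443 to particular addresses can both be expressed as ipfw rules slotted into the ruleset Bart posted. The script below is an added example, not code from either poster; the LAN network, proxy address, interface name and blocklist path are assumed placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): ipfw rules that deny direct port-443
# connections to a table of blocked destinations and force all other HTTPS
# through the proxy host, where CONNECT requests can be filtered by hostname.
# Assumed placeholders: LAN 192.168.1.0/24, proxy 192.168.1.2, LAN interface
# fxp0 (none of these come from the original posts). IPFW=echo previews rules.
IPFW="${IPFW:-/sbin/ipfw}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_IP="${PROXY_IP:-192.168.1.2}"
LAN_IF="${LAN_IF:-fxp0}"
TABLE=1   # ipfw lookup table that holds the blocked destination addresses

# Load a blocklist (one IPv4 address or CIDR per line, '#' comments allowed)
# into the lookup table, replacing whatever it held before.
load_blocked_hosts() {
    "$IPFW" table "$TABLE" flush
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while read -r addr; do
        "$IPFW" table "$TABLE" add "$addr"
    done
}

# Rule numbers fall between the fwd-to-proxy rule (00050) and the catch-all
# allow (65000) in Bart's ruleset. 'setup' matches only new connections, so
# each blocked attempt costs one rule hit and produces one log line.
add_https_rules() {
    # A proxy on a separate LAN host must still reach HTTPS servers itself.
    "$IPFW" add 00060 allow tcp from "$PROXY_IP" to any 443 setup
    # Listed destinations (the proxy sites Bart mentions) are refused and logged.
    "$IPFW" add 00070 deny log tcp from "$LAN_NET" to "table($TABLE)" 443 setup in via "$LAN_IF"
    # Fabian's point: with this rule no client can bypass the proxy on 443 at
    # all; drop it if only the listed destinations should be blocked.
    "$IPFW" add 00080 deny log tcp from "$LAN_NET" to any 443 setup in via "$LAN_IF"
}

case "${1:-}" in
    apply)   load_blocked_hosts "${2:-/usr/local/etc/blocked_https.txt}"
             add_https_rules ;;
    preview) IPFW=echo
             load_blocked_hosts "${2:-/usr/local/etc/blocked_https.txt}"
             add_https_rules ;;
    *)       : ;;   # no argument: just define the functions
esac
```

Run `sh block443.sh preview /path/to/blocklist` to see the exact rules before applying them; the blocklist entries are looked up by destination address, so a proxy site that moves to a new IP needs the table reloaded.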




ipnat transparent www proxy question

2004-02-11 Thread Markus Kovero
I would like to do transparent www proxy for nat-network which is
172.16.0.0/24 and wwwproxy being $ispcache
I told ipnat to do:
rdr xl0 from 172.16.0.0/24 to any port = 80 -> $ispcache port 8080 tcp

but all www connections go straight through, not through cache.
xl0 is LAN interface.

Any clue?

Markus Kovero



Re: ipnat transparent www proxy question

2004-02-11 Thread Nathan Kinkade
On Wed, Feb 11, 2004 at 11:21:36AM +0200, Markus Kovero wrote:
 I would like to do transparent www proxy for nat-network which is
 172.16.0.0/24 and wwwproxy being $ispcache
 I told ipnat to do:
 rdr xl0 from 172.16.0.0/24 to any port = 80 -> $ispcache port 8080 tcp
 
 but all www connections go straight through, not through cache.
 xl0 is LAN interface.
 
 Any clue?
 
 Markus Kovero

What is the output of `ipfw list`?  You should probably add a rule
something like the following just after your NAT divert rule:

$ ipfw add fwd $ispcache,8080 tcp from any to any dst-port 80 in

Nathan
-- 
gpg --keyserver pgp.mit.edu --recv-keys D8527E49




Reverse proxy question

2003-11-04 Thread Louis LeBlanc
Hey everyone.

Here's a question that may have been answered in the past, but I'm not
real satisfied with what I've found on Google.

I have been tasked with setting up a reverse proxy (open source,
probably squid) that is capable of handling 5000 requests per second
or more.  Yes, 5000/sec.  It's a world gone mad, I tell you.

Licensed products like iMimic and Volera are not options.  The OS is
flexible (I'm leaning toward a recent 4.x version of FreeBSD) and the
hardware is limited to what's on hand - either a Dell 2550 or 2650
with 1G Ram, 30G hard drive space, and varied CPU configurations.
What we have available are as follows: single 933MHz Xeon in the 2550,
single or dual 1.3 or 1.8 GHz Xeon in the 2650.

I realize that Squid relies more on disk seek times than actual
transfer rate or CPU power.  If I've been told right, the disks are
all mirrored 30G drives, but I don't have seek times on hand.

I know that most reverse proxies out there - both commercial and open
source are typically single CPU architectures, so that will be the
initial focus.

The problem I would like help with here is the version of FreeBSD that
would be more likely to handle this kind of load, particularly with
respect to Posix asynchronous I/O.  I've been told that 4.6 and
earlier didn't have great Posix A-I/O support, but is it better in
4.8, or should I jump to 5.0?

Also, if anyone knows of a reverse proxy that may be able to do better
than Squid, I'd certainly welcome the suggestion.  The benchmarks I've
seen online indicate I may need to improve squid by a factor of 10.
Not sure that's really an option unless the benchmark I've seen is
horribly biased.  Of course, if anyone has a web site that details
some of the finer tweaks that might at least get Squid close to the
requirements, that'd be great too.

Thanks in advance.

Lou
-- 
Louis LeBlanc   [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

Armor's Axiom:
  Virtue is the failure to achieve vice.


Re: Newbie proxy question

2003-07-13 Thread Lowell Gilbert
Remington L. [EMAIL PROTECTED] writes:

 I am interested in installing an FTP proxy server on my default gateway. I
 understand caching and all that, my question goes along the lines of
 security. Let's say I leave ports 21, 20 open on the server (default gateway)
 and I have another machine which is the actual FTP server. 

You also need to handle the data connections, and forward them.

  I read
 somewhere about proxy packet inspection. It is my understanding that without
 the proxy anyone can portscan me and find the open port. With proxy
 inspection it will only allow in valid FTP commands through, making it
 harder to find the open ports. Does this hold true?

You can be portscanned in either case.  To support FTP, you have to
have the FTP command port open.



Newbie proxy question

2003-07-09 Thread Remington L.
I am interested in installing an FTP proxy server on my default gateway. I
understand caching and all that, my question goes along the lines of
security. Let's say I leave ports 21, 20 open on the server (default gateway)
and I have another machine which is the actual FTP server. I read
somewhere about proxy packet inspection. It is my understanding that without
the proxy anyone can portscan me and find the open port. With proxy
inspection it will only allow in valid FTP commands through, making it
harder to find the open ports. Does this hold true? And I would like to hear
any ideas you guys may have on a good proxy; right now I'm looking at jftpgw.

Thanks for your time
-Remi




Re: setting up proxy question 2, aim behind firewall

2003-02-26 Thread Kirk Strauser
At 2003-02-26T13:36:25Z, Alvaro Gil [EMAIL PROTECTED] writes:

 I read through the squid manuals and it requires a ton of disk space and
 ram and a moderately fast computer.

It does if you're using it as a transparent cache for a large ISP.  For your
purposes, your P166 will be plenty sufficient.  If you do install Squid, you
can also install AdZap, which works as a plugin to remove advertisements
from pages that Squid sends to clients.  Configure your browser to use your
new cache, and welcome to the world of no (ok, less) banner ads!  Kill two
birds with one stone!
-- 
Kirk Strauser
In Googlis non est, ergo non est.




setting up proxy question 2, aim behind firewall

2003-02-26 Thread Alvaro Gil
I read through the squid manuals and it requires a ton of disk space 
and ram and a moderately fast computer. My server is a wimpy little 
Pentium 166 with 48 megs of ram and a 6 gig hard drive.  Is there a 
simpler way to set up a method of using AIM behind a firewall?  I don't 
need an industrial strength Proxy, just something so I can use AIM 
behind a firewall.

Thanks.

Alvaro Gil
http://www.AlvaroGil.com
'84 Volvo 242 Turbo (Silver)
'97 Leopard Gecko (White, Yellow, Black)

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message


Re: setting up proxy question 2, aim behind firewall

2003-02-26 Thread Matthew Seaman
On Wed, Feb 26, 2003 at 08:36:25AM -0500, Alvaro Gil wrote:
 I read through the squid manuals and it requires a ton of disk space 
 and ram and a moderately fast computer. My server is a wimpy little 
 Pentium 166 with 48 megs of ram and a 6 gig hard drive.  Is there a 
 simpler way to set up a method of using AIM behind a firewall?  I don't 
 need an industrial strength Proxy, just something so I can use AIM 
 behind a firewall.

Apache has a mod_proxy which might be suitable for your uses.

http://httpd.apache.org/docs/mod/mod_proxy.html

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK
