On Tue, Jan 23, 2007 at 05:41:26AM -0500, Roberto C. Sanchez wrote:
> At any rate, you would probably need to block all outbound traffic on
> every port except for 80 (or chosen proxy port) and set up a
> non-transparent authenticating proxy to really make this work. However,
> that is rather draconian if you ask me.
And it still doesn't work. There's a piece of software around somewhere that sets up an IP tunnel over HTTP GET/POST messages - it'll go right through any kind of proxy because it looks like normal web traffic (there's even a proof-of-concept implementation that uses valid HTML content in the messages).

For practical purposes: either block outbound internet access entirely or don't waste your time trying. A person with control over a generic computer on both sides of a firewall can always tunnel through it somehow, if they can get any data through at all. Firewalls are useless against such people; if you want to control what they do, use something else instead (like a cattle prod).

(We can consider a filtering proxy to be a strange kind of firewall.)
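Since the reply above argues that an IP-over-HTTP tunnel passes a proxy because it looks like ordinary web traffic, the defender's fallback is to look at traffic shape rather than content. The following is an added example, not code from this thread or from Shorewall: a heuristic over a constructed proxy access log (field layout, thresholds and log lines are all assumptions) that flags client/host streams that are almost entirely POSTs of near-constant size at a steady cadence, a pattern browsers rarely produce but a tunnel carrying keepalives or polled packets does.

```python
# Added example (not from the original thread): heuristic flagging of
# HTTP-tunnel-like traffic in proxy access logs. Field layout, thresholds
# and the log lines below are constructed for illustration only.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log lines: "epoch client method host bytes"
SAMPLE_LOG = """\
1169545200 10.0.0.5 GET www.example.org 1834
1169545203 10.0.0.5 GET www.example.org 52011
1169545210 10.0.0.5 GET news.example.net 9120
1169545260 10.0.0.5 POST forms.example.net 412
1169545200 10.0.0.9 POST relay.example.com 1400
1169545201 10.0.0.9 POST relay.example.com 1400
1169545202 10.0.0.9 POST relay.example.com 1398
1169545203 10.0.0.9 POST relay.example.com 1400
1169545204 10.0.0.9 POST relay.example.com 1401
1169545205 10.0.0.9 POST relay.example.com 1400
"""


def parse_log(text):
    """Group (timestamp, method, bytes) records per (client, host) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, client, method, host, size = line.split()
        flows[(client, host)].append((int(ts), method, int(size)))
    return flows


def looks_like_tunnel(records, min_requests=5):
    """True when a client<->host stream is mostly POSTs, has near-constant
    request size and a steady sub-2s cadence. Each signal alone is weak;
    all three together rarely occur in normal browsing."""
    if len(records) < min_requests:
        return False
    records = sorted(records)
    post_share = sum(1 for _, m, _ in records if m == "POST") / len(records)
    sizes = [s for _, _, s in records]
    avg = mean(sizes)
    size_cv = pstdev(sizes) / avg if avg else 0.0  # coefficient of variation
    gaps = [b[0] - a[0] for a, b in zip(records, records[1:])]
    return post_share >= 0.8 and size_cv < 0.05 and mean(gaps) <= 2


def suspicious_flows(text):
    """Return the (client, host) pairs whose traffic shape matches a tunnel."""
    return sorted(k for k, v in parse_log(text).items() if looks_like_tunnel(v))
```

Thresholds here are deliberately conservative to keep false positives low on real logs; treat a hit as a prompt for investigation, not as proof.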
