Re: Netcat through Squid HTTP Proxy

From: Chris Kuethe (chris.kuethe@gmail.com)
Date: Tue Apr 19 2005 - 11:32:22 EDT


On 4/18/05, Henderson, Dennis K. <Dennis.Henderson@umb.com> wrote:
> It seems like he was looking for information on how to prevent this.

Short answer: good luck, unless you can definatively teach squid about
what https, etc. looks like. Application layer gateways don't do you
much good if they don't watch for protcol abuses.

Limiting CONNECT is one way to do it, but that means you a) need to
sniff and decode at least the initial negotiation [is this really an
SSL session?] or b) are going to break HTTPS.

> You can configure squid to only allow tunneling on certain ports like
> 443 and 80. You'll have to figure out what your safe ports are to
> prevent legitimate traffic from being impacted.

until someone sets up a world-reachable box with every port redirected
to 127.0.0.1:22 to get around this...

> I usually make sure the usual ports like ssh, telnet, irc are not
> allowed.

Make sure you don't allow DNS out either. Otherwise someone will come
along with an IP-over-DNS tunneller.

CK

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:20 EDT