Daryl Caudill
2008-Jun-12 04:29 UTC
Can shorewall prevent SSH tunnels thru the squid proxy?
Hi all,

I've been googling for hours, and can't find one link that even discusses this.

I'm trying to figure out how to prevent people from bypassing my firewall, by using an SSH tunnel through the squid proxy server running on my firewall.

I'm running Debian Etch 4.0 stable, shorewall 3.2.6-2, squid 2.6.5-6, dansguardian 2.8.0.6.

I've googled, and there are hundreds of sites that teach how to bypass the proxy, but none explain how to prevent it. Squid doesn't appear to be able to stop them. I'm thinking a shorewall/iptables rule to recognize the SSH tunnel via proxy attempt, and drop it. If not shorewall directly, then maybe snort or fwsnort?

I'm open to suggestions. Also, I've documented my firewall, wrote this how-to: www.abazaba.org/debian/firewall.html

Thanks
Terry Gilsenan
2008-Jun-12 05:57 UTC
Re: Can shorewall prevent SSH tunnels thru the squid proxy?
Daryl Caudill wrote:
> Hi all,
>
> I've been googling for hours, and can't find one link that even discusses this.
>
> I'm trying to figure out how to prevent people from bypassing my firewall, by using an SSH tunnel through the squid proxy server running on my firewall.
>
> I'm running Debian Etch 4.0 stable, shorewall 3.2.6-2, squid 2.6.5-6, dansguardian 2.8.0.6.
>
> I've googled, and there are hundreds of sites that teach how to bypass the proxy, but none explain how to prevent it. Squid doesn't appear to be able to stop them. I'm thinking a shorewall/iptables rule to recognize the SSH tunnel via proxy attempt, and drop it. If not shorewall directly, then maybe snort or fwsnort?

Try rate-limiting port 443 connections so that they are so slow that people only use them when they absolutely have to. I found this was quite useful for blocking skype.

T

> I'm open to suggestions. Also, I've documented my firewall, wrote this how-to: www.abazaba.org/debian/firewall.html
>
> Thanks
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Simon Hobson
2008-Jun-12 09:32 UTC
Re: Can shorewall prevent SSH tunnels thru the squid proxy?
Daryl Caudill wrote:
> I've been googling for hours, and can't find one link that even discusses this.
>
> I'm trying to figure out how to prevent people from bypassing my firewall, by using an SSH tunnel through the squid proxy server running on my firewall.

Do you mean SSH or SSL - SSH doesn't have anything to do with Squid!

The whole point of SSL & SSH is that the data is encrypted and you cannot tell what is in it. You can make 'educated guesses' that perhaps if there are a lot of small packets making up a regular constant data stream then it could be (say) a VOIP voice stream, but it would still be a guess.
Daryl Caudill
2008-Jun-12 13:03 UTC
Re: Can shorewall prevent SSH tunnels thru the squid proxy?
I mean SSH. SSH sessions thru the web proxy server that requires authentication. Here are a few examples:

http://www.your-freedom.net/index.php?id=4
http://polishlinux.org/apps/ssh-tunneling-to-bypass-corporate-firewalls/
http://weyland.be/wrdprss/index.php/2005/09/28/connections-through-firewall-via-ssh-tunnel/

I've read threads hinting it's possible to block them, but no specifics yet. I'm thinking of creating a virtual ethernet interface, put squid on it, put blocking filters on it, then when dansguardian forwards to squid on that interface, hits the filters. Fwsnort comes to mind, might be a good way to go. There has got to be a way, that doesn't consume too much cpu/resources.

--- On Thu, 6/12/08, Simon Hobson <linux@thehobsons.co.uk> wrote:
> From: Simon Hobson <linux@thehobsons.co.uk>
> Subject: Re: [Shorewall-users] Can shorewall prevent SSH tunnels thru the squid proxy?
> To: shorewall-users@lists.sourceforge.net
> Date: Thursday, June 12, 2008, 5:32 AM
>
> Daryl Caudill wrote:
>
> > I've been googling for hours, and can't find one link that even discusses this.
> >
> > I'm trying to figure out how to prevent people from bypassing my firewall, by using an SSH tunnel through the squid proxy server running on my firewall.
>
> Do you mean SSH or SSL - SSH doesn't have anything to do with Squid!
>
> The whole point of SSL & SSH is that the data is encrypted and you cannot tell what is in it. You can make 'educated guesses' that perhaps if there are a lot of small packets making up a regular constant data stream then it could be (say) a VOIP voice stream, but it would still be a guess.
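One concrete handle on the problem raised in this thread: although the SSH session itself is encrypted, RFC 4253 requires both peers to send a cleartext identification string ("SSH-2.0-...") before key exchange, while an HTTPS session starts with a TLS handshake record. A filter on the proxy's outbound leg (the bytes Squid relays after a CONNECT to port 443) can therefore distinguish the two. The following classifier is an added example, not code from the thread or from Shorewall/Squid; the streams it inspects are constructed samples, and the hypothetical `flag_tunnels` helper only reports which clients warrant a closer look.

```python
"""Classify the first bytes a proxy relays after CONNECT host:443.

SSH (RFC 4253): a cleartext line "SSH-protoversion-softwareversion\\r\\n"
is sent by both sides before anything is encrypted.
TLS: the first record is a handshake (content type 0x16) with a
0x03 0x0x version field. Everything else is reported as unknown.
"""

SSH_PREFIX = b"SSH-"
TLS_HANDSHAKE = 0x16
SSH_VERSIONS = (b"2.0", b"1.99", b"1.5")


def classify_stream(first_bytes: bytes) -> str:
    """Return 'ssh', 'tls', or 'unknown' for the start of a stream."""
    if first_bytes.startswith(SSH_PREFIX):
        # Identification string: SSH-<protoversion>-<softwareversion>
        line = first_bytes.split(b"\r\n", 1)[0]
        parts = line.split(b"-", 2)
        if len(parts) == 3 and parts[1] in SSH_VERSIONS:
            return "ssh"
        return "unknown"
    if (len(first_bytes) >= 3 and first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls"
    return "unknown"


def flag_tunnels(streams):
    """Hypothetical helper: given (client, dest_port, first_bytes) triples,
    return clients that speak SSH on any port or that opened something other
    than TLS on 443, the port a CONNECT-only proxy policy usually allows."""
    flagged = []
    for client, port, data in streams:
        kind = classify_stream(data)
        if kind == "ssh" or (port == 443 and kind != "tls"):
            flagged.append(client)
    return flagged


# Constructed sample streams (not captured traffic): a TLS ClientHello
# start, an SSH banner on 443, plain HTTP on 443, and SSH on port 80.
SAMPLE_STREAMS = [
    ("10.0.0.11", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    ("10.0.0.12", 443, b"SSH-2.0-OpenSSH_4.3\r\n"),
    ("10.0.0.13", 443, b"GET / HTTP/1.1\r\n"),
    ("10.0.0.14", 80, b"SSH-2.0-OpenSSH_4.3\r\n"),
]

if __name__ == "__main__":
    print(flag_tunnels(SAMPLE_STREAMS))
```

Only the version exchange is visible this way; as Simon notes, once key exchange completes nothing further about the payload can be read, so the check belongs on the first bytes of each tunnel, for example in a snort/fwsnort-style content rule on the firewall host's outbound 443 traffic.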
Cristian Rodriguez
2008-Jun-17 23:35 UTC
Re: Can shorewall prevent SSH tunnels thru the squid proxy?
Daryl Caudill wrote:
> Hi all,
>
> I've been googling for hours, and can't find one link that even discusses this.

Shorewall can't; there are zillions of ways to bypass your setup. Looks like it is time for you to fix your policies instead.