Hi,

I've been trying to figure out an efficient way of blocking unwanted traffic which uses port 80 (or 443). In an ideal world, LAN users should simply "behave" and use network resources with care. However, in a big network it's likely that there will be some uncivilized users once in a while.

I would like to block services such as LogMeIn (I suppose it works like httptunnel from www.nocrew.org).

Until now, I have blocked specific IP addresses (such as the LogMeIn servers).

Has anyone used a more efficient/global solution (apart from blocking HTTP access altogether)?

Has anyone already used l7 to do this (or can it)?

I know shorewall doesn't support l7 but are there any alternatives to detect "non-HTTP" traffic going through port 80?

Regards,

Vieri

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
On Thu, 2008-09-25 at 04:12 -0700, Vieri Di Paola wrote:
> Hi,
>
> I've been trying to figure out an efficient way of blocking unwanted traffic which uses port 80 (or 443).

Use an HTTP[S] proxy and block all other outbound/direct traffic.

b.
[ First, please fix your mail client to properly wrap lines. ]

On Thu, Sep 25, 2008 at 04:12:14AM -0700, Vieri Di Paola wrote:
> Hi,
>
> I've been trying to figure out an efficient way of blocking unwanted
> traffic which uses port 80 (or 443). In an ideal world, LAN users
> should simply "behave" and use network resources with care. However,
> in a big network it's likely that there will be some uncivilized users once
> in a while.
>

Your best bet is to use squid. Squid has a nice acl feature that allows
you to block based on domain name and/or url key words. Shorewall, being
a configuration tool for netfilter, is limited to operating at the
levels provided by netfilter (hint: http is an application layer
protocol and netfilter does not go that high in the stack).

Some things to keep in mind if you decide to use squid:

- You can transparently proxy non-SSL traffic, but it is not possible to
  transparently proxy SSL traffic
- If you have more than two or three people who will be affected by
  this, you really need to make squid authenticate its users
- It is best to do non-transparent proxying (i.e., where the user enters
  the proxy setting into Mozilla or whatever) since that will ensure
  that the proxy is used based on the protocol and not just the port
- If you have Unix/Linux users this might annoy them as there is no
  central place to enter proxy information (like in Windows) and so
  they will need to configure every app (e.g., Mozilla, wget, curl, etc)

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Do you have a proxy? If so it can be done pretty easily on proxy servers.

Chakri

Vieri Di Paola wrote:
> Hi,
>
> I've been trying to figure out an efficient way of blocking unwanted traffic which uses port 80 (or 443). In an ideal world, LAN users should simply "behave" and use network resources with care. However, in a big network it's likely that there will be some uncivilized users once in a while.
>
> I would like to block services such as LogMeIn (I suppose it works like httptunnel from www.nocrew.org).
>
> Until now, I have blocked specific IP addresses (such as the LogMeIn servers).
>
> Has anyone used a more efficient/global solution (apart from blocking HTTP access altogether)?
>
> Has anyone already used l7 to do this (or can it)?
>
> I know shorewall doesn't support l7 but are there any alternatives to detect "non-HTTP" traffic going through port 80?
>
> Regards,
>
> Vieri
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
--- On Thu, 9/25/08, Roberto C. Sánchez <roberto@connexer.com> wrote:
> [ First, please fix your mail client to properly wrap lines. ]

I'm using Yahoo's webmail.
Will have to subscribe from another account.

> Your best bet is to use squid. Squid has a nice acl feature that allows
> you to block based on domain name and/or url key words.

Thanks but what if I don't know beforehand the domain names and/or url keywords?

I already set up once a custom http tunnel with a ssh server to take control of a remote host via vnc, bypassing its firewall (however, the remote host did not have a proxy). I suppose that by forcing the use of Squid the HTTP requests/replies will be done by the proxy itself so they will be "truly http".

What about HTTPS?

According to
http://wiki.squid-cache.org/SquidFaq/AboutSquid#head-593dae4b6b740816917a6cc2ce5854d3d43624ee
it seems that HTTPS connections are just passed through. So I guess that if port 443 is allowed then applications "such as" LogMeIn could go through that port.

Thanks for your comments.

Vieri
On Thu, Sep 25, 2008 at 06:43:47AM -0700, Vieri Di Paola wrote:
>
> --- On Thu, 9/25/08, Roberto C. Sánchez <roberto@connexer.com> wrote:
>
> > [ First, please fix your mail client to properly wrap lines. ]
>
> I'm using Yahoo's webmail.
> Will have to subscribe from another account.
>

If you use "plain text" instead of "rich text" it should work properly.

> > Your best bet is to use squid. Squid has a nice acl feature that allows
> > you to block based on domain name and/or url key words.
>
> Thanks but what if I don't know beforehand the domain names and/or url
> keywords?
>

I'm not sure.

> I already set up once a custom http tunnel with a ssh server to take
> control of a remote host via vnc, bypassing its firewall (however, the
> remote host did not have a proxy). I suppose that by forcing the use
> of Squid the HTTP requests/replies will be done by the proxy itself so
> they will be "truly http".
>
> What about HTTPS?
>
> According to
> http://wiki.squid-cache.org/SquidFaq/AboutSquid#head-593dae4b6b740816917a6cc2ce5854d3d43624ee
> it seems that HTTPS connections are just passed through. So I guess
> that if port 443 is allowed then applications "such as" LogMeIn could
> go through that port.
>

Think about it for a minute. If you could intercept the https packets
and look inside of them, then so could anybody. What would be the point
of SSL then? It would be worthless.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
--- On Thu, 9/25/08, Roberto C. Sánchez <roberto@connexer.com> wrote:
> > > [ First, please fix your mail client to properly
> > > wrap lines. ]
> >
> > I'm using Yahoo's webmail.
> > Will have to subscribe from another account.
> >
> If you use "plain text" instead of "rich
> text" it should work properly.

I've always used plain text.
It's the case right now.
So if the lines are not wrapped properly I apologize on behalf of Yahoo. :-)
(will try to write as little as possible for clearness)

> Think about it for a minute. If you could intercept the
> https packets
> and look inside of them, then so could anybody. What would
> be the point
> SSL then? It would be worthless.

Understood.

So basically, since it's absurd to block access to HTTPS sites from "loc to net" and SSL traffic can't obviously be "sniffed" or "truly proxied" then I have to live with the fact that, for example, a local user could execute a program (which doesn't require admin rights) that launches a custom, mini-vnc server and connects to a remote SSH server which is actually listening on port 443. A remote user could then connect to the SSH server and tunnel a vnc client to connect to my local user's screen (s/vnc/rdp/g).

Please let me know if I'm writing nonsense.

Vieri
On Thu, Sep 25, 2008 at 08:52:56AM -0700, Vieri Di Paola wrote:
>
> I've always used plain text.
> It's the case right now.
> So if the lines are not wrapped properly I apologize on behalf of Yahoo. :-)
> (will try to write as little as possible for clearness)
>

Then don't worry about it. :-)

>
> Understood.
>
> So basically, since it's absurd to block access to HTTPS sites from
> "loc to net" and SSL traffic can't obviously be "sniffed" or "truly
> proxied" then I have to live with the fact that, for example, a local
> user could execute a program (which doesn't require admin rights) that
> launches a custom, mini-vnc server and connects to a remote SSH server
> which is actually listening on port 443. A remote user could then
> connect to the SSH server and tunnel a vnc client to connect to my
> local user's screen (s/vnc/rdp/g).
>
> Please let me know if I'm writing nonsense.
>

It makes sense. If your users are that savvy, there is not much you can
do about it :-)

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
> In an ideal world, LAN users should simply "behave" and use network
> resources with care. However, in a big network it's likely that there will be
> some uncivilized users once in a while.

If fair use of limited bandwidth (rather than unsanctioned activity) is the main issue, then perhaps a good way to handle it is with "traffic shaping" (and/or Quality Of Service). I've seen an example where P2P traffic was almost completely eliminated with no ongoing maintenance requirement just by cleverly lowering its priority (rather than by trying to prohibit certain sites or content). For web traffic (and fake web traffic), try using firewall features that count bytes or time, then severely demoting the priority of connections that are "too big" or "too long".

> Has anyone used a more efficient/global solution ...?

The best filter I know of is DansGuardian (usually actually implemented as a DansGuardian/Squid combination, in a configuration in which DansGuardian does all the filtering and Squid only does caching and access but is not involved in the filtering at all). As it actually scans over the content, it can block (parts of) sites that you haven't actually listed by IP/URL.

> Has anyone already used l7 to do this (or can it)?

Unfortunately I'm not using it and I haven't heard anything from anybody who uses it as part of a filtering system, but hopefully I just listen in the wrong circles. I'm very curious if L7 can reasonably address the current https: filtering mess. If you find out, please tell us all.

> ... are there any alternatives to detect "non-HTTP" traffic going
> through port 80?

Once you have content scanning, port 80 will no longer be such a big problem. The current big problem is port 443. If you find an open source software tool that can identify port 443 connections that don't use W3C-sanctioned encryption handshake methods, let everybody know -- this is currently the Holy Grail of filtering!!

-----

The previous response about forcing everyone to use "local proxy" settings in their browser to access the web through your gateway rather than directly, giving your gateway its own SSL certificate, then having traffic decrypted/scanned/recrypted at the gateway, applies (perhaps even more) to DansGuardian than to Squid. It may be your best alternative currently. Note well the previously mentioned caveats about _not_ using "transparency", configuration difficulty, etc. etc.

(HTTPS has become such a big problem in the filtering world because there's lots of money behind it. Anything that was developed to circumvent political censorship can also be used to circumvent web filtering. The U.S. government is currently devoting significant resources to circumventing the "Great Firewall of China". Private organizations such as EFF have also supported some efforts. Ergo, excellent tools for flouting web filtering are readily available.)

-----

(For reference, also see my old posting/rant at http://tech.groups.yahoo.com/group/dansguardian/message/21540)

thanks!

-Chuck Kollars
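As an added illustration of the detection the thread is circling (non-HTTP on port 80, and port 443 flows that never start a TLS handshake), here is a small classifier over the first client bytes of a flow. This is example code written for this thread, not anything from Shorewall, Squid, DansGuardian or l7-filter; the sample flows are constructed, and the TLS test only checks the record header and ClientHello type, not the full handshake.

```python
"""Flag TCP flows whose first client payload does not match the protocol
expected on the destination port (80 -> HTTP request, 443 -> TLS ClientHello)."""
import re

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")

# Protocol a defender expects to see on each well-known port
EXPECTED_BY_PORT = {80: "http", 443: "tls"}


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'ssh', 'http' or 'unknown' for the first client->server bytes."""
    # TLS record: content type 0x16 (handshake), version 0x03 0x00..0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello) at offset 5.
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == 0x01):
        return "tls"
    # SSH clients send their identification string first (RFC 4253)
    if data.startswith(b"SSH-"):
        return "ssh"
    if HTTP_REQUEST_LINE.match(data):
        return "http"
    return "unknown"


def flag_mismatches(flows):
    """flows: iterable of (src_ip, dst_port, first_payload_bytes).
    Returns [(src_ip, dst_port, observed_protocol)] for flows whose
    observed protocol differs from what the port is meant to carry."""
    alerts = []
    for src, port, payload in flows:
        want = EXPECTED_BY_PORT.get(port)
        seen = classify_first_bytes(payload)
        if want is not None and seen != want:
            alerts.append((src, port, seen))
    return alerts


# Constructed sample flows (not real captures): a normal HTTP request, a
# normal TLS 1.0 ClientHello header, an SSH banner on 443, opaque bytes on 80.
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("10.0.0.6", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4]) + b"\x03\x01" + b"\x00" * 32),
    ("10.0.0.7", 443, b"SSH-2.0-OpenSSH_5.1\r\n"),
    ("10.0.0.8", 80, b"\x00\x01\x02tunnelled-blob"),
]

if __name__ == "__main__":
    for alert in flag_mismatches(SAMPLE_FLOWS):
        print("port/protocol mismatch:", alert)
```

A tunnel that deliberately mimics a TLS ClientHello passes this check, which is exactly the limit Roberto and Chuck describe; it catches the sloppy cases (plain SSH or raw bytes on 443/80) and leaves the rest to a proxy with authentication.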
--- On Thu, 9/25/08, Chuck Kollars <ckollars9@yahoo.com> wrote:
> tool that can identify port
> 443 connections that don't use W3C-sanctioned encryption
> handshake methods

That could be interesting.

Thank you and the rest of the ML users for the feedback.

Vieri