My suggestion would be to find the holes in the system.
There are a couple of good networking tools, i.e.:
Iptstate
Iptraf-ng
netstat-nat
conntrackd-tools

The above tools have the options to see what parts of the IP are not ports such as:
53
80
443

Which you can control easily.
You can easily add a DROP or REJECT rule in iptables for all new connections on ports other than these as a starter.
It's very simple to write, and I think you should dig a bit into iptables so you would be able to understand how it works better, to give you a glimpse into the networking security world.

This amazing site and page:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

gives a better understanding of iptables and also of networking.

If you need more guidance let me know.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Sameh Onaissi
Sent: Friday, December 23, 2016 2:03 AM
To: Antony Stone <Antony.Stone@xxxxxxxxxxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Bypassed Proxy

I have been trying to replicate what he is doing. I have tried 4 or 5 VPN software and none connects, including Hotspot Shield. My iptables seem to be doing the job in that regard (Eliezer helped me set them up).

> On Dec 22, 2016, at 5:14 PM, Antony Stone <Antony.Stone@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Thursday 22 December 2016 at 22:50:33, Sameh Onaissi wrote:
>
>> The user has hotspot shield installed on his PC, which I believe is a
>> similar extension to the one you mentioned.
>
>> He is getting by squid with some sort of VPN, I thought squid can be
>> configured against such things?
>
> It sounds as though you need to review your firewall (routing) policies.
>
> Anyone who is allowed to use a VPN can effectively bypass all security
> policies on your network.
>
>
> Antony.
>
> --
> Schrödinger's rule of data integrity: the condition of any backup is
> unknown until a restore is attempted.
>
> Please reply to the list;
> please *don't* CC me.
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
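An added example, not part of the thread: one way to do the "find the holes" step on the gateway is to filter connection-tracking output for flows whose destination port is not 53, 80 or 443. It assumes input in the format printed by `conntrack -L` from conntrack-tools (assumed to be the package meant in the tool list above); the function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: list tracked flows whose destination port is outside the
# allowed set. On a live gateway: conntrack -L | unexpected_flows

ALLOWED_PORTS="53 80 443"   # the ports named in the reply above

# Reads conntrack -L style lines on stdin and prints "proto src dst dport"
# for each flow whose original-direction dport is not in ALLOWED_PORTS.
unexpected_flows() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        src = dst = dport = ""
        # Each entry carries two tuples: original direction first, then the
        # reply. Only the first src=/dst=/dport= is taken, otherwise the
        # ephemeral client port in the reply tuple would be misread.
        for (i = 1; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            else if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            else if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        # Entries without a dport (port-less protocols such as ICMP) are
        # skipped here and need a separate look.
        if (dport != "" && !(dport in ok)) print $1, src, dst, dport
    }'
}

# Constructed sample input (documentation address ranges, not real hosts).
sample_conntrack() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.10 sport=51514 dport=443 src=203.0.113.10 dst=192.168.1.20 sport=443 dport=51514 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.20 dst=198.51.100.53 sport=40112 dport=53 src=198.51.100.53 dst=192.168.1.20 sport=53 dport=40112 mark=0 use=1
udp      17 170 src=192.168.1.37 dst=203.0.113.77 sport=55012 dport=1194 src=203.0.113.77 dst=192.168.1.37 sport=1194 dport=55012 [ASSURED] mark=0 use=1
tcp      6 110 TIME_WAIT src=192.168.1.37 dst=203.0.113.78 sport=49822 dport=8080 src=203.0.113.78 dst=192.168.1.37 sport=8080 dport=49822 [ASSURED] mark=0 use=1
EOF
}

sample_conntrack | unexpected_flows
```

Flows reported this way are the candidates for the DROP or REJECT rule on new connections mentioned in the reply.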