Re: Bypassed Proxy

23.12.2016 23:30, Sameh Onaissi wrote:
> Thank you all for the suggestions.
>
> I will try to read up on iptables and add the necessary rules, as well as try to add norhtghost IPs to the blacklist.
AFAIK not IPs, but network ranges. And you need to update it regularly,
to keep it up to date, and make enough exceptions so that innocent sites work.
>
> On another note, I noticed Tor Browser bypasses squid completely. The only search results I found on how to block it with squid date back to 2011. (Amos has a script for that?)
> Any idea how to block Tor? I downloaded it and ran it and none of its traffic is detected by Squid.
Bridged Tor?! Cool story, bro. Even the China government, with the Great China
Firewall, can't block Tor.

PS. Personal advice. Forget about blocking Tor. Forever. It is designed to
prevent any blocking. And well designed.
>
>> On Dec 23, 2016, at 4:31 AM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:
>>
>> My suggestion would be to find the holes in the system.
>> There are a couple of good networking tools, i.e.:
>> Iptstate
>> Iptraf-ng
>> netstat-nat
>> conntrackd-tools
>>
>> The above tools have the options to see what parts of the IP is not ports such as:
>> 53
>> 80
>> 443
>>
>> Which you can control easily.
>> You can easily add a DROP or REJECT rule in iptables for all new connections on other than these ports as a starter.
>> It's very simple to write and I think you should dig a bit on iptables so you would be able to understand how it works better to give you a glimpse into the networking security world.
>> This amazing site and page:
>> http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
>>
>> Gives a better understanding to iptables and also on networking.
>> If you need more guidance let me know.
>>
>> Eliezer 
>>
>> ----
>> Eliezer Croitoru
>> Linux System Administrator
>> Mobile: +972-5-28704261
>> Email: eliezer@xxxxxxxxxxxx
>>
>>
>> -----Original Message-----
>> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Sameh Onaissi
>> Sent: Friday, December 23, 2016 2:03 AM
>> To: Antony Stone <Antony.Stone@xxxxxxxxxxxxxxxxxxxx>
>> Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
>> Subject: Re:  Bypassed Proxy
>>
>> I have been trying to replicate what he is doing.
>>
>> I have tried 4 or 5 VPN software and none connects, including Hotspot Shield. My iptables seem to be doing the job in that regard (Eliezer helped me set them up)
>>
>>
>>
>>> On Dec 22, 2016, at 5:14 PM, Antony Stone <Antony.Stone@xxxxxxxxxxxxxxxxxxxx> wrote:
>>>
>>> On Thursday 22 December 2016 at 22:50:33, Sameh Onaissi wrote:
>>>
>>>> The user has hotspot shield installed on his PC, which I believe is a 
>>>> similar extension to the one you mentioned.
>>>> He is getting by squid with some sort of VPN, I thought squid can be 
>>>> configured against such things?
>>> It sounds as though you need to review your firewall (routing) policies.
>>>
>>> Anyone who is allowed to use a VPN can effectively bypass all security 
>>> policies on your network.
>>>
>>>
>>> Antony.
>>>
>>> --
>>> Schrödinger's rule of data integrity: the condition of any backup is 
>>> unknown until a restore is attempted.
>>>
>>>                                                  Please reply to the list;
>>>                                                        please *don't* CC me.
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
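
The two steps Eliezer describes in the quoted message (see which flows are not on ports 53, 80 and 443, then reject new connections on other ports), as an added example that is not part of the thread. The interface name `eth1`, the function names and the sample conntrack lines are constructed assumptions, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not from the thread. eth1, the function names and the sample
# conntrack lines are constructed assumptions.
ALLOWED_PORTS="53 80 443"

# Step 1, find the holes: read `conntrack -L`-style lines on stdin and print
# "client proto dport count" for flows whose destination port is not allowed.
off_allowlist_flows() {
    awk -v ports="$ALLOWED_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
    {
        src = ""; dport = ""
        # The first src= and dport= on a line describe the original direction.
        for (i = 1; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (dport != "" && !(dport in ok)) seen[src " " $1 " " dport]++
    }
    END { for (k in seen) print k, seen[k] }' | sort
}

# Step 2, close them: print (not apply) FORWARD rules that accept replies and
# new connections to the allowed ports, then reject the rest from the LAN.
forward_rules() {
    lan_if=$1
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in $ALLOWED_PORTS; do
        for proto in tcp udp; do
            # UDP is opened for DNS only.
            if [ "$proto" = tcp ] || [ "$port" = 53 ]; then
                echo "iptables -A FORWARD -i $lan_if -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
            fi
        done
    done
    echo "iptables -A FORWARD -i $lan_if -j REJECT"
}

sample_conntrack() {  # constructed sample, not a real capture
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=192.168.1.10 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.10 dst=198.51.100.2 sport=40000 dport=53 src=198.51.100.2 dst=192.168.1.10 sport=53 dport=40000 mark=0 use=1
udp      17 170 src=192.168.1.23 dst=203.0.113.77 sport=50111 dport=1194 src=203.0.113.77 dst=192.168.1.23 sport=1194 dport=50111 [ASSURED] mark=0 use=1
tcp      6 86400 ESTABLISHED src=192.168.1.23 dst=203.0.113.80 sport=50112 dport=9001 src=203.0.113.80 dst=192.168.1.23 sport=9001 dport=50112 [ASSURED] mark=0 use=1
EOF
}

sample_conntrack | off_allowlist_flows   # live: conntrack -L | off_allowlist_flows
forward_rules eth1
```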
