Linked by Thom Holwerda on Sat 17th Jan 2009 07:05 UTC
Thread beginning with comment 343970
To read all comments associated with this story, please click here.
I'm not that familiar with Squid but from what I could understand, there's nothing here that prevents an ssh tunnel to another host on the outside and accessing the Internet via that. Even if port 22 is blocked, an SSH server anywhere between the following range seems possible:
acl Safe_ports port 1025-65535
That creates the ACL, but it's the http_access lines that actually implement the ACL. The Safe_ports ACL is used like so:
http_access deny !Safe_ports
http_access allow localhost
So, only localhost is allowed to connect, which means only connections redirected via iptables are allowed to connect to Squid.
However, where this setup breaks down is that FTP and Windows file sharing are allowed to ANYWHERE!! Which means, any kid smart enough to figure out SSH can connect to an SSH server running on port 21, 135-139, or 445, and have unrestricted access to the Internet via SSH tunnelling.
Why in the world would anyone allow SMB shares to the Internet?? Boggles the mind. (Actually, what boggles the mind is why anyone would run Linux as a firewall, considering the horrible syntax for iptables compared to PF or even IPFW on any of the BSDs.)
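An added example (not part of this thread or of the article it discusses) that models the Squid acl/http_access evaluation the comment above walks through, so the effect of the quoted Safe_ports range can be checked against requests. It assumes an explicitly defined localhost ACL and only models the port, src and method ACL types; the tighter second configuration is a constructed variant, not from the page.

```python
# Mini-evaluator for the Squid acl/http_access semantics quoted in the thread: a
# line fires only when every ACL term matches ("!" negates), first firing line wins.
from collections import namedtuple
from ipaddress import ip_address, ip_network
Request = namedtuple("Request", "src port method", defaults=["GET"])

# Constructed: the rules quoted in the thread, plus an explicit localhost ACL.
PAGE_CONFIG = """
acl localhost src 127.0.0.1/32
acl Safe_ports port 1025-65535
http_access deny !Safe_ports
http_access allow localhost
"""
# Constructed: a tighter variant in which CONNECT may only reach port 443.
HARDENED_CONFIG = """
acl localhost src 127.0.0.1/32
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
"""

def parse_config(text):
    # Returns ({acl name: (type, values)}, [(action, [terms])]).
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts[:1] == ["acl"]:
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))
    return acls, rules

def matches(acl, req):
    kind, values = acl
    if kind == "port":  # single ports or lo-hi ranges
        return any(int(lo) <= req.port <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    if kind == "src":
        return any(ip_address(req.src) in ip_network(v, strict=False) for v in values)
    if kind == "method":
        return req.method in values
    raise ValueError(f"unsupported acl type {kind}")

def http_access(config, req):
    """Return 'allow' or 'deny' (nothing fired: opposite of the last line's action)."""
    acls, rules = parse_config(config)
    for action, terms in rules:
        if all(matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"
```

With the quoted rules, a CONNECT from the iptables-redirected localhost to any port in 1025-65535 is allowed; the tighter variant denies it unless the destination is 443.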
I'm not that familiar with Squid but from what I could understand, there's nothing here that prevents an ssh tunnel to another host on the outside and accessing the Internet via that. Even if port 22 is blocked, an SSH server anywhere between the following range seems possible:
acl Safe_ports port 1025-65535
Again, I'm not that familiar with squid, but I'd expect the kiddies will figure this out quickly and work around it this way.
Still this is a very nice article and a good read.