On Wednesday 03 January 2007 19:26, Gary Thornock wrote:
> The first thought that came to mind was to use transparent
> proxy-style firewall rules, but then I wondered, given that the
> browser and the proxy would be running on the same machine,
> whether iptables could distinguish between an outbound request
> from the proxy and an outbound request (on the same port) from a
> browser.  I'm fairly sure I could get pf to do it, but I'm less
> familiar with iptables.

iptables can do it by looking at the uid of the process requesting the 
outbound connection.

Another approach which is supported only in recent, non-SMP Linux kernels is 
matching on process command name.  It should be possible with that to 
transparently proxy every connection from FF (and any other specific 
browser), regardless of port.

With a bit of coding, it could also be done very flexibly with userspace 
queuing.  An iptables rule would route everything to a netlink queue, where a 
userspace program could examine it.  If it should be transparently proxied, 
the netlink client would mark it and, finally, another iptables rule would 
implement the transparent proxying of marked packets.

Those are all the ways I can think of.  Does pf have others?

> The other option is to configure the browser such that it always
> uses the proxy and the user can't disable it (probably using a
> lockPref statement in /usr/lib/firefox/firefox.cfg).

I think this is actually better than simply transparently proxying port 80 
anyway, since it prevents the user from using an anonymizing proxy on a 
different port that wouldn't have been transparently proxied.  I found a FF 
extension that makes doing that very easy, specifically to bypass web 
filtering.

        Shawn.
_______________________________________________
Ldsoss mailing list
[email protected]
http://lists.ldsoss.org/mailman/listinfo/ldsoss
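As an added illustration of the two approaches discussed above (the uid-based iptables match and the lockPref lock-down), and not code from either poster, the script below only generates the rules and the Firefox config so it can be inspected before anything is applied. The uid 1000, the user name "proxy", the proxy port 3128 and the resolver address are assumed placeholders; the `owner` match is only valid in the OUTPUT and POSTROUTING chains, which is where locally generated packets are seen.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates, but does not apply
# unless asked, the iptables rules that force one browser uid through a local
# transparent proxy, plus a firefox.cfg that locks the proxy settings.
# Assumed (hypothetical) values:
BROWSER_UID=${BROWSER_UID:-1000}      # uid the browser runs as
PROXY_USER=${PROXY_USER:-proxy}       # user the proxy daemon runs as
PROXY_PORT=${PROXY_PORT:-3128}        # proxy listening on 127.0.0.1
RESOLVER=${RESOLVER:-192.0.2.53}      # DNS server the browser uid may reach

# gen_rules: print the iptables rules (nat/OUTPUT for locally generated packets).
gen_rules() {
    cat <<EOF
# 1. The proxy's own outbound HTTP must not be redirected back to itself.
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $PROXY_USER -j RETURN
# 2. Redirect the browser uid's port-80 traffic to the local proxy.
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $BROWSER_UID -j REDIRECT --to-ports $PROXY_PORT
# 3. Close the gap the thread points out: the browser uid may only reach the
#    loopback proxy (seen post-NAT on lo) and DNS, nothing on any other port.
iptables -A OUTPUT -o lo -p tcp --dport $PROXY_PORT -m owner --uid-owner $BROWSER_UID -j ACCEPT
iptables -A OUTPUT -d $RESOLVER -p udp --dport 53 -m owner --uid-owner $BROWSER_UID -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $BROWSER_UID -j REJECT
EOF
}

# gen_firefox_cfg: print a firefox.cfg whose proxy prefs the user cannot change.
# Firefox ignores the first line of this file, so it must start with a comment.
gen_firefox_cfg() {
    cat <<EOF
// firefox.cfg: locked proxy settings (generated example)
lockPref("network.proxy.type", 1);
lockPref("network.proxy.http", "127.0.0.1");
lockPref("network.proxy.http_port", $PROXY_PORT);
lockPref("network.proxy.ssl", "127.0.0.1");
lockPref("network.proxy.ssl_port", $PROXY_PORT);
lockPref("network.proxy.no_proxies_on", "");
EOF
}

# gen_local_settings: print the defaults/pref file that makes Firefox load
# firefox.cfg; obscure_value 0 means the cfg is stored as plain text.
gen_local_settings() {
    cat <<EOF
pref("general.config.filename", "firefox.cfg");
pref("general.config.obscure_value", 0);
EOF
}

# With --apply, run the iptables rules; otherwise just show everything.
if [ "${1:-}" = "--apply" ]; then
    gen_rules | sh
else
    gen_rules
    echo
    gen_firefox_cfg
    echo
    gen_local_settings
fi
```

Run without arguments to review the output; the generated firefox.cfg goes next to the Firefox binary and the pref file into its defaults/pref directory, as the quoted message's /usr/lib/firefox/firefox.cfg path suggests. The REJECT rule is what stops the browser uid from reaching an anonymizing proxy on a port that was never redirected.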