On Mon, Apr 03, 2006 at 11:11:22AM +0530, Niklaus wrote:
> On 4/2/06, Chris Kuethe <[EMAIL PROTECTED]> wrote:
> > On 4/2/06, Niklaus <[EMAIL PROTECTED]> wrote:
> > > > what problem are you really trying to solve?
> >
> > really, what problem are you trying to solve? the fact that you have
> > untrusted users?
> >
> > > I understand the tunnelling through ssh part.
> > > Can you explain what reverse telnet is. I don't get it.
>
> Users here on my system are running proxy servers like socks proxy and
> downloading stuff which is banned on squid proxy. This is a mail and
> devel server, so all of the users have ssh and gcc accounts. They
> compile the proxies they get on sourceforge and I really can't kill
> all the processes because there are too many users. They are just like
> redirectors. I don't want any user other than root to listen on any
> port.

I'd be inclined to both say 'let them' and 'filtering is best done at
the firewall' (and yes, that's a separate machine).

However, telling pf to block all outgoing traffic is enough.

What you want to do - 'stop listeners', though, would require filtering
the lo0 device as well. That should work, but is likely to be far from
trivial.

And, as Chris pointed out below, filtering for listeners doesn't really
help.

Really, the proper solution is to tell pf to block all outgoing traffic,
then whitelist what you need. This shouldn't be too much - you could
whitelist Squid by user, and the rest is likely to be simple (domain,
possibly ssh, possibly imap(s)/pop(s), smtp if you are feeling lucky).

> > assume have an http proxy listening on 127.0.0.1 on your machine.
> > assume you've disabled port forwarding in sshd_config so i can't
> > tunnel to my proxy.
> > i then change my proxy program to connect back to a listener
> > (netcat?) on my remote machine, at which point i have a tcp connection
> > through which i can forward my http requests to make them look like
> > they're coming from your box.
> >
> > this sort of trick is easy to whack together... probably 10 or 15
> > minutes if you're ripping code straight out of "learning perl" without
> > knowing what you're doing. no doubt there's stuff in ports that can be
> > used too.
> >
> > CK
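The "block all outgoing, then whitelist what you need" approach from the reply above, as an added pf.conf example that is not part of this thread. It assumes the external interface is in the `egress` interface group, that Squid runs as the `_squid` user, and that the allowed services are the ones listed in the reply (DNS, ssh, imap(s)/pop(s), smtp); adjust to your own hosts and ports.

```pf
# Added example pf.conf fragment (not from the thread).
# Assumptions: external NIC is in the "egress" group; Squid runs as "_squid".
ext_if = "egress"
squid_user = "_squid"

# lo0 is not filtered here: local listeners still bind, but nothing they
# relay can leave the box unless a rule below allows it.
set skip on lo0

# Default deny for everything this host originates. Logging the drops is
# how you find out which user-run proxy is trying to talk outside.
block out log on $ext_if all

# Squid's own upstream fetches, matched on the socket owner rather than on
# the port, so a user-compiled proxy talking to port 80 is still blocked.
pass out on $ext_if inet proto tcp from ($ext_if) to any port { 80 443 } \
    user $squid_user keep state

# DNS for everyone (resolver traffic is needed by the whitelisted services).
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port 53 \
    keep state

# Outbound ssh, imap(s)/pop(s) and smtp, as named in the reply. Restrict
# "to any" to your actual mail hosts if you do not want users relaying mail.
pass out on $ext_if inet proto tcp from ($ext_if) to any \
    port { 22 25 110 143 993 995 } keep state
```

Load with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf`; `tcpdump -n -e -ttt -i pflog0` shows the blocked connect-back attempts.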
