On Tue, Jan 31, 2012 at 05:01:49PM -0800, jen montserrat wrote:
> You could run Tinyproxy with Dansguardian and then use the filters in
> Dansguardian to restrict where the XP host can go via the web, if at all?
> Then use IPTABLES to further restrict.
> 
> This is also a configuration from squid to allow windows update that should
> be placed at the top of the acl.
...

This is Excellent Stuff, thanks!  I had not thought of filtering
the windoze box through a proxy, a pretty easy solution, thank you
for pointing it out.  I assume that a proxy can be compatible with
AJAX-style active conversations between servers and browsers.

I will look for more tools in the DansGuardian genre.  DG may be
the best, or there may be other filters that are better suited. 
I will be whitelisting rather than blacklisting, with cooperative
users.  The windoze box and the dedicated Alix firewall are the
only machines on that LAN segment.  That simplifies the task.

The proxy/filter tool should run entirely on the firewall, no
change to the windoze box beyond telling it to use the proxy
(no packets will move otherwise).  It would be nice if the
tool can automagically train, with a training on/off switch. 
During training, it accepts (and logs) every outgoing request.
With training disabled, the tool shouldn't talk to anybody new. 
Perhaps Dansguardian can do that.  This is a medical office,
there will be anatomical words and even "nekkid pichers"
going by, so content-based filtering probably won't work.

After that, my biggest concern is that one of the half dozen
corporate sites this path talks to gets 0wned.  Typically, though,
replication of viral software involves strange connections to
other sites to download more of the exploit, and subsequent
control, which the tool can easily forbid.  The other concern
is DNS poisoning, with (for example) update.microsoft.com 
pointing to a zombied machine in Korea.  I use Google's
8.8.8.8 for name service, and Level 3's deprecated 4.2.2.1
as a backup.  If they both have DNS problems, we're hosed.

I've written a little Perl backend filter for tcpdump. It builds
a list of IP /24s that this LAN has talked to.  When a new one
comes along, perhaps because one of the corporate sites has added
some IP addresses for their servers, I log it but don't create
a path through the firewall for it until I've checked it out.  
A few hours delay for some tasks, perhaps, but the Windoze box
will only be powered and on the net a few hours per week anyway.

BTW, the Windoze box doesn't directly interact with any other 
machines in the office besides the firewall.  The backup drive
and the printer are USB, on a two port USB switch.  I may use
a portion of the backup drive as a mailbox for files.  There
is no way that the Windoze machine, even if 0wned, can get at
the crown jewels on the other LAN, Linux boxes that mostly
talk encrypted to each other.  Me, paranoid?

Thanks again;

Keith

-- 
Keith Lofstrom          [email protected]         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
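The train/enforce allowlist idea from the message above (learn the /24s the LAN talks to, log anything new instead of opening a path for it), as an added example that is not Keith's Perl script and not part of the original post. It assumes tcpdump -n style lines, a LAN of 192.168.1.0/24, constructed sample traffic in documentation address ranges, and a hypothetical iptables policy of one FORWARD rule per learned /24.

```python
import ipaddress
import re

# tcpdump -n style line: "<time> IP <src>.<sport> > <dst>.<dport>: ..." (format assumed)
LINE_RE = re.compile(r"\bIP (\d{1,3}(?:\.\d{1,3}){3})\.\d+ > (\d{1,3}(?:\.\d{1,3}){3})\.\d+:")

# Constructed sample capture: one LAN host talking to a few documentation-range addresses.
SAMPLE = """\
17:03:12.000001 IP 192.168.1.10.49152 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
17:03:12.000002 IP 198.51.100.7.443 > 192.168.1.10.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
17:03:13.000003 IP 192.168.1.10.49153 > 198.51.100.40.443: Flags [S], seq 3, win 64240, length 0
17:03:14.000004 IP 192.168.1.10.49154 > 192.0.2.50.80: Flags [S], seq 4, win 64240, length 0
17:03:15.000005 IP 192.168.1.10.137 > 192.168.1.255.137: UDP, length 50
"""

class PrefixLearner:
    """Remembers the /24s the LAN talks to. With training on, unknown /24s are
    admitted; with it off they are only recorded as pending for manual review."""

    def __init__(self, lan, known=()):
        self.lan = ipaddress.ip_network(lan)
        self.known = {ipaddress.ip_network(p) for p in known}
        self.pending = []          # new /24s seen while training was off
        self.training = False

    def observe(self, line):
        """Return 'known', 'learned', 'new', or None for lines that are not outbound."""
        m = LINE_RE.search(line)
        if not m:
            return None
        src, dst = (ipaddress.ip_address(a) for a in m.groups())
        if src not in self.lan or dst in self.lan:
            return None            # only LAN -> outside traffic is of interest
        prefix = ipaddress.ip_network(f"{dst}/24", strict=False)
        if prefix in self.known:
            return "known"
        if self.training:
            self.known.add(prefix)
            return "learned"
        if prefix not in self.pending:
            self.pending.append(prefix)
        return "new"

    def allow_rules(self):
        """iptables FORWARD rules opening a path to each learned /24 (hypothetical policy)."""
        return [f"iptables -A FORWARD -s {self.lan} -d {p} -j ACCEPT" for p in sorted(self.known)]

if __name__ == "__main__":
    learner = PrefixLearner("192.168.1.0/24")
    learner.training = True
    for line in SAMPLE.splitlines():
        print(learner.observe(line), line[:60])
    learner.training = False   # enforce: new /24s are logged, not admitted
    print(learner.observe("17:04:00.000006 IP 192.168.1.10.49155 > 203.0.113.9.443: Flags [S], seq 5, win 64240, length 0"))
    print("\n".join(learner.allow_rules()))
```

In real use the lines would come from `tcpdump -n -l` on the firewall's LAN interface and `pending` would be what gets reviewed before any rule is added.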
