Re: IPCop for Small-Business Network: Web Proxy Usage

From: Charles Newman (charlesnewman1_at_nospam.comcast.net.do.net.spam.me)
Date: 06/20/05


Date: Sun, 19 Jun 2005 21:01:31 -0700

X-No-Archive: Yes

"Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
news:slrndbc2rj.hur.ibuprofin@compton.phx.az.us...
> In the Usenet newsgroup comp.security.firewalls, in article
> <G-WdnfDdM4jdeinfRVn-jg@comcast.com>, Charles Newman wrote:
>
> > Well, I recommend the T6212 because of the extremely low noise. I use
> >that as the gateway, and when it is the only machine on, you can hardly
> >hear it.
>
> Like most experienced admins, I _DON'T_ recommend such a system, as it's
> a waste of a useful system. Your home firewall only needs a clapped out
> piece of trash that has been thrown away by others because you don't run
> ANY applications on a firewall other than the firewall.
>
> >I have two different programs running HTTP and Socks Servers.
>
> Does Comcast permit that on a residential service?

   For personal use, yes. I have to make sure that my
proxy cannot be accessed from the outside, and
my firewall is configured to make sure that does not
happen. As long as my servers are not accessible
to anyone from the outside, it is OK. You are
allowed to run a home network, and have proxies
to handle the network, as long as you only allow the
machines on your network to be able to access them.
    I am surprised I did not hear from Comcast, however,
when I tried CyBlock. It opened a security hole I did
not know was there, until I looked at the logs. If you
use the CyBlock web filtering program, be sure that
only the machines on your network can access it,
and also only allow CyBlock to go out to ports 80
and 443. Wavecrest needs to fix some serious security
problems with CyBlock. If you use CyBlock as your
filtering program, better have Tiny Personal Firewall
on the same machine as well, to restrict both incoming
and outgoing access.

>
> >I have AllegroSurf, to handle routing, I have Tiny Personal Firewall, to
> >put the machines behind a firewall,
>
> Get a real operating system - both of those are built in to any *nix
>
> >and because I have had problems, in the past, with housekeepers who
> >bring their children in, filtering, which is done by the old
> >freeware version of WebWasher, which also does HTTP filtering.
>
> Sounds like you have substantial security problems you haven't addressed.

    My computer setup is quite secure. Since I replaced
ICS with AllegroSurf, my system is a LOT more
secure.

>
> >As far as controlling where users can go, I am just as secure as any
> >corporate filtering network.
>
> No, but that's because you don't understand how people configure
> firewalls.
>
> >You can call my setup a toy firewall, if you like, but it can stop a lot
> >of things the hardware firewalls cannot.
>
> But you've already shown you don't understand even the fundamental
> concepts of firewalls. How would you know what can or can not be done?
> You have zero experience with one, and don't even understand basic IP
> networking. Should you allow any packets of protocol 17 through your
> firewall? Do you even
> know where to look up the protocol number, much less know what it is, and
> where the protocol number is located in the packet header with respect to
> the destination IP address? What about protocol 6? Is it a good idea to
> block packets with the DNF or ECN bits set? Why?
>

   Tiny Personal Firewall only controls by IP, port
number, and/or program running on the machine.
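As an added illustration of the two conditions the post says to check for (not code from this thread, from Wavecrest, or from any product named here): a small Python audit that reads a proxy access log and flags (1) any client outside the LAN that was able to use the proxy, which is the "security hole" that only shows up in the logs, and (2) any outbound connection the proxy made to a port other than 80 or 443. The LAN range 192.168.1.0/24, the proxy log line format and the sample log lines are constructed assumptions; the external client address uses the 203.0.113.0/24 documentation range.

```python
"""Audit a proxy access log for two exposures: external clients reaching the
proxy (an open proxy) and the proxy connecting out to ports other than 80/443.
Added example code; the LAN range, log format and sample lines are assumed."""
import ipaddress
import re
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed internal network
ALLOWED_DST_PORTS = {80, 443}                  # outbound ports the proxy may use

# Assumed log line shape (constructed for this example):
#   "<client_ip> <client_port> -> <dest_host>:<dest_port> <method> <url>"
LINE_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<sport>\d+)\s+->\s+(?P<dst>[^:\s]+):(?P<dport>\d+)"
    r"\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)

# Constructed sample log: two normal LAN requests, one request from an
# external address (open proxy), and one LAN request the proxy relayed to SMTP.
SAMPLE_LOG = """\
192.168.1.20 51234 -> www.example.com:80 GET http://www.example.com/
192.168.1.21 51240 -> www.example.com:443 CONNECT www.example.com:443
203.0.113.7 40001 -> www.example.com:80 GET http://www.example.com/
192.168.1.20 51250 -> mail.example.net:25 CONNECT mail.example.net:25
"""


@dataclass
class Finding:
    line_no: int
    kind: str      # "external_client", "disallowed_port" or "unparsed"
    detail: str


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None
    return {"src": src, "dst": m["dst"], "dport": int(m["dport"]),
            "method": m["method"], "url": m["url"]}


def audit(lines, lan=LAN, allowed_ports=ALLOWED_DST_PORTS):
    """Flag external clients and disallowed outbound ports; unparsed lines are
    reported too, so a log format change does not silently hide findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings.append(Finding(n, "unparsed", line.strip()))
            continue
        if rec["src"] not in lan:
            findings.append(Finding(n, "external_client",
                                    f"{rec['src']} used the proxy"))
        if rec["dport"] not in allowed_ports:
            findings.append(Finding(n, "disallowed_port",
                                    f"proxy connected to {rec['dst']}:{rec['dport']}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

Run against a real log after adjusting LINE_RE to that log's format; an "external_client" finding means the inbound side of the firewall is not restricting the proxy port to the LAN, and a "disallowed_port" finding means the outbound rule for the proxy process is wider than 80 and 443.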
