Welcome to the Sophos User Bulletin Board.
If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

LinkBack Thread Tools Display Modes
Prev Previous Post   Next Post Next
Junior Member
Join Date: Nov 2009
Posts: 15
#1 (permalink)  
Old 11-01-2009, 06:17 PM
Default Bypass network security packet filters using web proxy

I've noticed that the web proxy can be used to bypass network security packet filters. Consider a gateway with three interfaces, one for the WAN, one for the LAN, and one for GUESTS. If GUESTS are normally not permitted to access web servers on the LAN, but are permitted to access the web proxy (to limit web access), than the GUESTS can make requests through the web proxy to access the LAN.

As a simple measure to prevent this, I've tried using URL Filtering to block hosts on the LAN by URL. But this won't cut it as anyone can register a domain name that does not match my URL filters and resolves to a host on my LAN. I've also tried to add network security packet filter rules that block the Astaro LAN IP from accessing any hosts on the LAN - but it seems that the web proxy is exempt from these rules.

What I'd really like is a way to limit the web proxy by destination IP address or IP range. I know how to do this with Squid (acl to_localnet dst <ip range>; http_access deny to_localnet), but is there a way to do this with Astaro?
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

All times are GMT. The time now is 07:21 PM.

Powered by vBulletin® Version 3.8.6
Copyright ©2000 - 2015, Jelsoft Enterprises Ltd.

These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases.