dansguardian · A public mailing list to discuss all aspects of DansGuardian

Group Information

  • Members: 3726
  • Category: Networking
  • Founded: Jan 14, 2001
  • Language: English
#21512 From: "Ashwin Basagouda Patil" <ashwin.patil@...>
Date: Mon Sep 1, 2008 10:01 am
Subject: Re: Res: Res: Res: Bypass authentication.
 
Hi,

Please note I have added the below lines in my squid.conf file, and
Squid is bypassing the authentication but DG is not.

My squid is running on the port 3128 and DG is running on port 80.

If I browse with the port 80, it will ask for authentication, but if I use
the port 3128 it bypasses the authentication.

Squid Configuration.

squid.conf file :


#---------------------- Robosoft Configuration ------------------------------
# --------------------- Needed to bypass the proxy authentication -----------

acl bypassproxyauthsites dstdomain .hp.com
http_access allow bypassproxyauthsites

# ----------------------------------------------------------------------------

acl bypassproxyauthclient src 10.10.1.42/255.255.255.255
http_access allow bypassproxyauthclient

# ---------------------- Needed for proxy authentication ----------------------
auth_param basic program /usr/local/squid/libexec/pam_auth
auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
auth_param basic realm "Robosoft Technologies Pvt. Ltd."
auth_param basic credentialsttl 2 hour
acl password proxy_auth REQUIRED
http_access allow password


-----------------------------------------------------------------------------



-----Original Message-----
From: "evaristoquintao" <evaristoquintao@...>
To: dansguardian@yahoogroups.com
Date: Sat, 30 Aug 2008 05:21:06 -0000
Subject: Re: Res: Res: Res: [dansguardian] Bypass authentication.

> The way to do the acl:
>
> Acl Type:   src
>
> Description
> This will look at the client IP address.
> Usage  acl aclname src ip-address/netmask.
>
> Example
> 1. This refers to the whole network with address 172.16.1.0 -
>    acl aclname src 172.16.1.0/24
> 2. This refers to a specific single IP address -
>    acl aclname src 172.16.1.25/32
> 3. This refers to a range of IP addresses from 172.16.1.25-172.16.1.35 -
>    acl aclname src 172.16.1.25-172.16.1.35/32
>
>
> --- In dansguardian@yahoogroups.com, Evaristo Oliveira Quintão
> <evaristoquintao@...> wrote:
> >
> > The option to get original ip request. I think.
> >
> >
> >
> > Tag Name forwarded_for
> > Usage forwarded_for on|off
> > Description
> > Current HTTP/1.1 does not provide any standard way of indicating the
> > client address in the request. Since a number of people missed having
> > the originating client address in the request, Squid now adds its own
> > request header called "X-Forwarded-For" which looks like this:
> > X-Forwarded-For: 192.1.2.3|unknown
> > If set, Squid will include your
> > system's IP address or name in the HTTP requests it forwards. By
> > default it looks like this:
> > X-Forwarded-For: 192.1.2.3
> > If you disable this, it will appear as X-Forwarded-For: unknown
> > Default forwarded_for on
> >
> >
> > ----- Original message ----
> > From: Evaristo Oliveira Quintão <evaristoquintao@...>
> > To: dansguardian@yahoogroups.com
> > Sent: Saturday, August 30, 2008 2:00:27
> > Subject: Res: Res: [dansguardian] Bypass authentication.
> >
> >
> > This is more complicated,
> >
> > First you need to make DG pass the original IP to Squid (it was
> > discussed a lot of times on the group, I don't remember exactly the option
> > on DG or Squid that does this, forward or anything like this, please
> > guys help here!).
> >
> > Second: I think that another ACL, now based on source IP, can do
> > this. But I never made it, and I'm not sure if this works. But I will
> > in this way.
> >
> > ----- Original message ----
> > From: Ashwin Basagouda Patil <ashwin.patil@robosoftin.com>
> > To: dansguardian@yahoogroups.com; Evaristo Oliveira
> > Quintão <evaristoquintao@yahoo.com.br>
> > Sent: Saturday, August 30, 2008 0:43:31
> > Subject: Re: Res: [dansguardian] Bypass authentication.
> >
> > Hi. Good morning.
> >
> > Thanks, it works for me for particular sites or domains. My other
> > requirement is to bypass the client IP from authenticating to the proxy.
> >
> > There are some applications on which our developers are working; these
> > applications internally connect to the internet [all the sites] and give
> > the results to them. When this is the case the application has to
> > authenticate to squid/proxy to connect to the internet. But these
> > applications don't know how to ask for a username and password [no option],
> > hence the applications are not working after we implemented this
> > authentication.
> >
> > Hence is it possible to just bypass such systems' IPs for the squid/proxy
> > authentication...? [Only authentication bypass]
> >
> > If it works then I am regretful to you.
> >
> > Thanks
> > Ashwin Patil
> >
> > -----Original Message-----
> > From: Evaristo Oliveira Quintão <evaristoquintao@yahoo.com.br>
> > To: dansguardian@yahoogroups.com
> > Date: Thu, 28 Aug 2008 21:15:46 -0700 (PDT)
> > Subject: Res: [dansguardian] Bypass authentication.
> >
> > > First, sorry for my English. I'm Brazilian.
> > >
> > > I asked the same question some weeks ago. I use NTLM auth to
> > > authenticate on Microsoft AD.
> > > And Windows Update doesn't work with auth on port 80.
> > > In squid.conf, create an acl with all sites you need to turn off the
> > > authentication for (in my case only Windows Update sites), allow this acl
> > > from all (or another acl of IPs). This must be placed before the
> > > "auth_required" acl.
> > >
> > > Now, these sites don't need auth to run, everyone (including other
> > > programs that are not browsers and use port 80, like the Windows Update
> > > client, and don't know what authentication is)
> > >
> > > Best regards.
> > > Evaristo Quintão
> > >
> > > ### Needed for Windows Update to work ###
> > > acl windowsupdate dstdomain .windowsupdate.microsoft.com
> > > acl windowsupdate dstdomain .update.microsoft.com
> > > acl windowsupdate dstdomain .download.windowsupdate.com
> > > acl windowsupdate dstdomain .c.microsoft.com
> > > acl windowsupdate dstdomain .download.microsoft.com
> > > acl windowsupdate dstdomain .windowsmedia.com
> > > http_access allow windowsupdate all
> > > #########################################
> > >
> > >
> > >
> > >
> > > ----- Original message ----
> > > From: Ashwin Basagouda Patil <ashwin.patil@robosoftin.com>
> > > To: dansguardian@yahoogroups.com
> > > Sent: Thursday, August 28, 2008 8:33:58
> > > Subject: [dansguardian] Bypass authentication.
> > >
> > >
> > > How to bypass the squid authentication for some sites or
> > > IP...? I am using the basic auth to
> > > authenticate from LDAP.
> > >
> > > ------------ --------- --------- --------- --------
> > > Robosoft Technologies - Come home to Technology
> > >
> > > Disclaimer: This email may contain confidential material. If you
> were not
> > > an intended recipient, please notify the sender and delete all
> copies.
> > > Emails to and from our network may be logged and monitored. This
> email
> > > and its attachments are scanned for virus by our scanners and are
> > > believed to be safe. However, no warranty is given that this email is
> > > free of malicious content or virus.
> > >


-----------------------------------------------
Robosoft Technologies - Come home to Technology

Disclaimer: This email may contain confidential material. If you were not an
intended recipient, please notify the sender and delete all copies. Emails to
and from our network may be logged and monitored. This email and its attachments
are scanned for virus by our scanners and are believed to be safe. However, no
warranty is given that this email is free of malicious content or virus.
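
Added example (not part of the original message, and not Squid's own code): a simplified Python model of first-match http_access evaluation using the ACLs from the squid.conf above. It assumes DansGuardian connects to Squid from 127.0.0.1, and shows why the src ACL matches on port 3128 but not through DG unless the forwarded client address is accepted from DG only.

```python
import ipaddress

# ACLs taken from the squid.conf in this message, in file order.
BYPASS_DOMAINS = (".hp.com",)                               # bypassproxyauthsites
BYPASS_CLIENTS = (ipaddress.ip_network("10.10.1.42/32"),)   # bypassproxyauthclient
DG_HOST = "127.0.0.1"  # assumption: DansGuardian runs on the Squid host


def dstdomain_match(host, patterns):
    """dstdomain semantics: '.hp.com' matches hp.com and every subdomain."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        bare = pattern.lstrip(".")
        if host == bare or host.endswith("." + bare):
            return True
    return False


def effective_client(peer_ip, xff, trusted_forwarders):
    """Address the src ACL is tested against (simplified model).

    X-Forwarded-For is believed only when the TCP peer is a trusted
    forwarder; from any other peer the header is ignored, because a
    client can put whatever it likes in it.
    """
    if xff and peer_ip in trusted_forwarders:
        candidate = xff.split(",")[-1].strip()   # entry added by the last hop
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            return peer_ip                       # "unknown" or garbage
    return peer_ip


def http_access(peer_ip, host, xff=None, authenticated=False,
                trusted_forwarders=()):
    """Return (verdict, rule name); the first matching rule wins."""
    client = ipaddress.ip_address(
        effective_client(peer_ip, xff, trusted_forwarders))
    if dstdomain_match(host, BYPASS_DOMAINS):
        return ("ALLOW", "bypassproxyauthsites")
    if any(client in net for net in BYPASS_CLIENTS):
        return ("ALLOW", "bypassproxyauthclient")
    if authenticated:
        return ("ALLOW", "password")
    return ("AUTH_REQUIRED", "password")         # proxy answers 407


if __name__ == "__main__":
    # Constructed requests for illustration.
    cases = [
        ("direct to 3128", "10.10.1.42", None, ()),
        ("via DG, header not trusted", DG_HOST, "10.10.1.42", ()),
        ("via DG, header trusted from DG", DG_HOST, "10.10.1.42", (DG_HOST,)),
        ("forged header, direct peer", "10.10.1.99", "10.10.1.42", (DG_HOST,)),
    ]
    for label, peer, xff, trusted in cases:
        verdict = http_access(peer, "example.org", xff=xff,
                              trusted_forwarders=trusted)
        print("%-32s %s" % (label, verdict))
```
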

#21513 From: "Allan Cassaro" <allan.cassaro@...>
Date: Mon Sep 1, 2008 1:24 pm
Subject: Re: Re: Dansguardian and ntlm group
 
On Fri, Aug 29, 2008 at 7:49 PM, Chuck Kollars <ckollars9@...> wrote:
> This is my understanding of this situation (I haven't actually done
> this myself and hope someone wiser jumps in if I'm incorrect:-). [Note
> the easily overlooked difference between USERname and GROUPname may
> explain some apparent differences.]
>
> Configurations using the AD (or Samba knockoff) _user_name to place
> different users in different filter groups are possible. Squid obtains
> the information and includes it in an NTLM structure that's in the
> HTTP Authorization: header (along with the tag 'NTLM'). DansGuardian
> then "sniffs" this information to get its own copy, which it uses to
> assign different connections to different filter groups.
>
> However configurations using an AD _group_name are not straightforward
> because the information never gets to DansGuardian at all. Although
> _group_name is available from AD, there's no place in the NTLM
> structure for Squid to put it, so it never gets into the HTTP
> response. And since it's not there, DansGuardian can't "sniff" it out.
> (Perhaps there's no place for it in the NTLM structure because in AD
> any one user can be a member of an unspecified number of groups, so it
> isn't clear what's meant by "THE group" of the user.)
>
> So one must "duplicate" the AD group membership information in
> DansGuardian. This can (and probably should to eliminate transcription
> errors:-) be automated by having `cron` regularly run a script that
> pulls the information from AD, writes a fresh copy of the DansGuardian
> "filtergroupslist" file, and restarts DansGuardian. Such a script
> could be run every night (or more often in some environments).
>
> thanks! -Chuck Kollars
>
> --- In dansguardian@yahoogroups.com, "Marcos Dutra" <macdutra@...> wrote:
>>
>> Sorry Allan,
>>
>> I've search in newsgroup about dansguardian and ntlm and I don't have
>> any example to do it. In newsgroup has many comments of this, but how
>> do it no. The only thing I know to do is put a group of ad in
>> dansguardian's config, but now how it know user is a member of group I
>> don't know and is not have any document.
>> Sorry but configuration of dansguardian is less obscure for me using
>> ntlm, without ntlm is perfect documentation is ok.
>>
>> Marcos
>>
>> 2008/8/29 Allan Cassaro <allan.cassaro@...>:
>> > On Fri, Aug 29, 2008 at 9:50 AM, Marcos Dutra <macdutra@...> wrote:
>> >> Hi Evaristo,
>> >>
>> >> I don't understand how I do it, I've search in google but
>> >> dansguardian's documentation for to do this is absolutely zero. I
>> >> understand how I put the groups on the filter but how dansguardian
>> >> know that user is in the group gpo.video for example? I need use any
>> >> filter to know this or I use wbinfo in squid? I'm confused.
>> >> I would like talk with you in PVT is possible?
>> >>
>> >> Thanks for help.
>> >> Marcos
>> >>
>> >> 2008/8/29 Evaristo Oliveira Quintão <evaristoquintao@...>:
>> >>
>> >>> Configure the dansguardianconf1.conf to block all requests (I think to
>> >>> change to 0 or 1 on filter type or anything like this on
>> >>> dansguardianconf1.conf).
>> >>> Configure another group (2) to surf.
>> >>> In filtergroupslist, insert gpo.video=filter2.
>> >>>
>> >>> You need some extra lines in squid.conf to make squid work with groups,
>> >>> but there are a lot of examples on the net. I think that is not your
>> >>> problem, only how to do the config in DG.
>> >>>
>> >>> []s.
>> >>> Evaristo Quintão.
>> >>>
>> >>> ----- Original message ----
>> >>> From: Marcos Dutra <macdutra@...>
>> >>> To: dansguardian@yahoogroups.com
>> >>> Sent: Monday, August 25, 2008 14:26:05
>> >>> Subject: [dansguardian] Dansguardian and ntlm group
>> >>>
>> >>> Hi,
>> >>>
>> >>> I would like put my AD groups in dansguardian without create any
>> >>> filter by usersfile, can I?
>> >>> Ex. I have in my AD one group called gpo.video
>> >>> I would like block the users not joined in this group, how I do it?
>> >>> Has any script to do this?
>> >>>
>> >>> If anybody have any example to do this, is helpful for me
>> >>>
>> >>> Thanks
>> >>> Marcos
>> >
>> > Wow!!! I'm sorry, but: "dansguardian's documentation for to do this is
>> > absolutely zero" this is not true. This is a very, very (very, very,
>> > very...) discussed question...
>> >
>> > Look at:
>> >

Ok.. Well first my point of view:
Things well discussed here (and documented):
  - DG doesn't do the authentication, never (but ident). Only "sniffs"
the auth header from Squid.
  - Squid doesn't use the group info and, more important, doesn't put any
information about groups in the header, so DG can't get any information
from any auth mechanism.

But... DG can work with groups (this is the source of confusion,
right?), but this association is internal. DG looks into one file
(filtergrouplist) to "put a user into a group". But, again, this is
an "internal" group, not gotten from any authentication mechanism (DG,
LDAP, PAM, etc).

So, if you need to associate the username with a group you must write
some type of script to get this information (from AD, LDAP or other)
and write it into the filtergroup file.

Regards.
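
Added example (not from the thread, and not DansGuardian's own code): one way to write the script described above, which rebuilds the filtergroupslist file from directory group membership. It assumes AD groups are visible through `getent group` (for instance via winbind); the group names, filter numbers and sample members are constructed.

```python
import os
import re
import tempfile

# Constructed sample in `getent group` format: name:passwd:gid:member,member
SAMPLE_GETENT = """\
gpo.video:x:10001:alice,bob
gpo.staff:x:10002:bob,carol,EXAMPLE\\dave
gpo.empty:x:10003:
"""

# Hypothetical mapping of directory group to DansGuardian filter group.
# Order matters: a user in several groups gets the first match, which
# settles the "which group is THE group" question raised in the thread.
GROUP_TO_FILTER = [("gpo.video", 2), ("gpo.staff", 3)]

# Reject anything that could corrupt a "user=filterN" line.
SAFE_USER = re.compile(r"[A-Za-z0-9._$-]+")


def parse_getent(text):
    """Return {group name: [members]} from getent-style lines."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4:
            continue                      # blank or malformed line
        name, _passwd, _gid, members = parts
        groups[name] = [m.strip() for m in members.split(",") if m.strip()]
    return groups


def normalise(member):
    """Strip a DOMAIN\\ prefix (assumption: DG sees the bare user name)."""
    user = member.rsplit("\\", 1)[-1]
    return user if SAFE_USER.fullmatch(user) else None


def build_lines(groups, group_to_filter):
    """Return sorted 'user=filterN' lines; unlisted users stay in filter1."""
    assigned = {}
    for group, filter_no in group_to_filter:
        for member in groups.get(group, []):
            user = normalise(member)
            if user is not None and user not in assigned:
                assigned[user] = filter_no
    return ["%s=filter%d" % item for item in sorted(assigned.items())]


def write_atomic(path, lines):
    """Write next to the target, then rename, so DG never reads half a file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".filtergroupslist.")
    with os.fdopen(fd, "w") as handle:
        handle.write("# generated from directory groups, do not edit\n")
        handle.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o644)                  # mkstemp creates the file 0600
    os.replace(tmp, path)


if __name__ == "__main__":
    # In a cron job the text would come from `getent group`; here the
    # constructed sample is used and the result is only printed.
    for line in build_lines(parse_getent(SAMPLE_GETENT), GROUP_TO_FILTER):
        print(line)
```

After the file is replaced, DansGuardian has to be restarted or reloaded for the new assignments to take effect, as the thread notes.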

#21514 From: "jaredw_1986" <jaredwiltshire@...>
Date: Tue Sep 2, 2008 2:50 am
Subject: Number of processes
 
I just realised that my main dansguardian process has spawned 40 child
dansguardian processes. Is this normal?

#21515 From: "jaredw_1986" <jaredwiltshire@...>
Date: Tue Sep 2, 2008 3:22 am
Subject: Re: Iptables -- Help with transparent proxy rules?
 
That guide assumes the users are all using the linux box, not that the
linux box is acting as a router.

This is how I have mine set up, where 192.168.1.254 is your server's IP.

nat section:
-A PREROUTING -d ! 192.168.1.254 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -d ! 127.0.0.1 -p tcp -m tcp --dport 80 -m owner ! --uid-owner proxy -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth1 -j MASQUERADE

--- In dansguardian@yahoogroups.com, "steve_2000_xr650l"
<steve.wilson@...> wrote:
>
> Hello,
> I hope someone here can help me.  I've been working on this for weeks
> but can't figure out iptables.  I have a linux PC (Fedora) that is
> currently serving as my home network gateway to the internet.
> It is forwarding internet traffic, but is not redirecting the web
> traffic through squid or dansguardian.
>
> I tried to follow this guide, but failed:
> http://www.linux.com/articles/113733
>
> I know that Squid and Dansguardian are working correctly, because a
> local browser on the linux gateway IS being filtered.  Pass-through
> traffic IS NOT.
> I cannot figure out what's wrong with my iptables rules.  My
> configuration is below.
> (eth0 = internal interface)
> (eth1 = public interface)
>
> [root@server]# cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.4.1.1 on Tue Aug 19 20:17:55 2008
> *filter
> :INPUT ACCEPT [0:0]
> #:OUTPUT ACCEPT [83:11308]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 8887:8889 -j ACCEPT
> -A INPUT -i eth1 -m state --state INVALID,NEW -j DROP
> -A INPUT -j LOG
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Tue Aug 19 20:17:55 2008
> # Generated by iptables-save v1.4.1.1 on Tue Aug 19 20:17:55 2008
> *nat
> :PREROUTING ACCEPT [5:1942]
> :OUTPUT ACCEPT [83:11308]
> :POSTROUTING ACCEPT [1:172]
> -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
> -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
> -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
> -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
> -A OUTPUT -p tcp -m owner ! --uid-owner squid --dport 80 -j REDIRECT
> --to-ports 8080
> -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
> -A POSTROUTING -o eth1 -j MASQUERADE
> COMMIT
> # Completed on Tue Aug 19 20:17:55 2008
>
> I know, it's messed up.  It would be easier to start over with a clean
> slate.
> Help?
> -Steve in Phx.
>

#21516 From: "Allan Cassaro" <allan.cassaro@...>
Date: Tue Sep 2, 2008 11:54 am
Subject: Re: Number of processes
 
On Mon, Sep 1, 2008 at 11:50 PM, jaredw_1986 <jaredwiltshire@...> wrote:
> I just realised that my main dansguardian process has spawned 40 child
> dansguardian processes. Is this normal?
>

Yes, and it is configurable. Look inside dansguardian.conf.

Regards.

#21517 From: taniza silva sandim <taniza_sandim@...>
Date: Tue Sep 2, 2008 5:31 pm
Subject: Re: Number of processes
 
Stop sending me these kinds of messages, you pests.

--- On Tue, Sep 2, 2008, Allan Cassaro <allan.cassaro@...> wrote:

From: Allan Cassaro <allan.cassaro@...>
Subject: Re: [dansguardian] Number of processes
To: dansguardian@yahoogroups.com
Date: Tuesday, September 2, 2008, 8:54

On Mon, Sep 1, 2008 at 11:50 PM, jaredw_1986 <jaredwiltshire@gmail.com> wrote:
> I just realised that my main dansguardian process has spawned 40 child
> dansguardian processes. Is this normal?
>

Yes, and it is configurable. Look inside dansguardian.conf.

Regards.

#21518 From: "Marc" <mrabbath@...>
Date: Wed Sep 3, 2008 9:52 am
Subject: What is the best way to upgrade from an older version ??
 
Hi,
I see that every now and then, there is this new release of
dansguardian which fixes some old bugs and we are obliged to stay on
some older versions to avoid downtime on live servers if we need to
upgrade.
I was wondering what is the best way to upgrade from an older version
of dansguardian ( let's say 2.9.9.3 ) to the latest version release (
in this case 2.9.9.7 ) on a live environment.

Is it possible to do it with minimal impact or zero downtime without
going through the process of doing the configuration again for the
different conf file ?

Thanks.
Marc

#21519 From: "markworsnop" <MWorsnop@...>
Date: Wed Sep 3, 2008 3:35 pm
Subject: Bypass Squid and DG using outside web proxy?
 
I am new to DG and Squid, please forgive the dumb questions. One of my
kids has found out that he cant enter the name of an external web
proxy and then from there get to all the places I didnt want him to go.

If I knew the name of all of these I guess I could block them, but I
dont have a clue where to start.

Any ideas?

#21520 From: "Thomas Sewell" <sharper@...>
Date: Wed Sep 3, 2008 3:45 pm
Subject: RE: Bypass Squid and DG using outside web proxy?
 
You need a blacklist that includes proxy servers. The blacklist the
dansguardian website recommends includes lists of web proxies.

Thomas

-----Original Message-----
From: dansguardian@yahoogroups.com [mailto:dansguardian@yahoogroups.com] On
Behalf Of markworsnop
Sent: Wednesday, September 03, 2008 9:35 AM
To: dansguardian@yahoogroups.com
Subject: [dansguardian] Bypass Squid and DG using outside web proxy?


I am new to DG and Squid, please forgive the dumb questions. One of my
kids has found out that he cant enter the name of an external web
proxy and then from there get to all the places I didnt want him to go.

If I knew the name of all of these I guess I could block them, but I
dont have a clue where to start.

Any ideas?

#21521 From: "Chuck Kollars" <ckollars9@...>
Date: Wed Sep 3, 2008 4:52 pm
Subject: Re: Bypass Squid and DG using outside web proxy?
 
> I am new to DG and Squid, please forgive the dumb questions.
> One of my kids has found out that he cant enter the name of an
> external web proxy and then from there get to all the places
> I didnt want him to go.
>
> If I knew the name of all of these I guess I could block them,
> but I dont have a clue where to start.

One of the big advantages of a "content filter" like DansGuardian is
whatever you've configured as "bad stuff" is blocked no matter how
somebody gets there. Say for example you've enabled blocking of the
'gambling' category and the goal is a page with the phrases "video
poker", "virtual casino", and "card room" all over it.

If your user tries to browse directly to that page, DansGuardian will
block it. And if your user tries to browse indirectly to that page
through an external proxy, DansGuardian will block it just the same.
Undesirable content is blocked no matter how users get there. This is
one of the ways a "content filter" really shines.

Of course external proxies are such a huge problem that using more
than one method in parallel to discourage them is an excellent idea.
Enable/include the "proxies" category in 'weightedphraselist'. And by
all means get a good blacklist subscription too. (Blacklists are not
small; any good one lists at least 1,000,000 sites in various
categories! Of course many categories should _not_ be blocked in most
cases. Just focusing on external proxy sites, there are well over
10,000; trying to find and block each one individually yourself would
be hopeless [that kind of drudge work is what computers are for:-].)

(Some kinds of proxies are harder to block than others, and not all
kinds can be blocked effectively by DansGuardian in all environments.
But let's pick off the low-hanging fruit first before worrying too
much about special cases. In the meantime, please tell us do you have
a "transparent-intercepting" or an "explicit-proxy" configuration? If
that's gobbledygook to you, just look at one of your browsers and tell
us whether or not there are proxy [not the same as external proxies
despite being the same word:-] settings in the browser. Also please
tell us is this [as it sounds like] a home system, and how old are
your kids? If it turns out after fixing the basic stuff that some
special handling is still necessary, it should be handled off-list to
avoid educating the eavesdroppers.)

DansGuardian is rather configuration-heavy; its default action when
installed but not yet configured is to block virtually nothing. Your
installation instructions should have mentioned this and pointed out
the need for separately obtaining blacklists; if not, you're pretty
much unprotected until you attend to the DansGuardian configuration.
Are you reasonably comfortable with directly editing text files under
Linux, or do you need a GUI to manage DansGuardian?

thanks! -Chuck Kollars

#21522 From: Kelly Clark <signbird2@...>
Date: Thu Sep 4, 2008 7:04 pm
Subject: Re: Bypass Squid and DG using outside web proxy?
 
One measure I use: I forward the common proxy ports to dansguardian anyway.
The users will research the proxies on other computers and come back
with IP addresses and ports.
I watch the logs, and when I see a new port get used, I add that to my
pf.conf file.
I use PF on this particular box, it could be any other firewall application.


Thomas Sewell wrote:
>
> You need a blacklist that includes proxy servers. The blacklist the
> dansguardian website recommends includes lists of web proxies.
>
> Thomas

#21523 From: "Dave Burkholder" <dave@...>
Date: Thu Sep 4, 2008 8:10 pm
Subject: RE: Bypass Squid and DG using outside web proxy?
 
Do you have a list of ports that you've seen in use as proxies that you'd be
willing to share?



Thanks,



Dave



From: dansguardian@yahoogroups.com [mailto:dansguardian@yahoogroups.com] On
Behalf Of Kelly Clark
Sent: Thursday, September 04, 2008 3:04 PM
To: dansguardian@yahoogroups.com
Subject: Re: [dansguardian] Bypass Squid and DG using outside web proxy?



One measure I use: I forward the common proxy ports to dansguardian anyway.
The users will research the proxies on other computers and come back
with IP addresses and ports.
I watch the logs, and when I see a new port get used, I add that to my
pf.conf file.
I use PF on this particular box, it could be any other firewall application.


#21524 From: Kelly Clark <signbird2@...>
Date: Thu Sep 4, 2008 10:13 pm
Subject: Re: Bypass Squid and DG using outside web proxy?
 
Dave,
I'm sorry I do not have a list anymore. I  hammered the problem like this:
444
any ports from 1024:1862
and
any ports from 6588:65000
  I have not been watching that server anymore, I am off the staff there.
Dave Burkholder wrote:
>
> Do you have a list of ports that you've seen in use as proxies that
> you'd be
> willing to share?
>
> Thanks,
>
> Dave

#21525 From: Steve Wilson <steve.wilson@...>
Date: Fri Sep 5, 2008 5:12 am
Subject: Re: Bypass Squid and DG using outside web proxy?
steve_2000_x...
 
What a great idea!  How did you forward the ports?  Did you use iptables
rules?  If so, can you share that syntax?
-Steve in Phx.

Kelly Clark wrote:
>
> One measure I use: I forward the common proxy ports to dansguardian
> anyway.
> The users will research the proxies on other computers and come back
> with IP addresses and ports.
> I watch the logs, and when I see a new port get used, I add that to my
> pf.conf file.
> I use PF on this particular box, it could be any other firewall
> application.
>
> Thomas Sewell wrote:
> >
> > You need a blacklist that includes proxy servers. The blacklist the
> > dansguardian website recommends includes lists of web proxies.
> >
> > Thomas
> >
> > -----Original Message-----
> > From: dansguardian@yahoogroups.com
> > [mailto:dansguardian@yahoogroups.com] On
> > Behalf Of markworsnop
> > Sent: Wednesday, September 03, 2008 9:35 AM
> > To: dansguardian@yahoogroups.com
> > Subject: [dansguardian] Bypass Squid and DG using outside web proxy?
> >
> > I am new to DG and Squid, please forgive the dumb questions. One of my
> > kids has found out that he cant enter the name of an external web
> > proxy and then from there get to all the places I didnt want him to go.
> >
> > If I knew the name of all of these I guess I could block them, but I
> > dont have a clue where to start.
> >
> > Any ideas?

#21526 From: "enisb" <enis@...>
Date: Fri Sep 5, 2008 6:17 am
Subject: slow connection with some pages which uses javascript
enisb
 
Hi all,

I use squid with ntlm auth against active directory + dansguardian and
it works very well except when I enter some bank web sites which use
javascript. For instance, when I enter www.akbank.com with my bank
account, there is no problem. But when I log in to www.garanti.com.tr,
while I am doing some bank operations, the connection gets too slow and
sometimes I get "page can not be displayed" messages. But when I bypass
dansguardian and use squid directly, the connection is so good. What can be
the problem? Do you have any suggestions regarding this problem?

#21527 From: "markworsnop" <MWorsnop@...>
Date: Fri Sep 5, 2008 4:03 pm
Subject: removed EXE from the list but still blocked
markworsnop
 
I found the EXE in the bannedextensionlist and commented it out with a #.
I stopped DG and then restarted it but the blocked EXE message still
comes up.  I also checked the blocked MIME list and do not see
anything in there that would block the EXE.

I then removed everything from the bannedmime and the bannedextension
so those files are now empty.

restarted DG again and still no luck.

I noticed that microsoft.com has an exception URL so I tried that too
by downloading a file from microsoft, still no go.

I also did a find to see if there was another directory that had the
config files, but there is not.

I am running 2.9.9.7

Ideas?

#21528 From: Kelly Clark <signbird2@...>
Date: Fri Sep 5, 2008 4:31 pm
Subject: Re: Bypass Squid and DG using outside web proxy?
signbird2
 
No, I use PF on this box. You'll have to convert to iptables syntax.
Example of a port range using PF:
rdr on $int_if inet proto tcp from any to any port 6588:65000 -> 127.0.0.1 port 8080

The tricky part is keeping things like windows update and other
protocols going, since many things will not pass through squid unharmed.
It has been trial and error.

Steve Wilson wrote:
>
> What a great idea! How did you forward the ports? Did you use iptables
> rules? If so, can you share that syntax?
> -Steve in Phx.
>
> Kelly Clark wrote:
> >
> > One measure I use: I forward the common proxy ports to dansguardian
> > anyway.
> > The users will research the proxies on other computers and come back
> > with IP addresses and ports.
> > I watch the logs, and when I see a new port get used, I add that to my
> > pf.conf file.
> > I use PF on this particular box, it could be any other firewall
> > application.
> >
> > Thomas Sewell wrote:
> > >
> > > You need a blacklist that includes proxy servers. The blacklist the
> > > dansguardian website recommends includes lists of web proxies.
> > >
> > > Thomas
> > >
> > > -----Original Message-----
> > > From: dansguardian@yahoogroups.com
> > > [mailto:dansguardian@yahoogroups.com] On
> > > Behalf Of markworsnop
> > > Sent: Wednesday, September 03, 2008 9:35 AM
> > > To: dansguardian@yahoogroups.com
> > > Subject: [dansguardian] Bypass Squid and DG using outside web proxy?
> > >
> > > I am new to DG and Squid, please forgive the dumb questions. One of my
> > > kids has found out that he cant enter the name of an external web
> > > proxy and then from there get to all the places I didnt want him
> > > to go.
> > >
> > > If I knew the name of all of these I guess I could block them, but I
> > > dont have a clue where to start.
> > >
> > > Any ideas?

[Non-text portions of this message have been removed]
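
Added example, not part of Kelly Clark's message: an iptables rendering of the PF rule above, answering the syntax question raised in the thread. The interface name `eth1` (standing in for `$int_if`), the function names and the extra port 3128 are assumptions; the script only prints the rules so they can be reviewed before being loaded.

```shell
#!/bin/sh
# Added example: print iptables NAT rules that send chosen TCP ports to the
# local filter, mirroring "rdr ... port 6588:65000 -> 127.0.0.1 port 8080".

# valid_port N: succeeds only for a decimal port number in 1..65535.
valid_port() {
    case $1 in
        ''|0*|*[!0-9]*|??????*) return 1 ;;   # empty, leading 0, non-digit, too long
    esac
    [ "$1" -le 65535 ]
}

# gen_redirect_rules IFACE PROXY_PORT SPEC...
# SPEC is a single port ("3128") or an inclusive range ("6588:65000").
# Nothing is printed unless every argument is valid.
gen_redirect_rules() {
    [ "$#" -ge 3 ] || { echo "usage: gen_redirect_rules IFACE PORT SPEC..." >&2; return 1; }
    iface=$1 proxy_port=$2
    shift 2
    case $iface in
        ''|*[!A-Za-z0-9._-]*) echo "invalid interface: $iface" >&2; return 1 ;;
    esac
    valid_port "$proxy_port" || { echo "invalid proxy port: $proxy_port" >&2; return 1; }

    # Pass 1: validate every port spec before emitting anything.
    for spec in "$@"; do
        case $spec in
            *:*) lo=${spec%%:*} hi=${spec#*:} ;;
            *)   lo=$spec hi=$spec ;;
        esac
        if ! valid_port "$lo" || ! valid_port "$hi" || [ "$lo" -gt "$hi" ]; then
            echo "invalid port spec: $spec" >&2
            return 1
        fi
    done

    # Pass 2: one PREROUTING rule per spec. Only traffic arriving on the
    # internal interface is matched, so the proxy's own outbound requests
    # (locally generated, never seen by PREROUTING) are not looped back.
    for spec in "$@"; do
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
            "$iface" "$spec" "$proxy_port"
    done
}

# Demo with the range from the message (eth1 is an assumed interface name).
gen_redirect_rules eth1 8080 6588:65000
```

REDIRECT rewrites the destination to the primary address of the incoming interface rather than to 127.0.0.1, so the filter has to listen on that address (or on all addresses) for the redirected connections to reach it.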

#21529 From: Fernand Jonker <fernandlist@...>
Date: Fri Sep 5, 2008 5:25 pm
Subject: Auth Plugin Error
fernandlist@...
 
Hello all,

I've run into a problem on a box where I'm getting the following error:

Auth plugin returned error code: -3

This is on DansGuardian 2.9.9.5
Built with:  '--prefix=/usr' '--sysconfdir=/etc' '--datarootdir=/etc'
'--docdir=/doc' '--mandir=/usr/man'
'--with-logdir=/var/log/dansguardian' '--with-proxyuser=dansguardian'
'--with-proxygroup=dansguardian' '--program-suffix=-av'
'--disable-dependency-tracking' '--enable-clamav' '--enable-fancydm'
'--enable-trickledm' '--enable-ntlm' '--enable-email'

I've only enabled ident as an auth plugin and am using both the older
identd client (which is reporting usernames properly) as well as
retinascan (which is reporting all users as "system" for some reason).

Any ideas?


Regards,

Fernand Jonker
Phrase List Maintainer

If you have any feedback on existing lists, have any new lists or
would like to volunteer to create new lists, please send me an email
at the following address: phrasemaster@...

For a DG Documentation project see http://contentfilter.futuragts.com/wiki/
For the latest phraselists see http://contentfilter.futuragts.com/phraselists/
______________________________________________________

Futura Graphic Technical Support
Web Site: http://www.futuragts.com
PC and Network Consultant

#21530 From: "markworsnop" <MWorsnop@...>
Date: Fri Sep 5, 2008 11:24 pm
Subject: Re: removed EXE from the list but still blocked
markworsnop
 
I went another step and removed the bannedextension altogether and
then DG would not start.  So I assume that that must be the correct file.

I now have the file back in there again, but it's empty.  This is weird....

#21531 From: "Chris Nighswonger" <cnighswonger@...>
Date: Sat Sep 6, 2008 12:22 am
Subject: Re: Re: Dansguardian and ntlm group
fbcitdept
 
On Mon, Sep 1, 2008 at 9:24 AM, Allan Cassaro <allan.cassaro@...> wrote:
>
> On Fri, Aug 29, 2008 at 7:49 PM, Chuck Kollars <ckollars9@...> wrote:
> > This is my understanding of this situation (I haven't actually done
> > this myself and hope someone wiser jumps in if I'm incorrect:-). [Note
> > the easily overlooked difference between USERname and GROUPname may
> > explain some apparent differences.]
> >
> > Configurations using the AD (or Samba knockoff) _user_name to place
> > different users in different filter groups are possible. Squid obtains
> > the information and includes it in an NTLM structure that's in the
> > HTTP Authorization: header (along with the tag 'NTLM'). DansGuardian
> > then "sniffs" this information to get its own copy, which it uses to
> > assign different connections to different filter groups.
> >
> > However configurations using an AD _group_name are not straightforward
> > because the information never gets to DansGuardian at all. Although
> > _group_name is available from AD, there's no place in the NTLM
> > structure for Squid to put it, so it never gets into the HTTP
> > response. And since it's not there, DansGuardian can't "sniff" it out.
> > (Perhaps there's no place for it in the NTLM structure because in AD
> > any one user can be a member of an unspecified number of groups, so it
> > isn't clear what's meant by "THE group" of the user.)
> >
> > So one must "duplicate" the AD group membership information in
> > DansGuardian. This can (and probably should to eliminate transcription
> > errors:-) be automated by having `cron` regularly run a script that
> > pulls the information from AD, writes a fresh copy of the DansGuardian
> > "filtergroupslist" file, and restarts DansGuardian. Such a script
> > could be run every night (or more often in some environments).
>
>
>
> So, if you need to associate the username with a group you must write
> some type of script to get this information (from AD, LDAP or other)
> and write it into the filtergroup file.

One such script may be found here:
http://dansguardian.org/downloads/chrisnighswonger/usermap

Regards,

--
Christopher Nighswonger
Faculty Member
Network & Systems Director
Foundations Bible College & Seminary
www.foundations.edu
www.fbcradio.org

#21532 From: "Chris Nighswonger" <cnighswonger@...>
Date: Sat Sep 6, 2008 12:49 am
Subject: Re: Is it possible to restrict groups of Active directory ?
fbcitdept
 
On Fri, Jun 27, 2008 at 12:30 AM, tanveer_t2002 <tanveer_t2002@...> wrote:
> Dear All,
>
> I have setup dansguardian 2.9 with squid proxy with ntlm
> authentication and can view AD username in both squid and DG log with
> all your help I get from here.
>
> Now I want to know one thing, is it possible to restrict an AD group
> which we get from the output of 'wbinfo -g' like if 50 users are in a
> group in AD, I want to restrict based on that group name of AD in DG?

Here is one such script:

http://dansguardian.org/downloads/chrisnighswonger/usermap

Regards,


--
Christopher Nighswonger
Faculty Member
Network & Systems Director
Foundations Bible College & Seminary
www.foundations.edu
www.fbcradio.org
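
The cron job described in the two messages above (#21531 and #21532), sketched as an added example; it is not the usermap script linked there. It assumes group membership arrives as `getent group` lines and that filtergroupslist entries take the form `user=filterN`; the sample groups, the mapping and both function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: rebuild DansGuardian's filtergroupslist from directory groups.

# Constructed sample input in `getent group` format (name:passwd:gid:members).
SAMPLE_GROUPS='staff:x:10001:alice,bob
students:x:10002:carol,dave,bob,guest user
Domain Users:x:10003:alice,bob,carol,dave,erin
printers:x:10004:frank'

# Constructed mapping, one "group=N" per line. Order is priority: a user who
# is in several mapped groups gets the filter of the first group listed here.
SAMPLE_MAPPING='staff=2
students=3'

# build_filtergroupslist MAPPING < group-lines
# Prints sorted "user=filterN" lines. Users in no mapped group are left out,
# so they fall through to the default filter group.
build_filtergroupslist() {
    # MAPPING goes through the environment so backslashes in names such as
    # DOMAIN\group are not treated as escape sequences by awk.
    MAPPING=$1 awk -F: '
    BEGIN {
        n = split(ENVIRON["MAPPING"], pairs, "\n")
        for (i = 1; i <= n; i++) {
            eq = index(pairs[i], "=")
            if (eq < 2) continue
            grp = substr(pairs[i], 1, eq - 1)
            num = substr(pairs[i], eq + 1)
            if (num !~ /^[1-9][0-9]*$/ || (grp in filter_of)) continue
            filter_of[grp] = num
            rank_of[grp] = i
        }
    }
    ($1 in filter_of) {
        m = split($4, members, ",")
        for (j = 1; j <= m; j++) {
            u = members[j]
            # Assumption: only conservative user names are written; anything
            # else could corrupt the list and is reported instead.
            if (u !~ /^[A-Za-z0-9._-]+$/) {
                if (u != "") print "skipped member: " u > "/dev/stderr"
                continue
            }
            if (!(u in rank) || rank_of[$1] < rank[u]) {
                rank[u] = rank_of[$1]
                chosen[u] = filter_of[$1]
            }
        }
    }
    END { for (u in chosen) printf "%s=filter%s\n", u, chosen[u] }
    ' | LC_ALL=C sort
}

# install_if_changed NEWFILE TARGET
# Returns 0 if TARGET was replaced (caller should then restart DansGuardian),
# 1 if nothing changed, 2 if NEWFILE is empty. The empty case matters: a
# failed directory lookup must not silently move every user to the default
# filter group. Create NEWFILE beside TARGET so the rename is atomic.
install_if_changed() {
    new=$1 target=$2
    [ -s "$new" ] || return 2
    if [ -f "$target" ] && cmp -s "$new" "$target"; then
        rm -f "$new"
        return 1
    fi
    mv -f "$new" "$target"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_GROUPS" | build_filtergroupslist "$SAMPLE_MAPPING"
```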

#21533 From: "Chuck Kollars" <ckollars9@...>
Date: Sat Sep 6, 2008 2:33 am
Subject: Re: removed EXE from the list but still blocked
ckollars9
 
> I found the EXE in the bannedextensionlist and commented it out
> with a # I stopped DG and then restarted it but the blocked EXE
> message still comes up.  ...

Looking for hidden implicit assumptions leads to this dumb question:
are we sure this problem is related to DansGuardian?

What happens when you arrange to have a user workstation access the
Internet directly (rather than through the DansGuardian filter) and
try to fetch an EXE file? Can you do a screen capture of the blocked
EXE message so folks can see exactly what it looks like? Is it easy to
try it with a different browser and see if the same message still appears?

thanks! -Chuck Kollars

#21534 From: "markworsnop" <MWorsnop@...>
Date: Sat Sep 6, 2008 2:40 am
Subject: Re: removed EXE from the list but still blocked
markworsnop
 
This is a brand new fresh install.  So far I have not found anything
that would do this.  Maybe I need to wipe the DG install?  Is there a
script for that?

There is only one bannedextensions other than the one in the tar file.
This file is empty.  If I remove the file, then DG will not start so I
am guessing I am messing with the correct file.

Did a grep:

> grep extension *
dansguardian.conf:# and extensions it should manage.
dansguardianf1.conf:# Only filter groups with a mode of 1 need to define phrase, URL, site, extension,
dansguardianf1.conf:# exceptionextensionlist or exceptionmimetypelist.
dansguardianf1.conf:exceptionextensionlist = '/usr/local/etc/dansguardian/lists/exceptionextensionlist'
dansguardianf1.conf:bannedextensionlist = '/usr/local/etc/dansguardian/lists/bannedextensionlist'
dansguardianf1.conf:# MIME type & extension blocks for particular domains & URLs (trusted download sites).

The web that comes up says DG
  The banner at the top says Access has been Denied!

The text:

Access to the page:

http://download.microsoft.com/download/9/9/2/992ba2c9-21fe-4f7c-98dc-b830c14963a6/IE8-WindowsVista-x86-ENU.exe


... has been denied for the following reason:

Banned extension: .exe

Categories:

Banned extension

You are seeing this error because what you attempted to access appears
to contain, or is labeled as containing, material that has been deemed
inappropriate.

If you have any queries contact your ICT Coordinator or Network Manager.

Powered by DansGuardian

#21535 From: "davvs" <davvsharp@...>
Date: Sat Sep 6, 2008 10:38 am
Subject: External proxies with changeable IP addresses
davvs
 
Does anyone have any advice regarding the best way to block
unrestricted internet access using a software application that uses a
range of external proxies, with changeable IP addresses, and  SSL
tunnelling?

David Sharp

#21536 From: "mohamad.adel" <mohamad.adel@...>
Date: Mon Sep 8, 2008 9:29 am
Subject: follow_x_forwarded_for dosen't work with squid3 & DG 2.9.9.7
mohamad.adel
 
Dears,
      I upgraded my server with Squid-3 STABLES8 & DG 2.9.9.7 and all
things work well, but I discovered that I cannot see any IPs in the squid
logs; I just see the loopback IP 192.168.0.1. Can anybody help me? I
need to see the PC IPs.

#21537 From: "seringl" <sringl@...>
Date: Mon Sep 8, 2008 8:19 pm
Subject: multiple filter groups
seringl
 
I've reached that point where I'm sinking too much time into one task
and I'm in desperate need of help, thanks to all who read and/or
respond.

I need to set up a second filter group just to allow access to ebay
and paypal. I've been trying to follow a guide at
"http://contentfilter.futuragts.com/wiki/index.php?title=Group_Configuration"
but thus far have had no success with this.

Can anyone point me to a more detailed how-to? Or perhaps even walk
me through parts of it?

I'm unsure what information about my setup is relevant, so ask for
specifics and I'll provide them as soon as I possibly can.

Thanks thanks thanks,
Stephen

#21538 From: "Thiago Francisco Gibran Campos" <campos.thiago@...>
Date: Tue Sep 9, 2008 12:34 am
Subject: Re: multiple filter groups
tfgcampos
 
If you want to let your users of a certain filter access eBay and Paypal, add
these sites to the exceptionsitelist of that filter.

If you want to let the users of a certain filter access only these sites,
make a Blanket Block by adding ** to the bannedsitelist and add eBay and
Paypal to the exceptionsitelist.

Thiago Campos.
Manaus - Amazonas - Brazil.


On Mon, Sep 8, 2008 at 4:19 PM, seringl <sringl@...> wrote:

>   I've reached that point where I'm sinking too much time into one task
> and I'm in desperate need of help, thanks to all who read and/or
> respond.
>
> I need to set up a second filter group just to allow access to ebay
> and paypal. I've been trying to follow a guide at
> "http://contentfilter.futuragts.com/wiki/index.php?title=Group_Configuration"
> but thus far have had no success with this.
>
> Can anyone point me to a more detailed how-to? Or perhaps even walk
> me through parts of it?
>
> I'm unsure what information about my setup is relevant, so ask for
> specifics and I'll provide them as soon as I possibly can.
>
> Thanks thanks thanks,
> Stephen
>
>
>


[Non-text portions of this message have been removed]

#21539 From: JUAN HERNANDEZ DIAZ <juan-hd@...>
Date: Tue Sep 9, 2008 2:47 pm
Subject: RE: Bypass Squid and DG using outside web proxy?
juan-hd@...
 
HELLO KELLY





[Non-text portions of this message have been removed]

#21540 From: "Chuck Kollars" <ckollars9@...>
Date: Tue Sep 9, 2008 4:30 pm
Subject: Re: External proxies with changeable IP addresses
ckollars9
 
> Does anyone have any advice regarding the best way to block
> unrestricted internet access using a software application that
> uses a range of external proxies, with changeable IP addresses,
> and  SSL tunnelling?

I've been waiting for someone else to offer a positive response, but
as the silence is deafening, I'll toss in my two cents. For the moment
I still think https: proxies can be fought successfully with Open
Source Software (see below for specific action items)  ...but it's
getting harder and harder. My (perhaps overly cynical) opinion is
within a couple years fighting https: proxies will be too much for Joe
Programmer using Open Source Software. (See last year's rant in
posting message #19013.)

The conventional wisdom that https: anonymous proxies are relatively
rare because of the cost and difficulty of obtaining SSL certificates
doesn't wash any more with SSL certificates available for only a few
dollars and containing neither the system's real name nor address. SSL
certificates have become so trivial there's a new category (EV =
Extended Validation) of "real" certificate. With hacktivists with
government funding and backchannel access to Silicon Valley expertise
openly challenging the 30,000 people who implement the Great Firewall
of China, there are plenty of big technology guns out there.
Development and change is swift. Long term, individuals filtering just
one organization's web access haven't got a chance to be anything
other than road kill (unless some unforeseen magic happens). Each
installation will reach its tipping point at a different time, but it
seems once it does there'll be no plugging the hole and no going back.

There are now large networks of anonymous https: proxies based on home
machines. (Remember SETI@Home?) Apparently nowadays some home users
can decide "yes, I want to help political dissidents", install some
software, and voila their home computer with an always-on connection
becomes an available anonymous proxy. Best guess is (who knows how a
secret network "really" works?) the systems don't actually change
their IP addresses on demand  (although it may seem so), but rather
just use whatever IP address their ISP assigned them until they're
rebooted, and hand off to another system instantly whenever they're
discovered. (And there are so many of them!) One expert counted at
least 1500 of these at one time, and they change so frequently
blacklists can't keep up. (Besides, many of them use a Chinese or
Farsi charset and so are unreadable to most English readers.)

There are also now tools to make using https: proxies very easy.
There's even a browser toolbar that lets you switch between installed
anonymous proxy systems.

As the legitimate uses of https: have exploded, https: whitelisting
has ceased to be a reasonable option because it causes too much
interference in most cases. One school quickly came up with ~1000(!)
legitimate https: host/sites, and that was just by sniffing routine
activity _before_ actually implementing https: whitelisting and being
bombarded by user requests for additional host/sites.  (If you're a
school, consider that virtually every testing service or college
admissions department uses https: to securely deliver results online.)

The slowness that originally plagued services for circumventing
repression has largely been resolved. Last year I could count on the
slow behavior of typical https: anonymous proxy systems to discourage
students from using them. But no more; computers and networks are
faster, and anonymous proxy systems have a better sense of where an
appropriate tradeoff between anonymity and speed is.

And for the past few years several proxy network services have been
cooperating in both their technology and their business operations.

(Maybe for other than young children the whole filtering approach has
become misguided. It seems to make good sense to instead educate
everyone in the art of living in a highly connected digital society
[see http://www.educ.ksu.edu/digitalcitizenship/]. Although outright
flouting the CIPA law that drives us in the U.S. would just cause a
scandal, perhaps we should at least have a more skeptical attitude.)

It's a tit-for-tat game of continual mutual escalation. What worked
well six months ago isn't even worth implementing any more. (I once
stopped a common anonymous package dead in its tracks  ...for about
six weeks.) For example a few months back blocking port 9666 would
interfere with the operation of some of the https: proxy tools so much
they became unusable, but it doesn't make hardly any difference any
more. For another example, blocking host/sites named ...proxy.  worked
pretty well not so long ago, but these days it misses almost all
anonymous proxies.

      =====

Recent versions of SonicWALL, the commercial product related to
DansGuardian, can be configured to scan "encrypted" web content. Other
commercial products, such as those from 8e6, BlueCoat, Barracuda, and
many more can similarly filter https: web traffic. One big advantage
of a commercial product is you have a dedicated programmer on their
support staff focused on anonymous proxies; even a very clever
individual admin could never come close to matching that level of
attention nor that level of exposure to information from all over. In
many cases commercial products provide very frequent central updates
so you're really paying for a service rather than a device.

Here are some things you can do with Open Source Software (at least if
your goal is to make https: anonymous proxies sufficiently
inconvenient they aren't used heavily, rather than to stop them
altogether:-). These are by no means mutually exclusive; in fact, do
as many as you can (hopefully at least a half dozen). [This is typical
when fighting proxies. Usually there are several "partial" solutions
while a quest for THE solution comes up empty.]

(Hopefully you have an "explicit-proxy" environment [see
http://contentfilter.futuragts.com/wiki/index.php?title=Two_Configuration_Families].
If you have a "transparent-intercepting" environment, several of these
techniques either won't be possible or won't do anything. Also
consider implementing some of these blocks in something like
Shorewall/IPtables rather than in DansGuardian. Blocks in DansGuardian
have the considerable advantage of always being able to present
meaningful messages to the user, but they will be bypassed by illicit
network traffic that doesn't appear to be web related.)

1) Require all host/sites to pass a reverse DNS lookup test. By
eliminating host/sites that don't have a reverse DNS entry, you
eliminate a non-trivial fraction of the home machines acting as
anonymous web proxies.

2) Require all host/site connections to be by DNS _name_ rather than
IP _address_ (see '*ip'  --and '*ips' in recent versions of
DansGuardian-- in 'bannedsitelist'). This eliminates another
significant fraction of the home machines acting as anonymous web
proxies.

3) Block DNS requests to servers you don't recognize. If your ISP
supplies DNS servers and those servers make recursive requests, you
need only allow DNS traffic to those servers and not to anywhere else.
(Be careful though as this may greatly upset a few "power users" that
have reconfigured their computer to use some other DNS but haven't
told you about it, and it may interfere with a few [poorly written]
applications. A couple days of logging before you block anything may
be prudent.)

4) Lock down all your end user computers so users can't install new
software (or alternately can't execute any software that's not
approved). Or explicitly forbid execution of all the https: proxy
system tools you're trying to stop.

5) If possible get an accurate, complete list of the netblocks of
dynamic IP addresses that ISPs assign to their users, and block all
communication with the whole list. There should never be a legitimate
web host/site on any of these addresses (especially if users respect
their ISP's restrictions:-). (Watch out though for the very few small
semi-legitimate web host/sites that rely on "dynamic DNS".) This will
probably significantly interfere with P2P traffic too, which may or
may not be what you want.

6) If you can figure out how to do it (I'm not sure it's even
possible), configure your firewall system to only allow SSL
connections for which the handshake was completed with no errors at
all (not even "certificate name mismatch").

7) If you can figure out how to do it (I'm not sure it's even
possible), configure your firewall to only allow SSL connections that
use known standard encryption schemes. If a connection uses port 443
but uses its own non-w3c-standard encryption scheme, shut it off.

8) If you can figure out how to do it (I'm not sure it's even
possible), configure all your end user systems to not finish
establishing SSL connections if there are any errors at all in the
handshake (ex: "certificate name mismatch") and to not allow users or
programs to bypass this restriction (perhaps by clicking on some
"exception" button).

9) Use a regular expression in 'bannedregexpurllist' to disallow
host/sites whose names appear to contain an IP address and so are
almost certainly dynamically assigned by an ISP. This eliminates yet
another significant fraction of the home machines acting as anonymous
web proxies. (But be very careful to construct the regular expression
so it doesn't overblock, for example by unintended matching of long
hashed session keys.)

10) If you offer users central file storage, use something like the
Linux `find` command to comb through the store every night and
silently delete all the anonymous proxy tools. (Users typically won't
complain, because they know they shouldn't have had the file in the
first place. Reduce complaints even further by surgically deleting
only one key executable rather than a whole package; a single missing
file with no apparent rhyme or reason is often written off as an
"accident".)

11) Ban any _search_ that includes the word 'proxy' or 'proxies' (but
implement exceptions for things like "Munchausen by proxy"). Almost
all web search services convey their arguments in an HTTP GET, so the
search terms are in a URL where a clever regular expression can
examine them. Be sure to match only on a whole word though. Watch out
for extraneous punctuation which is stripped by many web search
services - when you block the search term  proxy  users will quickly
try "proxy", (proxy), *proxy*, p r o x y, etc. Watch out for alternate
spellings such as poxy, proxie, proksy, pr0xy, prox, and even oxy. And
watch out for RESTful URLs that are searches in disguise, for example
http://del.icio.us/tag/proxy .

12) Have a subscription to good blacklists that include proxy sites,
and update it frequently.

13) When you see host/site names in the logs that you think might be
proxies, check them out and possibly add them to your own local
bannedsitelist. Emulate an end user by sitting at one of their
computers, type the same thing they typed in the address bar, and see
if it looks like a proxy. (By pretending to be an end user, you avoid
the end-to-end encryption. The traffic would be gobbledygook if viewed
from your firewall in the middle, but by sitting at a user computer
you're at the very end.)

14) Consider non-technical means, such as a new policy like "any
student found with 'foobar.exe' on their thumb drive will be suspended
for the rest of the day". (But talk to your administration first and
only do this if they're enthusiastic about it and if it won't happen
frequently! If you have to cajole them into doing your dirty work, or
call on them all the time, they'll quickly wiggle out of the new policy.)

thanks! -Chuck Kollars
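
Added example (not part of the original post): a small Python harness for checking a candidate pattern for item 9 against sample URLs before adapting it for 'bannedregexpurllist'. It looks for an embedded IP address only in the host part, so long session keys in the path or query cannot trigger it. The function names and sample URLs are constructed for illustration, and literal-IP URLs are out of scope here.

```python
import re
from urllib.parse import urlsplit

# One decimal octet, 0-255, optionally zero-padded to three digits.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|0?[0-9]{1,2})"

# Four octets joined by "-" or ".", not part of a longer run of digits.
EMBEDDED_IP = re.compile(rf"(?<![0-9]){OCTET}(?:[-.]{OCTET}){{3}}(?![0-9])")

# The host must end in a label that starts with a letter, so a bare
# numeric address such as 192.168.10.20 is not treated as a host *name*.
HAS_NAME_LABEL = re.compile(r"\.[a-z][a-z0-9-]*$")


def host_of(url):
    """Return the lower-cased host part of a URL (scheme optional)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_dynamic(url):
    """True if the host name appears to embed an IP address."""
    host = host_of(url)
    return bool(HAS_NAME_LABEL.search(host) and EMBEDDED_IP.search(host))


def flagged(urls):
    """Return the URLs from the list that the pattern would block."""
    return [u for u in urls if looks_dynamic(u)]


# Constructed sample URLs: the first two should be blocked, the rest not.
SAMPLES = [
    "http://pool-71-120-33-5.dsl.example.net/",
    "c-071-120-033-005.hsd1.example.net/index.html",
    "http://shop.example.com/cart?sid=71-120-33-5-9f8e7d6c5b4a",  # key in query
    "http://v1-2-3.example.com/",                # only three numeric groups
    "http://host-1-2-3-256.example.com/",        # 256 is not a valid octet
    "http://192.168.10.20/",                     # literal IP, no host name
]

if __name__ == "__main__":
    for url in SAMPLES:
        print("BLOCK" if looks_dynamic(url) else "allow", url)
```

Run it against URLs taken from your own access logs and review both the blocked and the allowed lists before deploying the pattern.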

#21541 From: "neubateneuterzeden" <neubateneuterzeden@...>
Date: Tue Sep 9, 2008 5:08 pm
Subject: How to Block Ultrasurf?
 
How to block Ultrasurf with DansGuardian?

This is complete info on what Ultrasurf is:

http://www.wujie.net/
