Re: [SLUG] Looking for a firewall

From: Greg Schmidt (slugmail@gschmidt.net)
Date: Wed Aug 13 2003 - 01:46:16 EDT


Levi Bard wrote:
>>The original poster may not want an HTTP proxy, but that's really the best
>>way to enforce these kinds of protocol-level restrictions. If it's the
>>reconfiguration of clients that's holding you back, proxies can be
>>transparent.
>
>
> I agree, an http proxy is the way to go. For example, the proxy they use at my work only allows GET and POST (I believe; there may be others, but I'm sure it won't do CONNECT and probably not TRACE either).
>
> Levi

OK, I'm convinced. Thanks everyone. If I'm going to do this I'll need
a full-blown proxy.

Brian, thanks for suggesting snort-inline, but the caveats you mention
probably preclude it. You seemed to have the best answer to my
original, ill-conceived question.

Thor, to attempt to answer your questions, it is not IIS, but Apache,
more specifically, tomcat. mod_rewrite, what I would likely use to
disable HTTP TRACE, is not compiled in. Moreover, there seems to be not
one line of source code on the box. When I ran ./configure I discovered
there was also no C compiler. At least they left the man pages.

Before I did anything significant to this appliance I cloned the drive.
LILO now boots into "FIX" and "SUPPORTED". Anything about changing
the config, much less recompiling apache, is completely and absolutely
unsupported by the vendor. Without any tools on the drive to fix it,
I'm leaning toward putting another box in front of it to protect it. It
started life as a RedHat distro. The meat of the product they're
selling is some reasonably significant java magic. I have lingering
doubts about my ability to stick a tomcat apache I compiled under their
java and still have it work. Nothing in the vendor's docs mentions a
Linux console much less plugging a keyboard and monitor into the box.
It's a 1-U server "appliance" you are supposed to be able to just plug
into the network, and after setting an IP address through a java app
with a serial cable, just stand up and run. It is, according to plan,
completely managed by a java GUI. Yeah, they are certainly violating
the spirit of GPL, if not the letter. Still, this made me go take a
good look at the apache license, and it doesn't seem to require
releasing source. All the apache projects seem to release source code,
even with a binary release, but I don't think the license requires them
to do so. Still, no gcc is rude.

Thor asked how this affects the vendor, and I'm not sure how to answer
that. Apparently, they don't feel very affected. They are considering
disabling HTTP TRACE in some future version. No definitive answer from
them yet. Only two facts seem relevant. Some PHB already paid for it.
Some other not-so-PHB says we can't put it on the network while HTTP
TRACE is enabled.

So.... I've been looking at squid. I haven't found any specific mention
of a feature that can disable an HTTP method in squid's docs, yet.

So now three questions:

Can squid do that?

I'm likely going to need more horsepower than just some old Pentium and
two NICs can give me, right?

Is there a better tool to use for this proxy than squid?

Thanks again,
Greg
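[Editor's note, added to the archive and not part of Greg's message or of any vendor code. On the first question: squid's ACLs do match on the request method, so the policy Greg is after is the pair `acl trace method TRACE` and `http_access deny trace` placed ahead of the allow rules; a reverse-proxy squid in front of the appliance then answers TRACE itself and never forwards it. The script below shows the same method filter in about as few lines as it can be written, for the "another box in front of it" case, plus a probe that tells you whether TRACE is still reachable once the filter is in place. Everything in it is an assumption for illustration: the allow-list of GET/POST/HEAD, the upstream address 127.0.0.1:8080 for the appliance, the listen port 8000 and the X-Probe marker header.]

```python
"""HTTP method filter for a box in front of an appliance whose own httpd
cannot be reconfigured, plus a TRACE probe.  Added example, not code from
the thread; the allow-list and every address below are assumptions."""
import socket
import socketserver
import sys

# Methods the appliance's management GUI is assumed to need.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def classify_request(head: bytes):
    """Return (method, 'allow'|'deny'|'bad') for a raw HTTP request head."""
    try:
        request_line = head.split(b"\r\n", 1)[0].decode("ascii")
        method, _target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return "", "bad"
    if not version.startswith("HTTP/1."):
        return method, "bad"
    return method, ("allow" if method in ALLOWED_METHODS else "deny")


def content_length(head: bytes) -> int:
    """Body size declared in the request head: 0 if absent, -1 if malformed."""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip()) if value.strip().isdigit() else -1
    return 0


def error_response(status: str, text: str) -> bytes:
    """Small answer the filter sends itself; 405 carries an Allow header."""
    body = (text + "\n").encode()
    allow = b"Allow: " + ", ".join(sorted(ALLOWED_METHODS)).encode() + b"\r\n"
    return (b"HTTP/1.1 " + status.encode() + b"\r\n"
            + (allow if status.startswith("405") else b"")
            + b"Content-Type: text/plain\r\nConnection: close\r\n"
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def reject_response(method: str) -> bytes:
    return error_response("405 Method Not Allowed", f"Method {method} not allowed")


def trace_enabled(response: bytes) -> bool:
    """TRACE is on if the server answered 200 and echoed the request back
    (RFC 2616 gives the echo Content-Type message/http)."""
    head, _, body = response.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2 or parts[1] != b"200":
        return False
    return b"message/http" in head.lower() or body.startswith(b"TRACE ")


def probe_trace(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Send one TRACE with a marker header and report whether it came back."""
    request = (f"TRACE / HTTP/1.1\r\nHost: {host}\r\nX-Probe: xst-check\r\n"
               f"Connection: close\r\n\r\n").encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while data := sock.recv(4096):
            chunks.append(data)
    return trace_enabled(b"".join(chunks))


class MethodFilter(socketserver.BaseRequestHandler):
    upstream = ("127.0.0.1", 8080)   # where the appliance listens (assumption)

    def handle(self):
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = self.request.recv(4096)
            if not data:
                return
            buf += data
        head, _, body = buf.partition(b"\r\n\r\n")
        method, verdict = classify_request(head)
        if verdict != "allow":
            self.request.sendall(reject_response(method or "?") if verdict == "deny"
                                 else error_response("400 Bad Request", "Bad request"))
            return
        length = content_length(head)
        if length < 0:
            self.request.sendall(error_response("400 Bad Request", "Bad Content-Length"))
            return
        while len(body) < length:                      # collect a declared body
            data = self.request.recv(4096)
            if not data:
                break
            body += data
        # One request per connection keeps the relay loop trivial.
        lines = [l for l in head.split(b"\r\n") if not l.lower().startswith(b"connection:")]
        head = b"\r\n".join(lines + [b"Connection: close"])
        with socket.create_connection(self.upstream) as up:
            up.sendall(head + b"\r\n\r\n" + body[:length])
            while data := up.recv(4096):
                self.request.sendall(data)


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8000
    with socketserver.ThreadingTCPServer(("", port), MethodFilter) as srv:
        srv.serve_forever()
```

Run it on the front box with `python3 filter.py 80` after pointing `upstream` at the appliance, then `probe_trace("front-box")` should come back False while `probe_trace("appliance")` from the inside still returns True, which is the check the "not-so-PHB" will want to see. This is a one-request-per-connection relay with no TLS, no pipelining and no chunked request bodies, which is why the answer to the third question is still squid or another real proxy rather than this: the point of the script is to make the policy, and the test for it, concrete.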

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:40:11 EDT