[squid-users] Bypassed Proxy

Amos Jeffries squid3 at treenet.co.nz
Fri Dec 23 03:06:49 UTC 2016


On 23/12/2016 1:02 p.m., Sameh Onaissi wrote:
> I have been trying to replicate what he is doing.
> 
> I have tried 4 or 5 VPN software and none connects, including Hotspot
> Shield. My iptables seem to be doing the job in that regard (Eliezer
> helped me set them up)
> 

Do you have matching ip6tables rules to prevent IPv6 networking being
used for the prohibited things?

>> On Dec 22, 2016, at 5:14 PM, Antony Stone wrote:
>>
>> On Thursday 22 December 2016 at 22:50:33, Sameh Onaissi wrote:
>>
>>> The user has hotspot shield installed on his PC, which I believe is a
>>> similar extension to the one you mentioned.
>>
>>> He is getting by squid with some sort of VPN, I thought squid can be
>>> configured against such things?

Squid can only prevent things going through itself.

Unless the VPN software is using HTTP(S) protocol messaging as a
transport layer, AND that messaging goes through the proxy, the answer
is no. That kind of control is what firewalls are for.


>>
>> It sounds as though you need to review your firewall (routing) policies.
>>
>> Anyone who is allowed to use a VPN can effectively bypass all security policies 
>> on your network.
>>

I second that.

Keep in mind that the "iptables" command only sets up rules for IPv4
connections. They could be using IPv6. 'VPN' also has a number of
sub-types: 6to4, SOCKS, IP-IP, or remote NPT relay.

Amos
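
An added example, not part of the original message or of Squid: a shell check for the IPv4-only gap described above, listing blocking rules in an `iptables-save` dump that have no counterpart in the `ip6tables-save` dump. The function names and the sample rules and ports are constructed for illustration; rules are compared on chain, protocol, destination port and target only, since addresses differ between the two families.

```shell
# Added example: list blocking IPv4 filter rules with no IPv6 counterpart.
# Real input would come from: iptables-save > v4.rules ; ip6tables-save > v6.rules

# Reduce a *-save dump to "chain proto dport target" per DROP/REJECT filter rule.
rule_keys() {
    awk '
        /^\*/ { table = substr($1, 2) }          # table header: *filter, *nat, ...
        table == "filter" && $1 == "-A" {
            proto = "any"; port = "any"; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport" || $i == "--dports") port = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (target == "DROP" || target == "REJECT")
                print $2, proto, port, target
        }' "$1" | LC_ALL=C sort -u
}

# Print every IPv4 rule key that is absent from the IPv6 dump.
v6_gaps() {
    a=$(mktemp) && b=$(mktemp) || return 1
    rule_keys "$1" > "$a"; rule_keys "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample dumps (rules and ports are illustrative, not from the thread).
sample_v4() {
cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p udp -m udp --dport 1194 -j DROP
-A FORWARD -p udp -m udp --dport 500 -j DROP
-A FORWARD -p tcp -m tcp --dport 1723 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}
sample_v6() {
cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p udp -m udp --dport 1194 -j DROP
COMMIT
EOF
}
# Demo: prints the two IPv4 blocks that the IPv6 dump lacks.
d=$(mktemp -d); sample_v4 > "$d/4"; sample_v6 > "$d/6"
v6_gaps "$d/4" "$d/6"; rm -rf "$d"
```

An empty result only means the listed port blocks are mirrored; default chain policies and address-based rules still need to be compared by hand.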
