From: Julien VEHENT <julien@linuxwall.info>
To: Piyush Joshi <pj.netfilter@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: How to block proxing https connection ??
Date: Mon, 02 Mar 2009 18:16:34 +0100 [thread overview]
Message-ID: <49AC1472.3050906@linuxwall.info> (raw)
In-Reply-To: <52da25120903012110p23d6d3b4l4a568eaf8af6c495@mail.gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 1112 bytes --]
Hi Piyush,
Piyush Joshi wrote:
> Dear All Expert,
> I am new to this list and have a question
> regarding netfilter. We are successfully running netfilter and now we
> are seeing that some users using malicious tools to go to the internet
> by creating https connection to outside proxy and open banned sites,
> Is there any patch for iptables to prevent this ??
>
Well, considering you cannot inspect the content of an HTTPS connection,
the *best* way to do that is to allow HTTPS connection only to websites
you know and want to authorize.
Your users must use a proxy you control to go on the Internet. Then, you
can just filter HTTPS website using a white list of authorized ones.
Note that, from the Netfilter point of view, HTTP and HTTPS connections
are only seen as TCP connection, no difference is made between them.
Regards,
Julien
>
> Thanks Regards
>
> Piyush Joshi
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
[-- Attachment #1.2: julien.vcf --]
[-- Type: text/x-vcard, Size: 388 bytes --]
begin:vcard
fn:Julien Vehent
n:Vehent;Julien
email;internet:julien@linuxwall.info
tel;cell:+33 6 23 86 58 73
note;quoted-printable:Linuxwall Root Certificate :=0D=0A=
http://www.linuxwall.info/files/ca-linuxwall.crt=0D=0A=
=0D=0A=
Personal Certificate :=0D=0A=
http://www.linuxwall.info/files/JulienVehent.pem
x-mozilla-html:FALSE
url:http://www.linuxwall.info
version:2.1
end:vcard
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/x-pkcs7-signature, Size: 3485 bytes --]
prev parent reply other threads:[~2009-03-02 17:16 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-02 5:10 How to block proxing https connection ?? Piyush Joshi
2009-03-02 17:16 ` Julien VEHENT [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49AC1472.3050906@linuxwall.info \
--to=julien@linuxwall.info \
--cc=netfilter@vger.kernel.org \
--cc=pj.netfilter@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox