[PLUG] super-restrictive IPtables

jen montserrat jen.montserrat at gmail.com
Wed Feb 1 01:01:49 UTC 2012


Of the 80% of those Windoze systems not 0wned, how many actually are, but the
users are totally unaware that they are 0wned?

You could run Tinyproxy with Dansguardian and then use the filters in
Dansguardian to restrict where the XP host can go via the web, if at all.
Then use iptables to further restrict.


This is also a configuration for squid to allow Windows Update; it should
be placed at the top of the ACL list.

# Windows Update hosts. The leading dot on .update.microsoft.com matches
# every subdomain; the other entries are exact host names.
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com

# HTTPS reaches the proxy as a CONNECT request, so it needs its own ACL
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com

# http_access is first-match: these allow lines must come before any
# catch-all deny. localnet is squid's stock ACL for the local ranges.
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet


That is about the extent of my limited knowledge.

~ Jen

On Sat, Jan 28, 2012 at 10:20 AM, Keith Lofstrom <keithl at gate.kl-ic.com> wrote:

> I want to set up an internal network with very restricted traffic.
>
> Sadly, a service vendor for my wife's office has a web interface
> that only talks to Internet Exploder with a local app that must
> run under windoze.   Another supplier will only deal with
> Quickbooks over the web.  We have a little windoze box (ASUS
> B202) running winXP with no network connection.  I don't want
> it connected to the internet.  It could get 0wned by the wrong
> popup ads, and I don't want to spend a lot of time keeping it
> updated (this is not possible for zero day exploits, anyway).
>
> Possible Solution:  Feed it from the Linux firewall over a
> dedicated LAN, through a firewall set to just pass ports 80 and
> 443 to a short list of IP addresses, with local DNS for a few
> addresses from a static table on the firewall.  If a service
> vendor gets 0wned, the local windows box might too, but it
> cannot call home to base, spread the infection, or hammer on
> the linux LAN.  I might also open the IP addresses for M$ updates.
>
> My biggest concern is that I am underestimating the number of
> IP addresses I will need to talk to and how often they change.
> Perhaps there is some tool to update the local DNS table without
> a lot of effort.  Updates should happen only when I tell the
> firewall to do so, and I can review the table, a few times a year.
>
> Any helpful ideas?
>
> Keith
>
> P.S. The Great Windoze Meltdown could happen any day - the fact that
> 80% of windoze machines do not seem to be 0wned does not guarantee
> that they will never be.  Large scale attacks are probably already
> seeded out there, and may be launched if some general has a bad day.
> I prefer to be ready to help my neighbors, instead of another victim.
>
> P.P.S. xkcd 974, The General Problem, alt text:
> "I find that when someone's taking time to do something right
> in the present, they're a perfectionist with no ability to
> prioritize, whereas when someone took time to do something
> right in the past, they're a master artisan of great foresight."
>
>
> --
> Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
> KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
> Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
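The firewall Keith sketches (a dedicated LAN for the XP box, TCP 80 and 443 only to a short allowlist, a static name table that changes only when the admin says so) as a script. This is an added example, not code from either poster. The interface name, subnet, firewall address and allowlist file format are assumptions; the script prints the iptables commands so they can be reviewed before running, and resolves host names only when it is run, so nothing changes between refreshes.

```shell
#!/bin/sh
# Added example (not from the thread): generate the iptables commands for a
# "ports 80/443 to a short allowlist" LAN. Names are resolved only when the
# script runs, so the table only changes when you choose to refresh it.
#
# Assumed names; change to suit:
WIN_IF="${WIN_IF:-eth1}"               # interface facing the XP box
WIN_NET="${WIN_NET:-192.168.77.0/24}"  # the dedicated LAN
FW_ADDR="${FW_ADDR:-192.168.77.1}"     # firewall's own address on that LAN

# resolve_allowlist: stdin has one entry per line, an IPv4 address or a
# host name; '#' comments and blank lines are skipped. Output is "name ip",
# one line per address. getent consults /etc/hosts before DNS, so a static
# table on the firewall wins whenever the name is listed there.
resolve_allowlist() {
    while read -r name _rest; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$name" in
            *[!0-9.]*)
                getent ahostsv4 "$name" | awk -v n="$name" '{print n, $1}' | sort -u
                ;;
            *)
                printf '%s %s\n' "$name" "$name"
                ;;
        esac
    done
}

# build_rules: stdin is the "name ip" pairs; stdout is the iptables commands.
# All of the XP LAN's traffic goes through its own chain, so a refresh
# rebuilds only that chain and leaves the rest of the firewall alone.
build_rules() {
    # One-time hooks, guarded with -C so re-running does not duplicate them:
    # forwarded traffic from the XP LAN enters WINLAN; replies get back in.
    echo "iptables -N WINLAN 2>/dev/null || iptables -F WINLAN"
    echo "iptables -C FORWARD -i $WIN_IF -j WINLAN 2>/dev/null || iptables -I FORWARD 1 -i $WIN_IF -j WINLAN"
    echo "iptables -C FORWARD -o $WIN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || iptables -I FORWARD 1 -o $WIN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The XP box may talk to the firewall itself only for DNS (the static table).
    for proto in udp tcp; do
        echo "iptables -C INPUT -i $WIN_IF -s $WIN_NET -d $FW_ADDR -p $proto --dport 53 -j ACCEPT 2>/dev/null || iptables -A INPUT -i $WIN_IF -s $WIN_NET -d $FW_ADDR -p $proto --dport 53 -j ACCEPT"
    done
    # One ACCEPT per (address, port). The comment keeps the host name visible
    # in 'iptables -L WINLAN' so the table can be reviewed months later.
    while read -r name ip; do
        [ -n "$ip" ] || continue
        for port in 80 443; do
            echo "iptables -A WINLAN -s $WIN_NET -d $ip -p tcp --dport $port -m conntrack --ctstate NEW -m comment --comment \"$name\" -j ACCEPT"
        done
    done
    # Everything else from that LAN is logged (rate-limited) and dropped, so a
    # box that did get 0wned and tries to call home shows up in syslog.
    echo "iptables -A WINLAN -m limit --limit 6/min -j LOG --log-prefix \"WINLAN-DROP: \""
    echo "iptables -A WINLAN -j DROP"
}

# Usage: sh winlan.sh /etc/winlan-allow.txt > /tmp/winlan.rules
#        (read /tmp/winlan.rules, then: sh /tmp/winlan.rules)
if [ $# -ge 1 ]; then
    resolve_allowlist < "$1" | build_rules
fi
```

Two things the script leans on but does not set up: the firewall's INPUT chain must already accept ESTABLISHED,RELATED traffic (most rulesets do), and something on the firewall has to answer the XP box's DNS queries from the static table. dnsmasq does that with `interface=eth1` and `no-resolv` (assumed interface name), at which point it serves only /etc/hosts, which is the same file getent reads when the allowlist is refreshed, so one table drives both the firewall and the resolver.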


