For the last few weeks, I’ve been implementing a Squid proxy server (with SquidGuard content filtering) to help control outbound web access from my home network. Basically, I wanted to make sure that the kids weren’t accessing content that was inappropriate. So, after making sure that the proxy server was working as expected, last night I locked down the Cisco PIX firewall (OK, I’m a geek—what can I say?) to only allow outbound HTTP/HTTPS traffic from the proxy server itself. (I suspect that one of my daughters had discovered that she could bypass the proxy, hence the need to lock down the firewall. She’s got a surprise coming.)
Upon arriving home from work today, I booted up my laptop and launched my suite of applications and sites (Camino, NetNewsWire, Adium, Cocalicious, webmail for the office, a few other key web sites, etc.). I was greeted with a prompt to enter the password for two MSN accounts that I use for instant messaging with Adium. I entered the password. It prompted me again. Puzzled, I typed the password again, more slowly to make sure that I had every character right. Still wouldn’t connect. What was going on?
Now suspicious that someone had defrauded my accounts, I logged in to the accounts via an HTTPS connection in a Web browser. No, the password was right; the accounts were OK. So why wouldn’t Adium connect?
Next, I reviewed the account settings in Adium while also performing a Google search. The settings looked right (most notably, the “Connect via HTTP” option was unchecked), and the Google search turned up an Adium Trac ticket about MSN connectivity with a proxy server. At that point, the light bulb came on—I must need to configure Adium to use the systemwide proxy settings in Mac OS X. A quick couple of clicks later I was done, but Adium still wouldn’t connect. Huh?
<aside>I still haven’t determined if configuring Adium to use the systemwide proxy settings failed due to a content violation, an error with the proxy configuration, or a bug in Adium. Nothing was logged in the blocked sites log on the proxy, though, so I’m leaning toward one of the latter two.</aside>
OK, then, let’s go old-school on this thing. I logged into my PIX firewall, issued a “show access-list” command to get the current traffic matching statistics, and tried to connect again. Another “show access-list” command, and it became painfully clear that the outbound rule blocking HTTPS access from everyone except the proxy was causing the problem.
<rant>If an application says that it uses a certain set of protocols or ports, DON’T use an entirely different set of protocols and ports. It drives people like me crazy! (Not to mention it flies in the face of trying to establish reasonable security policies.)</rant>
Back in the PIX firewall again, I entered a “debug packet” command to echo HTTPS packets exiting the network, and tried connecting to my MSN account from Adium again. Yep, there it is—a couple of different IP addresses (65.54.179.228 and 65.54.183.203) showed up in the debug output every time I tried to connect. After modifying the access-list to allow HTTPS traffic to those specific addresses, Adium connected without any further problems.
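The diagnostic step above (let the firewall tell you what it is dropping, then group the drops by destination) can also be done from the firewall’s syslog instead of live debug output. The script below is an added example, not code from the post; the log lines are constructed in the style of PIX “106023” deny messages, and the interface name, ACL name and inside host addresses are assumptions. Only the two destination addresses come from the post.

```python
import re
from collections import Counter

# Constructed sample syslog in the style of PIX 106023 deny messages.
# Interface names, ACL name and inside hosts are assumptions; the two
# 65.54.x.x destinations are the addresses the post saw in debug output.
SAMPLE_LOG = """\
Jun  8 18:02:11 pix %PIX-4-106023: Deny tcp src inside:192.168.1.23/49152 dst outside:65.54.179.228/443 by access-group "outbound_acl"
Jun  8 18:02:11 pix %PIX-4-106023: Deny tcp src inside:192.168.1.23/49153 dst outside:65.54.183.203/443 by access-group "outbound_acl"
Jun  8 18:02:14 pix %PIX-4-106023: Deny tcp src inside:192.168.1.23/49154 dst outside:65.54.179.228/443 by access-group "outbound_acl"
Jun  8 18:02:20 pix %PIX-4-106023: Deny tcp src inside:192.168.1.40/33001 dst outside:203.0.113.9/80 by access-group "outbound_acl"
Jun  8 18:02:21 pix %PIX-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:192.168.1.10/5001 (192.168.1.10/5001)
"""

# Matches the deny message body; other message types (e.g. 302013) are ignored.
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "?(?P<acl>[^"\s]+)"?'
)

def parse_denies(text):
    """Yield (src, dst, proto, dport, acl) for every deny line in the log text."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield (m['src'], m['dst'], m['proto'].lower(), int(m['dport']), m['acl'])

def blocked_destinations(text, src_host):
    """Count blocked (dst, proto, dport) tuples for one inside host.

    This is the "what exactly is being blocked" view: the destinations an
    application is really talking to, regardless of what it claims to use."""
    counts = Counter()
    for src, dst, proto, dport, _acl in parse_denies(text):
        if src == src_host:
            counts[(dst, proto, dport)] += 1
    return counts

if __name__ == "__main__":
    for (dst, proto, dport), n in blocked_destinations(SAMPLE_LOG, "192.168.1.23").most_common():
        print(f"{dst}:{dport}/{proto} blocked {n}x")
```

Feed it the real syslog from the firewall and the host running the misbehaving application, and the most_common() list is the set of destinations to review before deciding whether to permit them.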
Now what would an “ordinary” person have done in this situation? Would an “ordinary” person (and by that I mean a non-network engineer or non-geek individual) have known to check their firewall? Or to issue a command to have the firewall tell you about blocked packets so that they could determine exactly what was being blocked and why?
Granted, ordinary people probably won’t have PIX firewalls at their house, and probably wouldn’t be locking down outbound traffic via access lists. Still, doesn’t this tell us something? Shouldn’t applications adhere to the protocols and ports they say they are using? Shouldn’t applications be intelligent enough to provide an error message that describes the underlying problem? After all this progress in computer hardware, applications, and networking, are we still unable to accurately diagnose problems without going to multiple sources? Or am I just expecting too much?
Tags: Cisco, Macintosh, Networking, Security
-
An ordinary person would be using either a Linksys or D-link (or connecting directly to their DSL/cable modem), and if things weren’t working would have called their ISP (or the neighbour’s kid).
You added extra complexity to the network because you are technically inclined, and were able to debug it because you are so inclined.
-
Perhaps you should be proud that your daughter might be able to figure this all out.
And if she can, then the very LEAST of your worries is that she’s viewing inappropriate content. When my own geek son started using the internet a hundred years ago, my friends were worried he’d look at “inappropriate pictures of women.” First, I told my son there are no real women who will do that for you. And second, I tell my friends, I’m much more concerned he’s learning to make bombs! Fifteen years later… all is well in my house! No hooker wives, no hooker’s children and no bombs!
You ask:
After all this progress in computer hardware, applications, and networking, are we still unable to accurately diagnose problems without going to multiple sources?
I suggest it’s the same problem with our kids… We want to believe them… I think we SHOULD believe them! But you can’t ignore the value of input from other sources in the raising of them: report cards, other kid’s parents, other kids, other sibs. And the list goes on.
Best of luck to ya — with the network and with the kids and wait til your wife starts complaining about the changes you’ve made before you head out the door! — You think the kids are bad!
-
Hi
Thought I would recommend a wonderful little Linux distro that does everything you’re needing on one machine - Astaro (.com, http://ftp.astaro.com); you can use it at home for up to 10 PCs for free.
I could take a deep breath and tell you everything it does, but as a fellow engineer, I’ll just say that you’d be doing yourself a disservice if you didn’t try it out for a solution to your home problems (believe me, I have 4 boys!). The ISO I believe is about 400 MB and there’s a 700 MB virtual appliance that you can use clustered as well (enterprise applications).
Cheers and thanks for all the good posts.
Paul
-
If you are building a firewall box you should at least check out Ideco Gateway - http://www.idecogateway.com
Trackback link: http://blog.scottlowe.org/2007/06/08/how-do-non-geeks-fix-problems/trackback/