by haraldooo 1024 days ago
Sure they can... but they can’t get around your outgoing firewall rule that reroutes all traffic for certain ports to the proxy.

Hm, I have to see if Mikrotik has rule syntax for this. I can already force every app that thinks it will use its own DNS server to use mine, but not sure how I could do the same with a proxy. Maybe just force ports 80 and 443? But what's stopping these apps from communicating on non-standard ports?
There's no reason to allow arbitrary traffic in either direction other than convenience. If you want a more secure network, you block everything by default and narrowly open as needed.
That means I'll stop 99% of all outgoing traffic. Still interested in how to force all traffic to a proxy though.
Thanks, I'll give this a thorough read.
If it's only for certain ports, they can just use non-standard ports.
Not uncommon to have a drop all rule as default on outgoing packets as well.

Regular http gets redirected to proxy, non-standard traffic needs to be explicitly allowed out.