Hello,
There is a program called SafeIP. It is one of the well-known tunnelling applications. When I listen with tcpdump on the endpoint where the software runs, I get the output below;
[root@labris ~]# tcpdump -i any host 10.66.66.40
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
12:06:19.280993 arp who-has 10.66.66.40 tell 10.66.66.1
12:06:19.282380 arp reply 10.66.66.40 is-at 08:60:6e:d8:7c:53 (oui Unknown)
12:06:25.127142 IP 10.66.66.40.49738 > main.freesafeip.com.https: R 3302060601:3302060601(0) ack 1531059419 win 0
12:06:28.842825 IP 10.66.66.40.49739 > main.freesafeip.com.https: S 2181658282:2181658282(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
12:06:29.011775 IP main.freesafeip.com.https > 10.66.66.40.49739: S 3727472303:3727472303(0) ack 2181658283 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 7>
12:06:29.012202 IP 10.66.66.40.49739 > main.freesafeip.com.https: . ack 1 win 256
12:06:29.017604 IP 10.66.66.40.49739 > main.freesafeip.com.https: P 1:170(169) ack 1 win 256
12:06:29.185447 IP main.freesafeip.com.https > 10.66.66.40.49739: . ack 170 win 123
12:06:29.186716 IP main.freesafeip.com.https > 10.66.66.40.49739: . 1:1461(1460) ack 170 win 123
12:06:29.186728 IP main.freesafeip.com.https > 10.66.66.40.49739: . 1461:2921(1460) ack 170 win 123
12:06:29.186739 IP main.freesafeip.com.https > 10.66.66.40.49739: P 2921:3751(830) ack 170 win 123
12:06:29.187258 IP 10.66.66.40.49739 > main.freesafeip.com.https: . ack 1461 win 256
12:06:29.187259 IP 10.66.66.40.49739 > main.freesafeip.com.https: . ack 3751 win 256
12:06:29.188981 IP 10.66.66.40.49739 > main.freesafeip.com.https: P 170:496(326) ack 3751 win 256
12:06:29.323374 arp who-has 10.66.66.205 tell 10.66.66.40
12:06:29.323583 arp who-has 10.66.66.40 tell 10.66.66.205
12:06:29.360960 IP main.freesafeip.com.https > 10.66.66.40.49739: P 3751:3810(59) ack 496 win 131
12:06:29.361783 IP 10.66.66.40.49739 > main.freesafeip.com.https: . ack 3810 win 256
12:06:29.388922 IP 10.66.66.40.49739 > main.freesafeip.com.https: P 496:661(165) ack 3810 win 256
12:06:29.596184 IP main.freesafeip.com.https > 10.66.66.40.49739: . ack 661 win 140
12:06:29.644475 IP main.freesafeip.com.https > 10.66.66.40.49739: . 3810:5270(1460) ack 661 win 140
12:06:29.644490 IP main.freesafeip.com.https > 10.66.66.40.49739: . 5270:6730(1460) ack 661 win 140
12:06:29.644784 IP 10.66.66.40.49739 > main.freesafeip.com.https: . ack 5270 win 256
12:06:29.644988 IP 10.66.66.40.49739 > main.freesafeip.com.https: . ack 6730 win 256
12:06:29.645637 IP main.freesafeip.com.https > 10.66.66.40.49739: . 6730:8190(1460) ack 661 win 140
12:06:29.645648 IP main.freesafeip.com.https > 10.66.66.40.49739: P 8190:8679(489) ack 661 win 140
12:06:29.646622 IP 10.66.66.40.49739 > main.freesafeip.com.https: . ack 8679 win 256
12:06:34.112157 arp who-has 10.66.66.6 tell 10.66.66.40
12:06:34.113175 arp who-has 10.66.66.40 tell 10.66.66.6
29 packets captured
34 packets received by filter
0 packets dropped by kernel
The nslookup output is as follows;
[root@labris ~]# nslookup
main.freesafeip.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: main.freesafeip.com
Address: 96.127.146.146
Of course, the address shown in the nslookup output is the preferred IP address returned by the current DNS server, but even though I both put this IP address into the deny group in the firewall module and added the DNS name to the blocked group in the webfilter, I got no result. There are of course many different variations of the output above. But I think something is going on at the L7 level in the background.
In conclusion, what method should I follow to be able to block the software called SafeIP?
I would appreciate your help.
asked
06 Dec '13, 05:30
sednateknoloji
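The capture above shows the client completing a TCP handshake to main.freesafeip.com on port 443 and then sending a 169-byte first segment, which is the size of a typical TLS ClientHello. A rule keyed to the single address nslookup returned misses the session as soon as the name resolves to another address or the client resolves it through a different server, and a webfilter that only sees plain HTTP never gets a hostname from an HTTPS connection. One L7 check that does work on encrypted traffic is to read the Server Name Indication (SNI) that the ClientHello carries in the clear and match it against a domain blocklist. The following is an added example, not code from the post or from SafeIP or any firewall product: it builds a constructed ClientHello carrying an SNI, parses the SNI back out of the raw bytes, and applies a suffix-based blocklist. The hostname and blocklist entry are taken from the capture; the cipher suites and random bytes are placeholders chosen for the example.

```python
import struct


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension.

    Constructed sample traffic for this example; not captured from SafeIP.
    """
    name = hostname.encode("ascii")
    # server_name_list: one entry of type 0 (host_name)
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                # random (placeholder bytes)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two placeholder cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the host_name from a TLS ClientHello's SNI extension, or None.

    Walks the record header, handshake header, then the fixed ClientHello
    fields to reach the extensions block. Any truncation yields None.
    """
    try:
        if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
            return None                                # not a TLS handshake record
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                                # not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        i = 2 + 32                                     # skip version + random
        sid_len = body[i]; i += 1 + sid_len            # session_id
        cs_len = struct.unpack("!H", body[i:i + 2])[0]; i += 2 + cs_len   # cipher_suites
        cm_len = body[i]; i += 1 + cm_len              # compression_methods
        if i + 2 > len(body):
            return None                                # no extensions present
        ext_len = struct.unpack("!H", body[i:i + 2])[0]; i += 2
        end = i + ext_len
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", body[i:i + 4]); i += 4
            edata = body[i:i + elen]; i += elen
            if etype == 0x0000:                        # server_name extension
                j = 2                                  # skip server_name_list length
                while j + 3 <= len(edata):
                    ntype = edata[j]
                    nlen = struct.unpack("!H", edata[j + 1:j + 3])[0]
                    j += 3
                    if ntype == 0:
                        return edata[j:j + nlen].decode("ascii")
                    j += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def should_block(sni, blocklist) -> bool:
    """True if the SNI equals or is a subdomain of any blocklisted domain."""
    if sni is None:
        return False
    host = sni.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


if __name__ == "__main__":
    blocklist = {"freesafeip.com"}                    # domain seen in the capture
    for hello in (build_client_hello("main.freesafeip.com"), build_client_hello("example.com")):
        sni = extract_sni(hello)
        print(sni, "->", "BLOCK" if should_block(sni, blocklist) else "allow")
```

Matching on the parent domain rather than the exact host covers the other SafeIP hostnames the original post says appear in other variations of the capture, without needing to enumerate their addresses. A ClientHello without SNI, or one carrying an encrypted SNI, produces None here and falls through to whatever the firewall's default policy is; a deployment that relies on SNI blocking should pair it with that default rather than assume every session announces a name.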