Outpost User Operated Support Forum
Agnitum Outpost Pro Release (OP, OSS, AV): 7.0.2.3377 [23-JUL-2010]
www.agnitum.com
#1
Rules for Privoxy
I'm running a program called Privoxy Proxy. It is an HTML proxy that filters all ads in Java or HTML, with blocking enabled for my predefined setup for all browsers, regardless of the software vendor.

The question is: all browsers are using port 8118 for in and out retrieval of data. What is the best setup I should allow for this program?

[Privoxy]

DefaultState: 1
RuleName: Privoxy HTTP connection
Protocol: TCP
RemotePort: 8118
Direction: Outbound
ActivateSI
AllowIt

DefaultState: 1
RuleName: Privoxy HTTP connection
Protocol: TCP
RemotePort: 8118
Direction: Inbound
ActivateSI
AllowIt

DefaultState: 1
RuleName: Privoxy HTTP connection
Protocol: UDP
RemotePort: 8118
Direction: Outbound
AllowIt

DefaultState: 1
RuleName: Privoxy HTTPS connection
Protocol: TCP
RemotePort: 443
Direction: Outbound
AllowIt

DefaultState: 1
RuleName: Send mail by Privoxy
Protocol: TCP
RemotePort: 25
Direction: Outbound
AllowIt

DefaultState: 1
RuleName: Receive mail by Privoxy
Protocol: TCP
RemotePort: 110
Direction: Inbound
AllowIt

DefaultState: 1
RuleName: Outbound mail by Privoxy
Protocol: TCP
RemotePort: 110
Direction: Outbound
AllowIt

DefaultState: 1
RuleName: Read news by Privoxy
Protocol: TCP
RemotePort: 119
Direction: Outbound
AllowIt
#2
Welcome to the forums Redback,

If you are using Privoxy only for web access then the following rule is the only one it needs:

Privoxy Web Access: Protocol TCP, Outgoing, Remote Port HTTP,HTTPS, Allow

Your browser will be given access to Privoxy with Outpost's default global rule "Allow Loopback". Unfortunately, so will everything else - so I recommend for security reasons that you disable this global rule and create an extra application rule for your browser:

Browser Privoxy Access: Protocol TCP, Outgoing, Remote Address 127.0.0.1, Remote Port 8118, Allow

Your existing ruleset includes email/usenet access which shouldn't be necessary if Privoxy is used as a web proxy only - but if you want to use it for these cases also then add the email/news rules to Privoxy and add a "Privoxy Access" rule to your email/newsreader software.

Stateful Inspection is of no use here - it only applies to situations where an application creates multiple network connections (see the Stateful Inspection FAQ thread for details).

For more guidelines on producing a secure configuration, please see the Guide to Producing a Secure Configuration for Outpost FAQ thread.
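
Added example (not part of the original posts and not Outpost's own tooling): a small auditor that compares a ruleset written in the layout shown in #1 against the single web-only rule recommended in #2 for a standalone PC. The parsing convention (a new rule starts at each `DefaultState` line), the function names and the sample are assumptions made for this illustration.

```python
# Constructed sample: three rules in the layout of the ruleset posted in #1.
SAMPLE = "\n".join([
    "[Privoxy]",
    "DefaultState: 1", "RuleName: Privoxy HTTP connection", "Protocol: TCP",
    "RemotePort: 8118", "Direction: Inbound", "ActivateSI", "AllowIt",
    "DefaultState: 1", "RuleName: Privoxy HTTPS connection", "Protocol: TCP",
    "RemotePort: 443", "Direction: Outbound", "AllowIt",
    "DefaultState: 1", "RuleName: Send mail by Privoxy", "Protocol: TCP",
    "RemotePort: 25", "Direction: Outbound", "AllowIt",
])

WEB_PORTS = {"80", "443"}  # HTTP and HTTPS, the only remote ports #2 says Privoxy needs

def parse_rules(text):
    """Split a listing into rule dicts; assumes each rule starts at 'DefaultState'."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("["):
            continue  # skip blank lines and the [Application] header
        if line.startswith("DefaultState") or not rules:
            rules.append({"flags": set()})
        if ":" in line:
            key, value = line.split(":", 1)
            rules[-1][key.strip()] = value.strip()
        else:
            rules[-1]["flags"].add(line)  # bare keywords such as ActivateSI, AllowIt
    return rules

def audit(rule):
    """List the ways a rule goes beyond 'TCP, Outgoing, Remote Port HTTP,HTTPS'."""
    findings = []
    if rule.get("Protocol") != "TCP":
        findings.append("protocol is not TCP")
    if rule.get("Direction") != "Outbound":
        findings.append("not an outbound rule")
    ports = {p.strip() for p in rule.get("RemotePort", "").split(",")}
    if not ports <= WEB_PORTS:
        findings.append("remote port outside HTTP/HTTPS")
    if "ActivateSI" in rule["flags"]:
        findings.append("stateful inspection enabled")
    return findings

def audit_ruleset(text):
    """Return (rule name, findings) for every rule in the listing."""
    return [(r.get("RuleName"), audit(r)) for r in parse_rules(text)]

if __name__ == "__main__":
    for name, findings in audit_ruleset(SAMPLE):
        print(name, "->", findings or "matches the web-only rule")
```

A finding marks a rule for review rather than as wrong: mail rules, or an inbound rule on port 8118 for a networked proxy, can be intentional.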
#3
As for the proxy, this is run from the Server 2003 so that all Internet access is going through the proxy; there are 5 computers that access the Internet through the server.

As for email, people use the Hotmail account in Outlook Express, so this gets filtered too! For news, this will be removed from the settings, thanks.

The settings that are disabled are: DNS Cache Ad Content

The other question is that Privoxy doesn't have an IP address but does scan and filter port 8118 (this has been set as default to stop scanning all networks), so is an IP address necessary when the program doesn't need one, but only scans port 8118?

Last edited by Redback; 03-20-2004 at 07:09 PM.
#4
Well thanks for mentioning the network - this changes the situation considerably from running Privoxy on a standalone PC.
If people are using Hotmail via Outlook and you wish to route this via Privoxy then email rules will be needed as you point out - similarly for newsgroup access (although there should be little to filter there with newsgroups being either text or binary).

The IP address for any application will be the address of the PC it is running on (your Win2003 server in this case). To allow other PCs on your network to access Privoxy add the following rule to its application ruleset:

Allow Network PC Access: Protocol TCP, Incoming, Remote Address <add the IP addresses of your PCs here>, Local Port 8118, Allow

If the client PCs are running Outpost then add the following rule to any applications needing Privoxy access:

Remote Privoxy Access: Protocol TCP, Outgoing, Remote Address <your Win2003 server address>, Remote Port 8118, Allow
#5
Sorry for the roundabout way.
The firewall is only on the server!! Not needed on the client PCs!!
#6
I would strongly recommend that you do install a firewall on your clients. While Outpost on the server can provide protection from incoming attacks, it can do nothing to prevent spyware or trojans on your clients from sending data out (it will appear as "normal" network traffic). Only a firewall on each client can restrict access by application, providing you with that protection.
If you do not wish to get further Outpost licences to cover this, then consider using Outpost Free or another free firewall (Kerio Personal Firewall was recently rated the best free firewall software by PCPro Magazine).
#7
Okay! I take that into consideration, thank you for your help.