As of WinGate release 2.1b, the program's default behavior is to not
accept proxy connections on the "real" IP address of the machine.
Since the damage has already been done with the mass use of the
earlier versions, I threw together a simple stopgap fix for Cisco routers.
Adding the following lines to your access lists gives a simple and
effective fix for the majority of the problem:
router#config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#access-list <n> deny tcp any <user space address> <user space hostmask> eq 1080
router(config)#access-list <n> permit ip any any
router(config)#int <ethernet interface>
router(config-if)#ip access-group <n> in
<n>=a number between 100-199 (an extended access list)
<user space address>/<user space hostmask>=The addresses of your dialup
users. Please note that access list hostmasks are backwards from normal
convention, so a 255.255.255.0 subnetmask would be 0.0.0.255.
<ethernet interface>=the interface of the network segment your dialup users
are on. The last two commands can be repeated for multiple interfaces.
What this does:
This blocks the standard SOCKS Proxy port for all machines inside the
specified network mask. Since there are VERY few instances where an ISP
would find it desirable for a user to run a proxy on their dialup
connection, this shouldn't disrupt any of your services.
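To make the wildcard-mask rule and the first-match semantics of the access list concrete, here is an added example (not part of the original post) that converts a subnet mask to the Cisco wildcard form and evaluates the two entries above against inbound packets. The user-space network 192.0.2.0/24 and the test addresses are constructed documentation values.

```python
import ipaddress


def wildcard_mask(subnet_mask: str) -> str:
    """Cisco access-list wildcard (inverse) mask: 255.255.255.0 -> 0.0.0.255."""
    inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(inverted))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """An address matches when every bit that is 0 in the wildcard equals the base.
    Bits that are 1 in the wildcard are 'don't care' bits."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def build_acl(user_space: str, subnet_mask: str):
    """The two entries from the post, as (action, proto, dst_base, dst_wildcard, dst_port).
    Both entries use 'any' as the source, so source addresses are not checked."""
    return [
        ("deny", "tcp", user_space, wildcard_mask(subnet_mask), 1080),
        ("permit", "ip", "0.0.0.0", "255.255.255.255", None),  # permit ip any any
    ]


def acl_action(acl, proto: str, dst_ip: str, dst_port: int) -> str:
    """First matching entry wins; if nothing matches, Cisco applies an implicit deny."""
    for action, entry_proto, base, wildcard, port in acl:
        if entry_proto != "ip" and entry_proto != proto:
            continue  # 'ip' entries match every protocol
        if not matches(dst_ip, base, wildcard):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    # Constructed example: dialup users live in 192.0.2.0/24
    acl = build_acl("192.0.2.0", "255.255.255.0")
    for proto, dst, port in [("tcp", "192.0.2.77", 1080), ("tcp", "192.0.2.77", 80),
                             ("tcp", "198.51.100.5", 1080)]:
        print(proto, dst, port, "->", acl_action(acl, proto, dst, port))
```

Only TCP to port 1080 on a dialup address is dropped; every other inbound packet still reaches the second entry and is permitted, which is why the fix does not disturb ordinary user traffic.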
Also, please note that there is an article posted at
http://www.wingate.net/secure-wingate.htm on how to secure open WinGates.
Hope this helps,
Mike Zimmerman
mike@web2000.net