Re: blocking kazaa

On Tue, Nov 19, 2002 at 11:32:45PM +0100, Arne P. Boettger wrote:

> I suggest you read "Building Internet Firewalls" - it comes with
> some quite good answers to your questions. 
> Port 80: http, easy thing. Allow web access only through an
> application level proxy server like squid.
> Port 53: dns, same game. Why do local machines need to query
> external name servers? Provide an internal name server that forwards
> all requests
> Port 22: ssh, not that easy, but doable. Provide a bastion host
> where anyone with the need to ssh to external machines gets an
> account. Allow connections to the ssh port only to one special
> group (no problem with netfilter) and make the ssh binary
> set-group-id to that group.

I'm aware of most of these options... I've considered getting the
referenced title a few times now.  The question was more of an exercise.
And each of the solutions involves the addition of a little more
inconvenience to the end users.  Which brings us back to the balancing
of convenience and control.

Jamin W. Collins
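The egress policy Arne sketches in the quoted message (web only through a proxy, DNS only from one forwarding resolver, ssh only from a bastion where the client binary is set-gid to a permitted group) written out as a netfilter rule set. This is an added example, not code from either poster; the interface name, addresses, group name and binary path are constructed, and the script echoes the commands by default so the policy can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread): netfilter egress policy for the
# "everything leaves through a choke point" design described above.
# All addresses, the interface and the group name below are constructed.
LAN_IF=${LAN_IF-eth0}                 # interface facing the internal network
LAN_NET=${LAN_NET-192.168.1.0/24}     # internal network
RESOLVER=${RESOLVER-192.168.1.2}      # the one internal name server allowed to talk to port 53
PROXY=${PROXY-192.168.1.3}            # the squid host allowed to talk to port 80
BASTION=${BASTION-192.168.1.4}        # the ssh bastion allowed to talk to port 22
SSH_GROUP=${SSH_GROUP-sshout}         # group permitted to open ssh connections on the bastion
SSH_BIN=${SSH_BIN-/usr/bin/ssh}
# Dry run by default: every command is echoed instead of executed.
# Run as root with RUN_CMD set to the empty string to actually apply it.
RUN_CMD=${RUN_CMD-echo}

# Gateway FORWARD chain: only the three choke-point hosts may leave the
# network, each on exactly the port it is responsible for. Anything else
# from the LAN is logged (rate limited, so a new p2p client shows up in
# the log without flooding it) and then dropped by the chain policy.
gateway_rules() {
  $RUN_CMD iptables -F FORWARD
  $RUN_CMD iptables -P FORWARD DROP
  $RUN_CMD iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $RUN_CMD iptables -A FORWARD -i "$LAN_IF" -s "$RESOLVER" -p udp --dport 53 -j ACCEPT
  $RUN_CMD iptables -A FORWARD -i "$LAN_IF" -s "$RESOLVER" -p tcp --dport 53 -j ACCEPT
  $RUN_CMD iptables -A FORWARD -i "$LAN_IF" -s "$PROXY" -p tcp --dport 80 -j ACCEPT
  $RUN_CMD iptables -A FORWARD -i "$LAN_IF" -s "$BASTION" -p tcp --dport 22 -j ACCEPT
  $RUN_CMD iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -m limit --limit 5/min \
      -j LOG --log-prefix "egress-denied: "
}

# Bastion OUTPUT chain: the owner match only sees packets the bastion
# itself generates, so this part has to live on the bastion, not on the
# gateway. With the ssh binary set-gid to $SSH_GROUP, every ssh process
# carries that group and passes the match; any other program on the
# bastion that tries to reach port 22 gets a TCP reset.
bastion_rules() {
  $RUN_CMD iptables -A OUTPUT -p tcp --dport 22 -m owner --gid-owner "$SSH_GROUP" -j ACCEPT
  $RUN_CMD iptables -A OUTPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
  # set-group-id ssh binary, as in the quoted message: group $SSH_GROUP, mode 2755
  $RUN_CMD chgrp "$SSH_GROUP" "$SSH_BIN"
  $RUN_CMD chmod 2755 "$SSH_BIN"
}

gateway_rules
bastion_rules
```

Review the echoed output first (`sh egress.sh`), then apply with `RUN_CMD= sh egress.sh` on the gateway and on the bastion respectively; the LOG line is the detection hook, since every client that tries to bypass the proxy or resolver appears in the kernel log with the `egress-denied:` prefix.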

