Re: blocking kazaa
On Tue, Nov 19, 2002 at 11:32:45PM +0100, Arne P. Boettger wrote:
> I suggest you read "Building Internet Firewalls" - it comes with
> some quite good answers to your questions.
>
> Port 80: http, easy thing. Allow web access only through an
> application level proxy server like squid.
> Port 53: dns, same game. Why do local machines need to query
> external name servers? Provide an internal name server that forwards
> all requests
> Port 22: ssh, not that easy, but doable. Provide a bastion host
> where anyone with the need to ssh to external machines gets an
> account. Allow connections to the ssh port only to one special
> group (no problem with netfilter) and make the ssh binary
> set-group-id to that group.
I'm aware of most of these options... I've considered getting the
referenced title a few times now. The question was more of an exercise.
An each of the solutions involves the addition of a little more
inconvenience to the end users. Which brings us back to the balancing
of convenience and control.
--
Jamin W. Collins
Reply to: