Re: blocking kazaa

To: debian-firewall@lists.debian.org
Subject: Re: blocking kazaa
From: "Jamin W. Collins" <jcollins@asgardsrealm.net>
Date: Tue, 19 Nov 2002 16:39:22 -0600
Message-id: <20021119223922.GJ26663@asgardsrealm.net>
Mail-followup-to: debian-firewall@lists.debian.org
In-reply-to: <20021119223245.GF13515@rix.fh-wedel.de>
References: <F77R8Yv8r4RoVEhH8Ea0001a4c8@hotmail.com> <20021119190534.GC26663@asgardsrealm.net> <20021119223245.GF13515@rix.fh-wedel.de>

On Tue, Nov 19, 2002 at 11:32:45PM +0100, Arne P. Boettger wrote:

> I suggest you read "Building Internet Firewalls" - it comes with
> some quite good answers to your questions. 
> 
> Port 80: http, easy thing. Allow web access only through an
> application level proxy server like squid.
> Port 53: dns, same game. Why do local machines need to query
> external name servers? Provide an internal name server that forwards
> all requests
> Port 22: ssh, not that easy, but doable. Provide a bastion host
> where anyone with the need to ssh to external machines gets an
> account. Allow connections to the ssh port only to one special
> group (no problem with netfilter) and make the ssh binary
> set-group-id to that group.

I'm aware of most of these options... I've considered getting the
referenced title a few times now.  The question was more of an exercise.
An each of the solutions involves the addition of a little more
inconvenience to the end users.  Which brings us back to the balancing
of convenience and control.

-- 
Jamin W. Collins

Reply to:

Follow-Ups:
- Re: blocking kazaa
  - From: "Arne P. Boettger" <apb@wohnheim.fh-wedel.de>

References:
- Re: blocking kazaa
  - From: "ezra daniel" <ezra_daniel@hotmail.com>
- Re: blocking kazaa
  - From: "Jamin W. Collins" <jcollins@asgardsrealm.net>
- Re: blocking kazaa
  - From: "Arne P. Boettger" <apb@wohnheim.fh-wedel.de>

Prev by Date: Re: blocking kazaa
Next by Date: Re: blocking kazaa
Previous by thread: Re: blocking kazaa
Next by thread: Re: blocking kazaa
Index(es):
- Date
- Thread