Thanks again for the words of wisdom. Honestly, while p2p is an issue, fortunately our network is small enough that our users know I would beat them with a wet noodle if I found out they were using p2p. That said, I will still proceed with locking it down further.

- Don

On Thu, 31 Mar 2005 15:14:10 -0500, William Arlofski <waa dash m0n0wall at revpol dot com> wrote:
> Claude Morin wrote:
> > Be aware that many modern apps (e.g. P2P, IM, etc.) try fairly hard to find
> > some way out; many (most?) of them are able to tunnel across HTTP/HTTPS.
> >
> > In short, while the rules William lists are good, solid rules, they won't
> > stop P2P or IM.
> >
> > -klode
>
> You are absolutely correct. This is the reason I often recommend a proxy
> server. The combination of squid (http://squid-cache.org) and Dan's
> Guardian (http://www.dansguardian.org) and a strict set of rules to only
> allow port 80/443 traffic from the proxy server allows for
> filtering, blocking etc. via Dan's Guardian. :)
>
> It seems these days all these apps are set to fall back to just about
> any port (TCP or UDP) when their primary port is blocked. Even seen some
> use port 53/UDP.
>
> BTW (for the original poster) Blocking everything also stops
> viruses/worms/trojans from opening back-doors to IRC channels etc...
>
> I say block it all, and be careful what you allow out. Sad to say, but
> you need to treat your internal (trusted??) machines as the enemy as
> much or more so than the external Internet at large. :)
>
> -
> Bill Arlofski
> waa dash m0n0wall at revpol dot com
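The "block it all, allow only 80/443 from the proxy" policy Bill describes, modelled as a small first-match egress rule evaluator so the fallback-to-53/UDP case can be checked against it. This is an added example, not code from the thread or from m0n0wall; the LAN subnet, the squid host address and the squid port 3128 are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, FrozenSet

# Constructed addressing: one LAN, one squid host. Port 3128 is squid's
# default listener and is an assumption the thread does not state.
LAN = ip_network("192.168.1.0/24")
PROXY = ip_address("192.168.1.10")
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: object                       # ip_network or single ip_address
    dst: object
    proto: Optional[str]              # None = any protocol
    dports: Optional[FrozenSet[int]]  # None = any destination port
    note: str

def _in(scope, addr) -> bool:
    """True if addr is the given host or lies inside the given network."""
    return addr in scope if isinstance(scope, type(LAN)) else addr == scope

# First match wins; the final default deny is what stops P2P/IM clients that
# fall back to arbitrary ports (53/udp included) once their usual port is shut.
EGRESS_RULES = [
    Rule("allow", LAN, PROXY, "tcp", frozenset({3128}), "LAN -> squid"),
    Rule("allow", PROXY, ANY, "tcp", frozenset({80, 443}), "squid -> web"),
    Rule("deny", LAN, ANY, None, None, "default deny"),
]

def evaluate(flow: Flow):
    """Return (action, note) from the first rule the flow matches."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for r in EGRESS_RULES:
        if not (_in(r.src, src) and _in(r.dst, dst)):
            continue
        if r.proto is not None and r.proto != flow.proto:
            continue
        if r.dports is not None and flow.dport not in r.dports:
            continue
        return r.action, r.note
    return "deny", "implicit"   # unmatched traffic stays blocked
```

A real deployment also needs name resolution for the proxy (or a local resolver), which the thread does not cover; add that as a narrow rule rather than widening the default.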