 From:  "Chris Bagnall" <m0n0wall at minotaur dot cc>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Blocking outbound traffic - concessus
 Date:  Thu, 31 Mar 2005 22:14:56 +0100
> What types of traffic are you blocking from a business
> perspective? I am just curious about what traffic I might
> want to block in the LAN outbound direction, i.e. P2P, IM, port 445.

As a general rule, nothing is blocked from the inside unless the client
specifically requests it, and even then it has to pass my "is it ethical to
block this?" rule. The one exception I can think of to that rule is outbound
connections to port 25 (SMTP) to unknown mailservers, since these are nearly
always made by compromised machines.

> You are absolutely correct. This is the reason I often
> recommend a proxy server. The combination of squid
> (http://squid-cache.org) and Dan's Guardian
> (http://www.dansguardian.org) and a strict set of rules to
> only allow port 80/443 traffic from the proxy server allows
> for filtering, blocking etc. via Dan's Guardian. :)

I would strongly discourage going down that route. You'll only generate
resentment amongst the workforce who feel they aren't being trusted as they
should be by their employer.

I have in the past refused to work for employers who feel it's their right
to either monitor my web browsing, or restrict my access to important (to
me!) services such as instant messaging.

When I explain my position on censorship, most of my clients are very
understanding, and once we've had a discussion about it, they've understood
why I won't do it. I've only ever had to bluntly refuse a client once - that
was when they wanted unrestricted access to an employee's email account.

Treat your employees like people, not like potential criminals. If you need
to discourage P2P, fair enough, log the common ports, and if someone's using
it, it's damned easy to spot. A quiet word in that person's ear is a lot
nicer than draconian blocking / filtering some companies implement. Any
other bandwidth control can be accomplished using QoS.

Sorry for the rant, but it is a topic on which I feel quite strongly.


C.M. Bagnall, Director, Minotaur I.T. Limited
Tel: (07010) 710715   Mobile: (07811) 332969   Skype: minotaur-uk
ICQ: 13350579   AIM: MinotaurUK   MSN: msn at minotaur dot cc   Y!: Minotaur_Chris
This email is made from 100% recycled electrons
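The two concrete practices in the message above, flagging outbound SMTP (TCP/25) to mail servers you do not recognise and simply logging the common P2P ports and looking for who is using them, can both be checked from the firewall's outbound logs. The script below is an added example and is not code from the original post or from m0n0wall; the log line format, the LAN subnet 192.168.1.0/24, the allowlisted mail servers, the P2P port list and every address in the sample log are constructed for illustration (the public addresses are from the documentation ranges). To use it against a real firewall, only the regular expression and the three constants at the top would need adapting.

```python
"""Spot-check outbound firewall logs for two things: outbound SMTP to
mail servers that are not ours (a classic sign of a compromised host),
and LAN hosts touching common P2P ports. Example code, not m0n0wall's;
the log format and all addresses below are constructed."""

import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed log line shape: "<time> <pass|block> <tcp|udp> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>pass|block)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

LAN = ip_network("192.168.1.0/24")  # assumption: the internal subnet
# Assumption: our own relay plus the ISP smarthost are the only legitimate SMTP targets
KNOWN_MAILSERVERS = {ip_address("192.168.1.10"), ip_address("203.0.113.25")}
# Ports commonly used by P2P clients (assumption; tune to what you see on site)
P2P_PORTS = {6881, 6882, 6889, 4662, 4672, 6346, 6347}

# Constructed sample log: one host browsing normally, one host spraying
# SMTP at strangers, one host running a BitTorrent client.
SAMPLE_LOG = """\
10:01:02 pass tcp 192.168.1.50:51000 -> 198.51.100.7:80
10:01:05 pass tcp 192.168.1.50:51001 -> 203.0.113.25:25
10:01:09 pass tcp 192.168.1.77:51002 -> 198.51.100.44:25
10:01:10 pass tcp 192.168.1.77:51003 -> 198.51.100.45:25
10:02:00 pass tcp 192.168.1.23:51010 -> 198.51.100.90:6881
10:02:01 pass udp 192.168.1.23:6881 -> 198.51.100.91:6881
10:02:03 pass tcp 192.168.1.50:51020 -> 198.51.100.10:443
10:02:05 block tcp 192.168.1.77:51004 -> 198.51.100.46:25
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["src"] = ip_address(rec["src"])
        rec["dst"] = ip_address(rec["dst"])
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        yield rec


def outbound(rec):
    """True for LAN -> non-LAN traffic only."""
    return rec["src"] in LAN and rec["dst"] not in LAN


def smtp_to_unknown(text):
    """Map each LAN host to the non-allowlisted SMTP servers it contacted.
    Blocked attempts count too: a host trying to reach port 25 on random
    servers is evidence regardless of whether the firewall let it through."""
    hits = defaultdict(set)
    for r in parse_log(text):
        if (outbound(r) and r["proto"] == "tcp" and r["dport"] == 25
                and r["dst"] not in KNOWN_MAILSERVERS):
            hits[r["src"]].add(r["dst"])
    return {str(h): sorted(str(d) for d in ds) for h, ds in hits.items()}


def p2p_port_usage(text):
    """Count outbound connections per LAN host that involve a P2P port
    at either end (clients often bind the same port locally)."""
    counts = Counter()
    for r in parse_log(text):
        if outbound(r) and (r["dport"] in P2P_PORTS or r["sport"] in P2P_PORTS):
            counts[str(r["src"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, servers in smtp_to_unknown(SAMPLE_LOG).items():
        print(f"{host} sent SMTP to unknown servers: {', '.join(servers)}")
    for host, n in p2p_port_usage(SAMPLE_LOG).items():
        print(f"{host} made {n} connections on P2P ports")
```

Run against the sample log this reports 192.168.1.77 as the host talking SMTP to three unknown servers (the blocked attempt included) and 192.168.1.23 as the P2P user, while 192.168.1.50's mail to the allowlisted smarthost is not flagged. That is the "quiet word in that person's ear" workflow from the message: the firewall logs the ports, a small script points at the host, and nothing is blocked for everyone else.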