From: Mike Silbersack <silby@silby.com>
To: Steve Shah
Cc: Olaf Hoyer, freebsd-net@FreeBSD.ORG
Date: Wed, 24 May 2000 13:07:20 -0500 (CDT)
Subject: Re: BPF vs. promiscuous mode
In-Reply-To: <20000524092918.B14746@clickarray.com>

On Wed, 24 May 2000, Steve Shah wrote:

> The messaging stuff is easy to proxy for, and I don't mind doing that.
> Napster I'd block off from the standpoint of bandwidth consumption. And
> now that there is legal precedence on schools getting sued for
> crap like that, I'd rather save myself the hassle. There are better battles
> to fight.
>
> The definite win for NATting would be against the web server folks
> who are serving up commercial stuff and MP3's. Although Napster is
> an ugly problem in that regard. (Today's User Friendly explains why
> in ugly, ugly detail...)
>
> Most importantly, it's a case of protecting students from attacks.
> There are (sadly) people out there who still find it amusing to BOINK
> large numbers of Winders machines that aren't patched up. And I
> wouldn't trust most students to keep their boxes patched up.

It may just be simpler to block outgoing connections to napster/etc, and
block incoming connections to port 21/80/137/138/139; then you don't have
to worry about the hassles of proxification. I guess what you choose
depends on your local policies / etc. I think 137/138/139 would be a
no-brainer in any case, though.

I've seen a few people become bandwidth hogs due to scour.net without even
knowing it. (Also, blocking those ports would stop a good percentage of
the Windows attacks dead.)

> In the end, there is always a way to get back in. (Tunnels, etc.)
> but just looking at the small handful of people who know how to do
> that means that I still would not have to be overly concerned with
> bandwidth. Of course if I *really* wanted to be a punk, I'd put a
> rate limiter on outgoing traffic.
>
> -Steve

Rate limiting might actually be the most fair solution for the future, as
it's likely napster-like programs are going to evolve to the point where
explicitly blocking them is impossible. I think something like 16K/sec is
more than acceptable.

Mike "Silby" Silbersack
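The policy Mike sketches above (drop new inbound connections to 21/80/137-139, drop outbound Napster connections, and cap each host's outbound rate at roughly 16 KB/s) maps directly onto a FreeBSD ipfw(8) ruleset with a dummynet pipe. The script below is an added example, not code from the thread or from the FreeBSD project. The interface name, the student address block and the Napster port list are assumptions (Napster's ports are not stated anywhere in the thread; fill them in from your own captures). Note that the inbound deny rules use `setup`, so only new connections are refused and return traffic for connections the students initiate still passes.

```shell
#!/bin/sh
# Added example: FreeBSD ipfw(8) ruleset implementing the campus policy
# discussed on freebsd-net. Not from the original message.
#
# Usage:  sh campus-fw.sh          # print the rules (dry run, default)
#         sh campus-fw.sh apply    # feed them to ipfw(8) as root
set -eu

EXT_IF="${EXT_IF:-fxp0}"                      # assumed: upstream interface
STUDENT_NET="${STUDENT_NET:-10.1.0.0/16}"     # assumed: dorm address block
NAPSTER_PORTS="${NAPSTER_PORTS:-8888,6699}"   # assumed: replace with ports you observe
RATE="${RATE:-128Kbit/s}"                     # 16 KB/s per host, as in the thread

# Emit one ipfw(8) command per line, without the leading "ipfw".
# Rule numbers leave gaps so local additions can be slotted in.
gen_rules() {
    cat <<EOF
-q flush
-q pipe flush
add 100 allow ip from any to any via lo0
add 300 deny tcp from any to $STUDENT_NET dst-port 21,80,137-139 setup in via $EXT_IF
add 310 deny udp from any to $STUDENT_NET dst-port 137-139 in via $EXT_IF
add 400 deny tcp from $STUDENT_NET to any dst-port $NAPSTER_PORTS setup out via $EXT_IF
pipe 1 config bw $RATE mask src-ip 0xffffffff
add 600 pipe 1 ip from $STUDENT_NET to any out via $EXT_IF
add 700 allow ip from any to any
EOF
}
# Rule 300 matches only TCP SYN-without-ACK ("setup"), so established
# sessions that students opened outbound are unaffected.  Rule 310 covers
# NetBIOS name/datagram service, which runs over UDP.  The pipe's
# "mask src-ip 0xffffffff" gives every source address its own 128 Kbit/s
# queue instead of one shared cap; with the default net.inet.ip.fw.one_pass=1
# a packet leaving the pipe is accepted without re-entering the ruleset.

# Helpers used for sanity checks before applying.
deny_rule_count() { gen_rules | grep -c '^add [0-9]* deny'; }
pipe_bandwidth()  { gen_rules | sed -n 's/^pipe 1 config bw \([^ ]*\).*/\1/p'; }

apply_rules() {
    gen_rules | while IFS= read -r line; do
        # shellcheck disable=SC2086  # word splitting of $line is intended
        ipfw $line
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it without arguments first and read the generated rules; once the interface and network match your site, run it with `apply`. Anything not explicitly denied still passes (rule 700), which matches the "just block the obvious ports" stance in the message rather than a default-deny posture.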