Date: Wed, 24 May 2000 13:07:20 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Steve Shah <sshah@clickarray.com>
Cc: Olaf Hoyer <ohoyer@fbwi.fh-wilhelmshaven.de>, freebsd-net@FreeBSD.ORG
Subject: Re: BPF vs. promiscuous mode
Message-ID: <Pine.BSF.4.21.0005241302190.21535-100000@achilles.silby.com>
In-Reply-To: <20000524092918.B14746@clickarray.com>
On Wed, 24 May 2000, Steve Shah wrote:

> The messaging stuff is easy to proxy for, and I don't mind doing that.
> Napster I'd block off from the standpoint of bandwidth consumption. And
> now that there is <sigh> legal precedence on schools getting sued for
> crap like that, I'd rather save myself the hassle. There are better battles
> to fight.
>
> The definite win for NATting would be against the web server folks
> who are serving up commercial stuff and MP3s. Although Napster is
> an ugly problem in that regard. (Today's User Friendly explains why
> in ugly, ugly detail...)
>
> Most importantly, it's a case of protecting students from attacks.
> There are (sadly) people out there who still find it amusing to BOINK
> large numbers of Winders machines that aren't patched up. And I
> wouldn't trust most students to keep their boxes patched up.

It may just be simpler to block outgoing connections to napster/etc, and
block incoming connections to port 21/80/137/138/139; then you don't have
to worry about the hassles of proxification. I guess what you choose
depends on your local policies / etc. I think 137/138/139 would be a
no-brainer in any case, though. I've seen a few people become bandwidth
hogs due to scour.net without even knowing it. (Also, blocking those
ports would stop a good percentage of the windows attacks dead.)

> In the end, there is always a way to get back in. (Tunnels, etc.)
> but just looking at the small handful of people who know how to do
> that means that I still would not have to be overly concerned with
> bandwidth. Of course if I *really* wanted to be a punk, I'd put a
> rate limiter on outgoing traffic.
>
> -Steve

Rate limiting might actually be the most fair solution for the future, as
it's likely napster-like programs are going to evolve to the point where
explicitly blocking them is impossible. I think something like 16K/sec is
more than acceptable.
Mike "Silby" Silbersack
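The policy Mike sketches in this message (drop incoming connection attempts to 21/80/137/138/139, drop outgoing Napster connections, cap each student's outbound traffic at 16K/sec) written out as an ipfw/dummynet ruleset. This is an added example, not code from the thread or from any poster; it assumes fxp0 is the Internet-facing interface, 10.0.0.0/8 is the student block, and the Napster server addresses are a placeholder to be filled in locally.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed values: external
# interface fxp0, campus network 10.0.0.0/8; the Napster server list is a
# placeholder. Dry-run by default (each rule is echoed); set
# FWCMD=/sbin/ipfw to actually load the rules on a FreeBSD router.
fwcmd=${FWCMD:-echo}
oif=fxp0                              # Internet-facing interface (assumed)
campus=10.0.0.0/8                     # student address block (assumed)
napster="NAPSTER_SERVER_PLACEHOLDER"  # fill in from your own observations

load_rules() {
    $fwcmd -f flush
    $fwcmd pipe flush

    # Incoming connection attempts to student FTP/web servers and NetBIOS.
    # "setup" matches only TCP SYNs, so students' own outbound sessions
    # (replies coming back from a remote port 80, say) are not affected.
    $fwcmd add 100 deny tcp from any to $campus 21,80,137,138,139 setup in via $oif
    $fwcmd add 110 deny udp from any to $campus 137,138,139 in via $oif

    # Outgoing Napster client connections (server addresses assumed above).
    $fwcmd add 200 deny tcp from $campus to $napster setup out via $oif

    # Rate limit: 16 KB/s (128 Kbit/s) outbound. The src-ip mask makes
    # dummynet keep one queue per student address rather than one shared
    # pipe, so a single bandwidth hog only throttles himself.
    $fwcmd pipe 1 config bw 128Kbit/s mask src-ip 0xffffffff
    $fwcmd add 300 pipe 1 ip from $campus to any out via $oif

    # Everything else passes.
    $fwcmd add 65000 allow ip from any to any
}

load_rules
```

Run it once without FWCMD to review the generated rules, then with FWCMD=/sbin/ipfw on the router.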