[KLUG Members] Iptables

Tony Gettig tony at gettig.net
Mon Aug 22 14:02:49 EDT 2005


On Mon, 2005-08-22 at 17:30 +0000, Robert G. Brown wrote:
> On Mon, 22 Aug 2005 12:58:36 -0400, Bruce Smith wrote:
> 
> >I've never tried blocking the instant messenger services.
> >Why don't you just try it and see if it works?
> 
> Trying to block some of these can get tricky, since they can
> be configured to use http and https for their operation. I'm
> sure some network administrators can get away with blocking
> these, but I haven't met one recently.
> 
> Some IMs may also run on more or less arbitrary ports...
> 

What we do is block ALL outbound traffic by default and make exceptions
where necessary. All web surfing must go through the proxy. The web
filtering solution is also configured to deny traffic to the IM
services. Non-web traffic that needs to go out is explicitly allowed per
application, and when possible, per network segment. Overkill? Maybe.
But the network is a hostile environment of bright young minds when you
work in K-12. :) Also, I don't manage the firewall so it's not my
administrative burden. Even if it were, I'd probably still take this
approach.

YMMV, yada yada...
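
A default-deny egress policy of the kind described in this message, sketched as iptables rules. This is an added example, not part of the original post and not the poster's actual firewall configuration. The interface names, proxy address, segments and ports are constructed for illustration, and it assumes clients reach the proxy without crossing this firewall.

```shell
#!/bin/sh
# Prints (does not apply) a default-deny egress ruleset for review.
# All values below are constructed assumptions, not from the original post.
LAN_IF="eth1"            # inside interface (assumed)
WAN_IF="eth0"            # outside interface (assumed)
PROXY_IP="10.10.0.5"     # web proxy, the only host allowed to reach 80/443

# Per-application, per-segment exceptions: "source-segment protocol dest-port"
EXCEPTIONS="10.10.20.0/24 tcp 22
10.10.30.0/24 udp 123"

emit_egress_rules() {
  # Policy first: anything not explicitly allowed below is dropped.
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $PROXY_IP -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $PROXY_IP -p udp --dport 53 -j ACCEPT
EOF
  # One narrow rule per exception, scoped to a segment and a single port.
  echo "$EXCEPTIONS" | while read -r seg proto port; do
    [ -n "$seg" ] || continue
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $seg -p $proto --dport $port -j ACCEPT"
  done
  # Log what is refused (rate-limited), then reject so clients fail fast.
  # IM clients that fall back to arbitrary ports or direct 80/443 end up here.
  cat <<EOF
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY: "
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j REJECT --reject-with icmp-admin-prohibited
EOF
}

emit_egress_rules
```

Because only the proxy may open connections to ports 80 and 443, IM clients that tunnel over HTTP or HTTPS have to pass through the proxy's filter, and the `EGRESS-DENY` log lines show which hosts are attempting direct connections.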



