[KLUG Members] Iptables

Robert G. Brown bob at whizdomsoft.com
Mon Aug 22 14:21:11 EDT 2005


On Mon, 22 Aug 2005 14:02:49 -0400, Tony Gettig wrote:

>
>What we do is block ALL outbound traffic by default and make exceptions
>where necessary.
Seems fascistic enough to have a chance of actually working.

>All web surfing must go through the proxy. The web
>filtering solution is also configured to deny traffic to the IM
>services.
IM clients can be configured to use port 80, etc. How are you blocking
these?

>Non-web traffic that needs to go out is explicitly allowed per
>application, ...
Right, but in this case, there isn't any "non-web" traffic.

>and when possible, per network segment. 
I think I understand this.

>Overkill? Maybe.
Nah, as I wrote above...

>YMMV, yada yada...
Sure, you've disclaimed yourself adequately :)

What you and Bruce said earlier in this thread is essentially
that even though these IM clients use http, they (probably) don't
have the ability to handle the client side of the authentication
dialog. So put 'em into an environment where they have to auth
themselves to get out, and they're stuck.

At least some IMs support that, too. You're not stoppin' 'em,
but you're raising the bar a lot...

						Regards,
						---> RGB <---
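
The default-deny egress policy discussed above, as an added example that is not part of the original message: a script that prints iptables commands for a gateway's FORWARD chain where only the proxy may open web connections, plus a check that no per-application exception reopens ports 80/443 to clients. The proxy address, the segments and the exception list are constructed assumptions.

```shell
#!/bin/sh
# Added example; every address and exception below is a constructed assumption.
PROXY_IP="192.168.1.10"      # the authenticating web proxy
# Per-application exceptions, one per line: source-segment protocol port
EXCEPTIONS="192.168.1.10/32 udp 53
192.168.20.0/24 tcp 25
192.168.30.0/24 udp 123"

# Print the iptables commands for the gateway's FORWARD chain (nothing is applied).
egress_rules() {
    echo "iptables -P FORWARD DROP"     # block all outbound by default
    echo "iptables -F FORWARD"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Web traffic leaves only from the proxy, so clients must authenticate to it.
    for port in 80 443; do
        echo "iptables -A FORWARD -s $PROXY_IP -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Explicit per-application, per-segment exceptions.
    printf '%s\n' "$EXCEPTIONS" | while read -r seg proto port; do
        [ -n "$seg" ] || continue
        echo "iptables -A FORWARD -s $seg -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the default policy is about to drop (rate limited), e.g. IM
    # clients trying to connect directly on port 80.
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"egress-denied: \""
}

# Succeeds (exit 0) if any source other than the proxy is allowed out on 80/443,
# which would let an IM client on port 80 bypass the proxy.
direct_web_allowed() {
    egress_rules | grep -E -- '--dport (80|443) ' \
        | grep -Fv -- "-s $PROXY_IP " | grep -q .
}

egress_rules
if direct_web_allowed; then
    echo "WARNING: an exception lets clients bypass the proxy" >&2
fi
```

Review the printed commands before piping them to a root shell on the gateway.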

