Subject: Re: Looking for Port Numbers for IPF
To: Andrew Brown <email@example.com>
From: Brian Hechinger <firstname.lastname@example.org>
Date: 07/12/2001 12:13:08
On Thu, Jul 12, 2001 at 12:11:15PM -0400, Andrew Brown wrote:
> it sounds to me like there are random services you don't want to pass
> through your packet filter. perhaps it might be easier to allow only
> those services you know you need? that way you can be sure to block
> the random outbound connections to gnutella and gnapter like networks,
> random instant messaging services, etc. the usual sorts of things
> that people like to block. anything that's being legitimately used
> will probably have a specific for associated with it.
also keep in mind that a lot of "services" have learned to work on port 80 to
get through firewalls like this, so an HTTP proxy is not a bad idea either.
something that's smart enough to say "Hey! that's not HTML" is really all you
need, although while you're at it, a cache is never a bad idea.