Subject: Re: Looking for Port Numbers for IPF
To: Andrew Brown <atatat@atatdot.net>
From: Brian Hechinger <wonko@arkham.ws>
List: netbsd-users
Date: 07/12/2001 12:13:08
On Thu, Jul 12, 2001 at 12:11:15PM -0400, Andrew Brown wrote:
> 
> it sounds to me like there are random services you don't want to pass
> through your packet filter.  perhaps it might be easier to allow only
> those services you know you need?  that way you can be sure to block
> the random outbound connections to gnutella and gnapster like networks,
> random instant messaging services, etc.  the usual sorts of things
> that people like to block.  anything that's being legitimately used
> will probably have a specific port associated with it.

also keep in mind that a lot of "services" have learned to work on port 80 to
get through firewalls like this, so an HTTP proxy is not a bad idea either.
something that's smart enough to say "Hey! that's not HTML" is really all you
need, although while you're at it, a cache is never a bad idea.

-brian
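As an added illustration of the approach discussed in this thread (an example constructed for this page, not a ruleset posted by either of the authors), here is an IPF ruleset that blocks everything by default and passes only the outbound services that are known to be needed. The interface names ex0/ex1 and the proxy address 192.168.1.2 are placeholders.

```conf
# /etc/ipf.conf -- constructed example, not from the thread.
# ex0 = external interface, ex1 = internal LAN (placeholder names).

# Default policy: block and log everything in both directions.
# IPF uses last-match semantics, so these must come first and the
# "pass ... quick" rules below short-circuit them.
block in log all
block out log all

# Loopback traffic is always allowed.
pass in quick on lo0 all
pass out quick on lo0 all

# Only the HTTP proxy host (placeholder 192.168.1.2) may talk to port 80
# directly; LAN clients must go through it, so anything that tunnels
# over port 80 has to survive the proxy's "is this really HTTP?" check.
pass out quick on ex0 proto tcp from 192.168.1.2 to any port = 80 flags S keep state

# Outbound services we know we need. "keep state" lets the replies back
# in without separate inbound rules; "flags S" matches only the initial SYN.
pass out quick on ex0 proto tcp from any to any port = 443 flags S keep state
pass out quick on ex0 proto tcp from any to any port = 22 flags S keep state
pass out quick on ex0 proto tcp from any to any port = 25 flags S keep state
pass out quick on ex0 proto udp from any to any port = 53 keep state
pass out quick on ex0 proto tcp from any to any port = 53 flags S keep state

# Everything else outbound (file-sharing clients, instant messaging, and
# direct port-80 connections from ordinary hosts) falls through to the
# default "block out log all" rule and shows up in the ipmon log.
```

Load it with `ipf -Fa -f /etc/ipf.conf` and watch `ipmon` for a while before trusting it: the blocked-and-logged entries are exactly the list of services you either forgot or deliberately do not want, which answers the original question of which port numbers matter without having to enumerate every protocol in advance.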