Subject: Re: Looking for Port Numbers for IPF
To: None <netbsd-users@netbsd.org>
From: Brian Hechinger <wonko@arkham.ws>
List: netbsd-users
Date: 07/13/2001 12:07:24
On Fri, Jul 13, 2001 at 02:53:35PM +0000, Jim Breton wrote:
> 
> Not only that, but many of them will even be able to tunnel straight
> through an HTTP proxy.

yeah, but a proxy will at least be able to catch the ones that aren't able to
tunnel through HTTP and just use port 80 on the remote end for their service.
plus, you should be able to do ACLs on the proxy and weed out known servers at
the very least.

> Blocking these services is more difficult than it at first seems.

MUCH more difficult than it seems.  some are near impossible to block without
cutting off _all_ access to the internet (although sometimes these people tempt
me to even do that, grrrr)

> I suggest searching the archives for the 'firewalls' mailing list, as
> this topic has been discussed there repeatedly:
> http://pluto.gnac.com/firewalls/

try the IPFILTER mailing list as well, those guys are usually on the ball as
well.

good luck in your daunting task!!

-brian