Subject: Re: blocking icq & napster
From: Gabe Turner (gabeMSI.UMN.EDU)
Date: Mon Aug 28 2000 - 16:19:52 CDT


>
> if you're using a Unix (or linux) computer as the firewall, figure out
> which port they use and use ipfw, ipchains or ipfwadm to keep certain computers
> from using those ports or sending data through them.

Well that's the root of the problem. ICQ, at least, uses random,
unprivileged ports. In order to block it, you'd have to close every port
over 1024... But that would most likely break other programs like ftp. Of
course, you could set your firewall to keep the state of outgoing packets,
but then ICQ would be able to go in and out on random ports again. Napster
can be blocked, but when you block it, people start using Gnutella or some
such and they can change the port at will. Many people (universities,
businesses, etc) are trying to block the latter, but with little luck.

I've heard people (mostly IT-manager types) complain and complain about
users using ICQ and Napster and viewing porn and what have you, and they go
to the administrator for an answer. But, frankly, this is a user education
issue. Rather than going out of your way to keep users from breaking the
rules, you need to make sure management comes down on their heads when they
use programs that they aren't supposed to be using on your network.

My $0.02,

Gabe

--
--------------------------------------------------------------------------------
Gabe Turner				    	      		gabemsi.umn.edu
UNIX Systems Administrator,
U of M Supercomputing Institute for
Digital Simulation and Advanced Computation

"I watch bad movies in my own home because I'm insane. I've been driven mad by them, and like heroin, I keep wanting more, even though it's collapsing my heart." - Mike Nelson, MST3k
-------------------------------------------------------------------------------
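The two firewall approaches Gabe contrasts, modelled as an added example (this is not code from the post, the list, or any of the tools named in it). A stateless "close every port over 1024" filter in the style of an ipchains/ipfw port rule is run side by side with a connection-tracking filter that lets LAN hosts open any outbound connection and admits only the matching replies. The flows, hosts (documentation-range addresses) and port numbers are constructed for illustration; in particular the IM client's remote port is an arbitrary high port standing in for "random, unprivileged ports", not a port any real ICQ client used.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as seen by the filter. direction is 'out' (LAN -> Internet)
    or 'in' (Internet -> LAN). syn marks the first packet of a connection."""
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False


class PortFilter:
    """Stateless filter: refuse any traffic whose Internet-side port is
    unprivileged (>1024). Outbound packets are judged by destination port,
    inbound ones by source port, which is the remote service's port."""

    def __init__(self, max_port: int = 1024) -> None:
        self.max_port = max_port

    def allows(self, pkt: Packet) -> bool:
        remote_port = pkt.dport if pkt.direction == "out" else pkt.sport
        return remote_port <= self.max_port


class StatefulFilter:
    """Connection-tracking filter: any connection a LAN host initiates is
    allowed and recorded; inbound packets pass only if they belong to a
    recorded connection. Port numbers are never consulted, which is exactly
    why a client on random ports sails through."""

    def __init__(self) -> None:
        self.state: set[tuple[str, int, str, int]] = set()

    def allows(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "out":
            if pkt.syn:
                self.state.add(key)
                return True
            return key in self.state
        # Inbound: must be the reverse of a connection we already saw go out.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state


def sample_flows() -> dict[str, list[Packet]]:
    """Constructed traffic from one LAN host. Addresses are from the
    documentation range and the high ports are made up for the example."""
    lan, web, ftp, im = "10.0.0.5", "192.0.2.80", "192.0.2.21", "192.0.2.99"
    return {
        "http": [Packet("out", lan, 40001, web, 80, syn=True),
                 Packet("in", web, 80, lan, 40001)],
        "ftp-control": [Packet("out", lan, 40002, ftp, 21, syn=True),
                        Packet("in", ftp, 21, lan, 40002)],
        # Passive-mode FTP data: the server hands out a high port.
        "ftp-passive-data": [Packet("out", lan, 40003, ftp, 51234, syn=True),
                             Packet("in", ftp, 51234, lan, 40003)],
        # IM client talking to an arbitrary unprivileged remote port.
        "im-random-port": [Packet("out", lan, 40004, im, 33821, syn=True),
                           Packet("in", im, 33821, lan, 40004)],
        # Something on the Internet trying to connect in unasked.
        "unsolicited-inbound": [Packet("in", im, 33821, lan, 40005, syn=True)],
    }


def run(filt, flows: dict[str, list[Packet]]) -> dict[str, bool]:
    """Map each flow name to True only if every packet of it was allowed."""
    return {name: all(filt.allows(p) for p in pkts) for name, pkts in flows.items()}


def compare() -> dict[str, dict[str, bool]]:
    """Run the same constructed flows through both filters."""
    flows = sample_flows()
    return {"port-block": run(PortFilter(), flows),
            "stateful": run(StatefulFilter(), flows)}


if __name__ == "__main__":
    for policy, verdicts in compare().items():
        print(policy)
        for flow, ok in verdicts.items():
            print(f"  {flow:22s} {'pass' if ok else 'DROP'}")
```

Under the port-block policy the IM flow is dropped, but so is the passive FTP data connection, which is the collateral damage the post warns about; under the stateful policy both FTP legs and the IM flow pass, and only the unsolicited inbound connection is refused. Real ipfw and ipchains rules are evaluated against interfaces and flags the model leaves out, so treat this as a picture of the policy logic rather than a ruleset to copy.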