We found websense on FW-1 boxen to be a nasty chore to maintain. Often
'approved' sites would find themselves blocked by the application's own
selection criteria for no known reason. It is our understanding that
other similar apps suffer the same troubles. It further added to our
sense that this is a chore best handled by HR.
Thanks,
Ron DuFresne
On Tue, 21 Nov 2000, HUNGRY PIRANHA wrote:
>
> I think the proxy or the firewall can be effective listening posts for
> denial traffic, as they are also a pretty good place to gather patterns and
> frequencies. Most proxies have extensive logging facilities available, if not
> by the apps then by the OS...probably something a bit *n*X...as they are adept
> at logging almost anything they are asked to (most Unix apps by convention
> include this service). I have the Sidewinder, PIX, Gauntlet, FWTK with
> embedded Netscape/SOCKSv5...and they all can perform the functions you wish.
>
> Each of these tools has its own implementation techniques, and those should be
> learned from the how-to pages for whatever distro you use...again I refer to
> unixen, but then again they have established practice propagated by exposure
> to source code for the OS.
>
> Explore the syntax and format of the rule sets and the locations of the
> support files, and adhere to the file locations that the default
> installers pick, as Unix has that weakness: disparate OS and network related
> files scattered about myriad filesystems.
>
> Usually the formats are routerish...
> forgive the xhost notation, but it is just for concept:
>
> tag: permit service *.*.*.* -plug_to x.x.x.x wrapper-like-program-tag
>
> will work for most TCP.
>
> UDP needs other help...udprelay and SOCKS are useful.
>
> I use TIS FWTK on Solaris a lot.
>
> The Sidewinder is a BSD based firewall.
>
> It is adept at port redirection tactics.
>
> To manage the split kernel architecture, it dynamically moves
> all users' connections to virtual memory and its own users to
> assist in handling the transition from root-like power to operationally
> multiple kernels.
>
> The ability to 'root' the box doesn't exist per se, as the user root
> is not allowed to log in, but there are times when exploring pushd &
> popd that I've discovered I wound up in the /root dir with
> uid=0...hmmmm.
>
> It uses one kernel (admin) for managing configs to DNS, sendmail.cf
> (fragile), and you certainly don't want it resolving at that point. Service
> initiation...rule set table builds, cron and syslog, ftp, telnet,
>
> you have to tweak them all. The Sidewinder came with a
> buggy !!shudder!! X server suite....
>
> One might want to suggest possibly not using GUI tools to configure
> routers, servers, switches, firewalls or proxies.
>
> They are large.
>
> Large programs are more prone to bugs and leaks, just
> based on the code generating lots of function calls.
>
> System calls are expensive...wait, at least they used to be...
>
> forgive MASM flashbacks.
>
> Cheswick and Bellovin state that small code maintains simplicity.
>
> This should be a tao of configuration.
>
> piranha....
>
> >From: Apisit Suksakorn <[EMAIL PROTECTED]>
> >To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> >Subject: Filter bad web site
> >Date: Tue, 21 Nov 2000 09:43:10 +0700
> >
> >Dear all,
> >
> > My company has a policy that porno web sites are prohibited. Can anyone
> >suggest where I should filter the porno sites (proxy or firewall)? I
> >use squid and FW1. What should I do?
> >
> >regards,
> >apisit.
> >
> >-
> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >"unsubscribe firewalls" in the body of the message.]
>
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
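For the squid half of Apisit's question, here is an added example of the ACL arrangement that also addresses Ron's complaint about approved sites being caught by the filter: the locally maintained allow list is evaluated before the deny list, so nobody's opaque categorisation can override a site that has been explicitly cleared. This is my own illustration, not configuration posted by anyone in this thread; the network range, file paths and domain names are assumed.

```conf
# squid.conf fragment (added example; addresses, paths and domains are assumed)
#
# /etc/squid/approved-domains.txt and /etc/squid/blocked-domains.txt hold one
# entry per line. A leading dot matches the domain and all of its subdomains:
#   .example.com      matches example.com and www.example.com
#   www.example.com   matches only that host
acl localnet  src       192.168.0.0/16
acl approved  dstdomain "/etc/squid/approved-domains.txt"
acl blocked   dstdomain "/etc/squid/blocked-domains.txt"

# Order matters: http_access lines are evaluated top to bottom and the first
# match wins. The approved list comes first so that an entry in the blocked
# list cannot override a site HR has explicitly cleared.
http_access allow localnet approved
http_access deny  blocked
http_access allow localnet
http_access deny  all

# Optional: show a custom page instead of the generic "access denied".
# The ERR_BLOCKED_SITE template must exist in squid's errors directory.
deny_info ERR_BLOCKED_SITE blocked
```

Check the file with `squid -k parse`, then `squid -k reconfigure` to reload without dropping active connections. Two caveats: dstdomain matches the hostname as written in the request, so a user who reaches a server some other way (a numeric address, a different proxy, or a direct connection the firewall still permits) is not covered; the FW-1 rule base should therefore allow outbound HTTP only from the squid host, making the proxy the single choke point. And a short, explicit list that HR owns and can read is far easier to audit than a vendor's category database when someone asks why a site was blocked.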