On Wed, Mar 11, 2009 at 10:01 PM, jmc <j...@cosmicnetworks.net> wrote:
> i say this might be slightly OT because i am asking more of a
> philosophical question, not a technical one. the excellent documentation
> has given me all i need to know about the probability directive. thanks,
> devs, for that.
>
(just as a "hint" to the rest who are considering whether to read
through) doesnt sound philosophical to me!
> quick story: i have a couple dozen websites spread across two
> OpenBSD/base apache machines. one of my clients runs a web-based forum
> that's experienced a bit of trouble recently with previously banned
> users registering multiple accounts through open proxies and causing
> problems (just open proxies, not tor exit nodes). the mods have quelled
> the activity for now, but i'm thinking of ways to help them in the
> future. i use sensible max-src-conn and max-src-conn-rate to be sure to
> DoS attacks won't cause httpd to knock down my server, but this is a
> solution to a different problem in my eyes---this is just trying to be a
> good sysadmin.
>
> i have grepped through the logs of other clients, and i don't see any
> evidence of any traffic from the lists of open proxies i've compiled, so
> i don't think this would have un-intended effects on them.
>
dont see any evidence of *legit* traffic from the list of open proxies
you've compiled, u mean.
> the only reason i guess that i'm cautious about just getting a list of
> known open proxies, creating a pf table and running with something like:
>
> block in log quick on $ext_if from <openproxies> to any probability 90%
>
> is because it seems a little bofh-ly to me. and i guess it borders on
> security-through obscurity, which of course it not really security at
> all.
obscurity may not be true security, - but combined with security, it helps!
> but it seems a bit more sinister than just outright blocking, which
> kinda makes me snicker a bit. make the experience painful enough that
> they just go away.
>
which is good, dont u think? ;)
> and i suppose i've just been dying to find a use for the probability
> directive.
>
> so anyway, how are _you_ using probability? does this seem inline with
> what it was designed for? how, if at all, do you deal with open proxies?
> you can respond off-list if this is really too OT for m...@. and i'm not
> afraid to be told this is the stupidest. idea. ever. if that's what you
> think. i'm also open to other ideas.
>
no, it's not (the stupidest idea ever). I think it's good, in fact.
Frustrates, confuses, and throws a wrench in the works of the low life
and low intelligence scum.
-jf
--
In the meantime, here is your PSA:
"It's so hard to write a graphics driver that open-sourcing it would not help."
-- Andrew Fear, Software Product Manager, NVIDIA Corporation
http://kerneltrap.org/node/7228
