On Wed, Mar 11, 2009 at 10:01 PM, jmc <j...@cosmicnetworks.net> wrote:
> i say this might be slightly OT because i am asking more of a
> philosophical question, not a technical one. the excellent documentation
> has given me all i need to know about the probability directive. thanks,
> devs, for that.
>

(just as a "hint" to the rest who are considering whether to read through) doesn't sound philosophical to me!

> quick story: i have a couple dozen websites spread across two
> OpenBSD/base apache machines. one of my clients runs a web-based forum
> that's experienced a bit of trouble recently with previously banned
> users registering multiple accounts through open proxies and causing
> problems (just open proxies, not tor exit nodes). the mods have quelled
> the activity for now, but i'm thinking of ways to help them in the
> future. i use sensible max-src-conn and max-src-conn-rate to be sure that
> DoS attacks won't cause httpd to knock down my server, but this is a
> solution to a different problem in my eyes---this is just trying to be a
> good sysadmin.
>
> i have grepped through the logs of other clients, and i don't see any
> evidence of any traffic from the lists of open proxies i've compiled, so
> i don't think this would have unintended effects on them.
>

don't see any evidence of *legit* traffic from the list of open proxies you've compiled, you mean.

> the only reason i guess that i'm cautious about just getting a list of
> known open proxies, creating a pf table and running with something like:
>
> block in log quick on $ext_if from <openproxies> to any probability 90%
>
> is because it seems a little bofh-ly to me. and i guess it borders on
> security-through-obscurity, which of course is not really security at
> all.

obscurity may not be true security, - but combined with security, it helps!

> but it seems a bit more sinister than just outright blocking, which
> kinda makes me snicker a bit. make the experience painful enough that
> they just go away.
>

which is good, don't you think? ;)

> and i suppose i've just been dying to find a use for the probability
> directive.
>
> so anyway, how are _you_ using probability? does this seem in line with
> what it was designed for? how, if at all, do you deal with open proxies?
> you can respond off-list if this is really too OT for m...@. and i'm not
> afraid to be told this is the stupidest. idea. ever. if that's what you
> think. i'm also open to other ideas.
>

no, it's not (the stupidest idea ever). I think it's good, in fact. Frustrates, confuses, and throws a wrench in the works of the low life and low intelligence scum.

-jf

--
In the meantime, here is your PSA:
"It's so hard to write a graphics driver that open-sourcing it would not help."
-- Andrew Fear, Software Product Manager, NVIDIA Corporation
http://kerneltrap.org/node/7228
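For readers who want to see how the one-liner jmc sketches fits into a working ruleset, here is an added pf.conf fragment. It is not from the thread or from either poster; the interface name em0, the table file /etc/pf/openproxies.txt, the web ports, the bruteforce table and the max-src-conn numbers are all assumptions chosen for illustration.

```pf
# /etc/pf.conf fragment (added example, not from the thread)
# Assumptions: external interface em0, the compiled proxy list lives in
# /etc/pf/openproxies.txt (one address or CIDR per line), and the forum
# is served on ports 80 and 443.
ext_if = "em0"
web_ports = "{ 80, 443 }"

# 'persist' keeps the table alive even when no rule currently references
# it, so it can be refilled with pfctl without reloading the ruleset.
# 'file' seeds it from the compiled list at load time.
table <openproxies> persist file "/etc/pf/openproxies.txt"
table <bruteforce> persist

set skip on lo

# Default deny, stateful pass out.
block return log
pass out quick keep state

# Drop 90% of new connection attempts from the proxy list. Because 'quick'
# only takes effect when the rule actually matches, the remaining 10% of
# SYNs fall through to the ordinary pass rule below and get a state entry
# like any other client.
block in log quick on $ext_if inet proto tcp from <openproxies> \
    to ($ext_if) port $web_ports probability 90%

# Everyone else reaches httpd under the usual per-source connection limits
# (values are assumptions); sources that exceed them land in <bruteforce>.
block in quick on $ext_if from <bruteforce>
pass in on $ext_if inet proto tcp to ($ext_if) port $web_ports keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. When the proxy list changes, `pfctl -t openproxies -T replace -f /etc/pf/openproxies.txt` swaps the table contents in place, `pfctl -t openproxies -T test 192.0.2.10` tells you whether a given address (here a constructed documentation address) would be caught, and `tcpdump -n -e -ttt -i pflog0` shows the logged drops. One caveat worth knowing before relying on the 90% figure: probability is rolled per packet at rule-evaluation time, and pf consults the state table before the ruleset, so a connection that slips through once is never re-rolled, while a TCP client that retransmits its SYN gets a fresh roll on each retry. After n attempts the chance that a connection eventually gets through is 1 - 0.9^n, so the effective per-connection pass rate for a patient client is noticeably above 10%.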