I don't think there is a good solution right now. I also block the
Microsoft service ports which are a common source of holes for the
Microsoft vermin to infect a new victim. There was a new CERT warning
out just yesterday about a new hole in Workstation Services so it's just
going to get worse while Microsoft Windows is still around.

There was some FreeBSD person who was working on extending OS
fingerprinting to the packet filter level. Since you have real machines
and not just a simple router between the AP and the internet maybe you
could use this to restrict Windows users with ports open to just port 80
while letting responsible netizens through?

-- Daniel
  << When truth is outlawed; only outlaws will tell the truth. >> - RLiegh

On Wed, 12 Nov 2003, John Klos wrote:

]Hi,
]
]I was wondering what other node owners are doing about the recent
]onslaught of Windows viruses and worms. I've been seeing more and more
]machines trying to open literally 10,000 connections on the Internet per
]minute (and filling up the NAT state table), and it seems due to the
]Welchia virus.
]
]Between this and the viruses / worms which flood our email boxes with
]"Current Network Security Update" emails, it seems we are stuck constantly
]administering to the lowest common denominator. I do not own any Microsoft
]products, but I am constantly bombarded with Microsoft problems.
]
]So what are other people doing to reduce this deluge of garbage? I did not
]want to block outgoing access to port 25 from my free networks, but I was
]forced to do so; I do not like limiting the kinds of traffic that people
]can use from the free networks, but if I don't, then a few people with
]viruses can clog the whole connection for everyone else.
]
]What are other people doing?
]
]John Klos
]Sixgirls Computing Labs
]--
]NYCwireless - http://www.nycwireless.net/
]Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/
]Archives: http://lists.nycwireless.net/pipermail/nycwireless/
]
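Added example, not part of either message: a pf.conf sketch of the two ideas in this thread, assuming the gateway between the AP and the Internet runs pf (the thread does not name the packet filter). The interface name, port list and per-source limits are assumptions chosen for illustration.

```pf
# Constructed example. wi0, the port list and the limits are assumptions.
wifi_if  = "wi0"
ms_ports = "{ 135, 137, 138, 139, 445 }"

# Default deny for everything arriving from the wireless side.
block in on $wifi_if all

# Microsoft service ports never leave the free network, whatever the OS.
# "quick" stops rule evaluation here, so later pass rules cannot undo it.
block in quick on $wifi_if proto { tcp, udp } from any to any port $ms_ports

# General access. max-src-states caps the state entries one client
# address may hold, so a single scanning host cannot fill the state table.
pass in on $wifi_if inet proto { tcp, udp, icmp } \
    from $wifi_if:network to any keep state (max-src-states 100)

# pf evaluates rules last-match-wins: these two rules override the
# general pass rule for TCP connections whose SYN fingerprints as Windows.
block in on $wifi_if inet proto tcp from any os "Windows" to any
pass  in on $wifi_if inet proto tcp from any os "Windows" to any \
    port 80 flags S/SA keep state (max-src-states 50)
```

Fingerprinting is passive and only looks at the initial TCP SYN, so UDP and ICMP from a Windows host still fall under the general rule, and a host whose stack has been tuned may not match the "Windows" class at all. Load it with `pfctl -nf` first to check the syntax against the pf version in use.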