On Thu, Feb 11, 2010 at 04:20:49PM -0500, Flamsmark wrote:
> On 11 February 2010 16:17, Michael Holstein
> <michael.holst...@csuohio.edu> wrote:
> > Let's not debate the stupidity of authenticating a network by IP address
> > .. but the above problem is ultimately what forced us to do the same
> > thing (although we just prohibit the operation of an exit). I should
> > note that the original effort to run an exit was conducted by myself,
> > and I do network security here .. but it was the complaints from the
> > library folks that got us into hot water .. there simply wasn't an easy
> > way to block access to all of them without an overly-complex exit
> > policy, and all of our IP space is within a single /16.
>
> Why couldn't your exit policy just block the IPs of the journal sites?

Or more generally, just block *:80? It's not the best answer I could
hope for, but it's sure better than not being an exit relay at all.

A more general approach would be to get a DMZ address, meaning somewhere
in your university address space that hasn't been whitelisted by the
libraries. That concept might not exist at your university though -- yet :).

--Roger
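The two exit-policy options raised in this thread, compared in an added example that is not part of the original messages: a small first-match evaluator for `accept|reject ADDR[/MASK]:PORT` rules. The journal networks and destinations are constructed documentation-range addresses, the helper names are hypothetical, and port ranges and Tor's appended default policy are not modelled.

```python
import ipaddress

def parse_policy(lines):
    """Parse 'accept|reject ADDR[/MASK]:PORT' lines into (action, network, port) rules."""
    rules = []
    for line in lines:
        action, pattern = line.split()
        addr, port = pattern.rsplit(":", 1)
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        rules.append((action, net, None if port == "*" else int(port)))
    return rules

def exit_allowed(rules, ip, port):
    """Walk the rules in order; the first rule that matches decides."""
    target = ipaddress.ip_address(ip)
    for action, net, rule_port in rules:
        if (net is None or target in net) and (rule_port is None or rule_port == port):
            return action == "accept"
    return False  # assumption of this sketch: no matching rule means reject

# Constructed sample data: stand-ins for the IP-whitelisted journal sites.
JOURNAL_NETS = ["192.0.2.0/24", "198.51.100.16/28"]

# Option 1: one reject line per journal network, then allow the rest.
PER_SITE = parse_policy([f"reject {n}:*" for n in JOURNAL_NETS] + ["accept *:*"])
# Option 2: refuse all port-80 exits, allow the rest.
NO_HTTP = parse_policy(["reject *:80", "accept *:*"])

# Constructed destinations: a journal host and an unrelated host, on 80 and 443.
DESTS = [("192.0.2.10", 80), ("192.0.2.10", 443),
         ("203.0.113.5", 80), ("203.0.113.5", 443)]

def compare():
    """Return {(ip, port): (allowed under PER_SITE, allowed under NO_HTTP)}."""
    return {d: (exit_allowed(PER_SITE, *d), exit_allowed(NO_HTTP, *d)) for d in DESTS}

if __name__ == "__main__":
    for (ip, port), (per_site, no_http) in compare().items():
        print(f"{ip}:{port:<4} per-site={per_site!s:<5} reject-*:80={no_http}")
```

The per-site policy needs one line per whitelisted network and must be kept current; the `reject *:80` policy is two lines but leaves port 443 to the same hosts untouched.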