On Tue, Nov 19, 2002 at 11:32:45PM +0100, Arne P. Boettger wrote:
> I suggest you read "Building Internet Firewalls" - it comes with
> some quite good answers to your questions.
>
> Port 80: http, easy thing. Allow web access only through an
> application level proxy server like squid.
> Port 53: dns, same game. Why do local machines need to query
> external name servers? Provide an internal name server that forwards
> all requests
> Port 22: ssh, not that easy, but doable. Provide a bastion host
> where anyone with the need to ssh to external machines gets an
> account. Allow connections to the ssh port only to one special
> group (no problem with netfilter) and make the ssh binary
> set-group-id to that group.
I'm aware of most of these options... I've considered getting the referenced title a few times now. The question was more of an exercise. And each of the solutions involves the addition of a little more inconvenience to the end users. Which brings us back to the balancing of convenience and control.

-- 
Jamin W. Collins
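The port 22 arrangement Arne describes (outbound ssh permitted only to one Unix group, with a set-group-id ssh client so ordinary users still get through it) can be written down as a small netfilter script. The following is an added example, not code from either poster: the group name `sshout`, the external interface `eth0`, the chain name `SSH_OUT` and the client path `/usr/bin/ssh` are assumptions chosen for illustration. It assumes the ssh client keeps the set-group-id effective gid when it opens its socket, since the `owner` match looks at the socket creator's credentials; that should be checked against the OpenSSH build in use before relying on it. By default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): outbound ssh restricted to one
# Unix group via the netfilter owner match, plus a set-group-id ssh
# binary so members of other groups can still use the sanctioned client.
# Group, interface, chain and binary path are assumptions for illustration.

SSH_GROUP="${SSH_GROUP:-sshout}"      # assumed group allowed outbound ssh
WAN_IF="${WAN_IF:-eth0}"              # assumed external interface
SSH_BIN="${SSH_BIN:-/usr/bin/ssh}"    # assumed path of the ssh client

# Emit the iptables commands, one per line, without running them.
# The owner match applies only to locally generated packets, so the
# rules hang off the OUTPUT chain of the filter table. Everything that
# is not from the group is logged (for detection) and then rejected.
build_ssh_egress_rules() {
    grp="$1"; ifc="$2"
    printf '%s\n' \
        "iptables -N SSH_OUT" \
        "iptables -A OUTPUT -o $ifc -p tcp --dport 22 -j SSH_OUT" \
        "iptables -A SSH_OUT -m owner --gid-owner $grp -j ACCEPT" \
        "iptables -A SSH_OUT -j LOG --log-prefix 'ssh-egress-denied: '" \
        "iptables -A SSH_OUT -j REJECT --reject-with tcp-reset"
}

# Emit the commands that make the ssh client set-group-id to the group:
# a user who is not a member still gets the group's gid while running
# this one binary, while any other program they run does not.
build_setgid_commands() {
    grp="$1"; bin="$2"
    printf '%s\n' \
        "chgrp $grp $bin" \
        "chmod 2755 $bin"
}

# Number of ACCEPT rules keyed on the group; used as a sanity check.
count_group_rules() {
    build_ssh_egress_rules "$1" "$2" | grep -c -- "--gid-owner $1"
}

# Apply only when explicitly asked for and running as root; otherwise
# print the commands so they can be reviewed first.
apply_rules() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        build_ssh_egress_rules "$SSH_GROUP" "$WAN_IF" | sh -e
        build_setgid_commands "$SSH_GROUP" "$SSH_BIN" | sh -e
    else
        echo "# dry run; set APPLY=1 and run as root to apply:"
        build_ssh_egress_rules "$SSH_GROUP" "$WAN_IF"
        build_setgid_commands "$SSH_GROUP" "$SSH_BIN"
    fi
}

apply_rules
```

Running it without `APPLY=1` prints the five iptables lines and the two permission changes; the `LOG` rule means every blocked attempt (a user outside the group, or a tool other than the setgid client) shows up in the kernel log with the `ssh-egress-denied:` prefix, which is the audit trail you want when deciding whether the inconvenience is worth it.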

