About restricting WWW use with ipchains (or any other packet filter, for
that matter):

> It's terribly inefficient, but yes, you can. You can just add rules to
> your forward chain denying to specific destinations. However, you are
> going to spend a lot of time checking IP addy's and maintaining your
> list of blocked sites.
> 
I agree that it is futile to try to block the access to certain sites to
users on the inside. If you're trying to firewall WWW access, though, a
packet filter isn't really up to it in many cases. There are quite a few Web
servers on non-standard ports, so you end up opening a whole range of ports.
And, as Henry points out, you can't easily keep track of IP address changes.

Since all browsers I know of support proxies, I'd definitely use one to try
to secure Web access in favour of a packet filter. And while it sounds like
it's trivial to tunnel information via HTTP, it will close the port 80 hole
that I'm tempted to call infamous for its appearances in all sorts of FAQs
on 'how do I get XYZ to work across a firewall' (replace XYZ with the
current gimmick everybody's raving about).

Tobias
