+++ Sundari KuSumam [linux-india] <19/12/01 12:15 +0200>:
> Thanks for the help. making it passive solved the problem
> What is the difference between passive and active mode?

As Shanu explained the difference already, I'll just add that RFC 959 documents it, and the best explanation of this that I've seen is at <http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci512897,00.html>

> Also a related query
> I want to limit access to certain services such as yahoo
> messenger to one or two machines. What is the best way?

Speaking as a (former) corporate mail/sys admin ...

Short term solution - use iptables filters as Shanu suggested. Find out what ports yahoo uses and firewall those for unauthorized IPs. However, as Shanu said, messenger uses HTTP-S as well, so just configuring clients won't help. Any user with half a brain can figure it out, and firewalling https is not an option.

Users with half a brain - There are several with just enough clue to be a nuisance on your network, screwing up their settings by installing software, working around whatever blocks you set etc ... especially in a corporate environment. They might be brilliant in whatever field of work they are in, but will definitely verge from utterly clueless to (that most dangerous state) half clueful around computers.

You can, in fact, safely proceed with the assumption that your average user is like a small child with firecrackers, and needs someone to keep an eye on him to prevent him from hurting himself on the 'net (damage to his computer / your network, basically).

If you have something like NT Workstation or Win2K on those client boxes, you can set enough policies to ensure that the user can't install software onto the machine, only the administrator can. Either that, or use thin clients :)

Otherwise, you are much better off solving a social problem (employees goofing off on yahoo messenger / napster etc) socially (yelling, whacking them upside the head with the proverbial "clue bat", etc).

More seriously, an "acceptable use policy" on the corporate network should help. That, and keep track of active connections at any given time.
If someone looks to be bogging down the network, just put a deny rule in for his IP ... he can still get his mail from the LAN based mailserver, but he won't be able to surf / chat on messenger etc.

Yes, I know this is intrusive, etc etc - but it is a damn sight better than firewalling everything in sight. It is also much more convenient when someone gets his box infected with Hybris / Nimda or other flavor-of-the-month windows virus, and is pumping out 500 kb virus mails with sensitive corporate documents (of course, in ms word format) attached as the virus payload.

Phew, now I'm out of that environment, out of that nightmare ... wish you luck doing all this :)

	-srs

--
Suresh Ramasubramanian <----> mallet <at> efn dot org
EMail Sturmbannfuhrer, Lower Middle Class Unix Sysadmin

[Linux One Stanza Tip]
From : <[EMAIL PROTECTED]>
LOST #135 -**< Sub : man2txt >**-
To convert man pages to text format (which may be necessary if printouts are necessary, or you want to clip a large section):
$ man [progname] | col -b > progname.man.txt
