From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] IP2P & Skype question
Date: Wed, 27 Apr 2005 05:22:13 +0000
Message-ID: <426F2185.4040009@riverviewtech.net>
In-Reply-To: <426CEBC7.9050505@pbltd.net>
> Yes, I too have been reading these things asking myself why one would
> allow users such open access. One reason, of course, is that it is
> difficult to allow some http but not other, so if the port is 80, it
> pretty much has to be OK. So how would squid (or anything else except
> perhaps Level 7) know that this particular connection is A Bad Thing?
One word, er, name: Squid (Caching Proxy). Squid is *WONDERFUL*. Squid has saved my life *SO* many times. The ACL system, though difficult to understand at first, is extremely flexible and easy to work with once you get Squid's syntax down. I can easily define an ACL as such:
acl my_acl_name dstdomain .domain_I_dont_like.tld
http_access deny my_acl_name
Squid works completely inside of the HTTP (layer 7) protocol, or FTP protocol, or many other protocols. These are just some of the benefits of using an application layer gateway.
> I have been successful at limiting the number of FTP connections per
> user using iptables' connlimit and helper. That's where I'd start. And
> if three turned out to be too many, I'd reduce connlimit to 2 for HTTP
> and 1 for FTP.
> iptables -N HTTP
> iptables -A HTTP -p tcp -m connlimit --connlimit-above 3 -j DROP
> iptables -A HTTP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A HTTP -j RETURN
If the traffic that you are trying to connlimit is internal to your LAN, I would recommend that you REJECT the traffic, as this will prevent the client user agents from having to time out.
> iptables -A FORWARD -p tcp --dport 80 -j HTTP
> iptables -A FORWARD -p tcp --sport 80 -j HTTP
> iptables -A FORWARD -m helper --helper ftp -j HTTP
>
> In conjunction with my ACL (posted here a while back; it limits specific
> users to specific ports), the above would not be total deny, but it sure
> would put a dent in abuse.
Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
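The squid.conf fragment below is an added example, not part of Grant's or gypsy's message: it applies the dstdomain deny pattern shown above and adds Squid's own per-client connection cap (the maxconn ACL), mirroring the connlimit threshold of 3 in the iptables rules. The LAN range, file path and ACL names are placeholders to adapt; because Squid answers a denied request with an immediate HTTP error, the client does not hang the way it does on a DROP.

```conf
# Added example (not from the original post): a squid.conf fragment that
# applies the dstdomain deny shown above and adds a per-client connection
# cap in the spirit of the iptables connlimit rules. The LAN range, file
# path and ACL names are placeholders.

# Clients allowed to use the proxy at all (placeholder LAN range).
acl lan src 192.168.1.0/24

# Destinations the site policy does not permit. One domain per line in the
# file; a leading dot matches the domain and every subdomain under it.
acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"

# Destination ports browsers legitimately need. Anything else is denied so
# the proxy cannot be used as a generic TCP relay for other protocols.
acl Safe_ports port 80 21 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Matches when the requesting client IP already holds more than three
# open connections to Squid (same threshold as the connlimit example).
acl too_many_conns maxconn 3

# Squid 3.2 and later predefine "all"; on older releases define it first:
#   acl all src 0.0.0.0/0.0.0.0

# Evaluation stops at the first http_access line that matches, so denies
# come before the broad allow for the LAN.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked_sites
http_access deny too_many_conns
http_access allow lan
http_access deny all
```

Check the result with `squid -k parse` before reloading, and test a blocked domain and a fourth parallel connection from one client: both should receive an HTTP 403 from Squid rather than a hang.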