* Allow particular website/port
@ 2005-02-10 19:34 spdesai
  2005-02-10 20:10 ` Jason Opperisano
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: spdesai @ 2005-02-10 19:34 UTC (permalink / raw)
  To: netfilter

Hi

I have one Linux machine with two NIC cards. One is connected to the internet and
one to a private PC. Below is my IP configuration.

I have enabled ip_forward (set it to 1) on the Linux machine and also done
masquerading in Linux.

I can browse the internet from the Windows machine as well.

Now I want to allow/restrict my Windows machine to access/deny a particular
site, block messenger ...

I have tried with the FORWARD chain but it restricted all HTTP traffic, which I
don't want.

So please give me the solution.

Thanks in advance

Suhag

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/




* Re: Allow particular website/port
  2005-02-10 19:34 Allow particular website/port spdesai
@ 2005-02-10 20:10 ` Jason Opperisano
       [not found] ` <1108065714.8043.0.camel@porky>
  2005-02-11  7:09 ` Marcin Giedz
  2 siblings, 0 replies; 9+ messages in thread
From: Jason Opperisano @ 2005-02-10 20:10 UTC (permalink / raw)
  To: netfilter

On Thu, 2005-02-10 at 14:34, spdesai@gnvfc.net wrote:
> Hi
> 
> I have one Linux machine with two NIC cards. One is connected to the internet and
> one to a private PC. Below is my IP configuration.
> 
> I have enabled ip_forward (set it to 1) on the Linux machine and also done
> masquerading in Linux.
> 
> I can browse the internet from the Windows machine as well.
> 
> Now I want to allow/restrict my Windows machine to access/deny a particular
> site, block messenger ...
> 
> I have tried with the FORWARD chain but it restricted all HTTP traffic, which I
> don't want.
> 
> So please give me the solution.

squid.

-j

--
"Mr. Simpson, why are you here?
 Don't say revenge! Don't say revenge!
 Revenge?
 That's it! I'm outta here!"
	--The Simpsons




* Re: Allow particular website/port
       [not found]   ` <1108081685.420bfc1516440@mail.gnvfc.net>
@ 2005-02-11  5:11     ` Askar
  2005-02-13  6:53       ` spdesai
  0 siblings, 1 reply; 9+ messages in thread
From: Askar @ 2005-02-11  5:11 UTC (permalink / raw)
  To: netfilter

The task of blocking certain sites is definitely suited to "squid", as
Jason suggests, and please don't *insist* :)
You can block messengers via iptables if you know which ports they are
using, for example

## block MSN Messenger (TCP 1863)
iptables -A FORWARD -p tcp --dport 1863 -j DROP
## block Yahoo Messenger (TCP 5050)
iptables -A FORWARD -p tcp --dport 5050 -j DROP

regards


On Fri, 11 Feb 2005 05:58:05 +0530, spdesai@gnvfc.net <spdesai@gnvfc.net> wrote:
> I want to use Netfilter only instead of squid.... please give me the solution through
> netfilter
> 
> Quoting Eric Leblond <eleblond@inl.fr>:
> 
> > use a proxy (squid transparent if you want) ... netfilter cannot
> > cleanly filter at that level.


-- 
(after bouncing head on desk for days trying to get mine working, I'll make
your life a little easier)


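As an added example (not code from the thread or any of its participants), here is how the two-NIC gateway described in this thread could be set up along the lines of the replies so far: the messenger ports are handled in netfilter, and plain HTTP is handed to a Squid instance on the gateway as Eric and Askar suggest. The interface names, the LAN subnet, the LAN_FWD chain name and the Squid port are assumptions. The script prints the rules unless run with `apply`, so the rule list can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the thread. FORWARD policy for the two-NIC
# gateway: messenger ports handled in netfilter, web traffic handed to Squid.
# Interface names, LAN subnet, chain name and Squid port are assumptions.
WAN_IF=${WAN_IF:-eth0}        # internet side (unused below, kept for clarity)
LAN_IF=${LAN_IF:-eth1}        # private side
LAN_NET=${LAN_NET:-192.168.1.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
DRY_RUN=${DRY_RUN:-1}         # 1 = print the commands, 0 = execute (needs root)

# The same rule list can be reviewed (printed) before it is applied.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_rules() {
    # A dedicated chain inserted at the top of FORWARD. Appending DROP rules
    # with -A, as in the reply above, only works if nothing earlier in FORWARD
    # already ACCEPTs the traffic; inserting the jump first removes that trap.
    ipt -N LAN_FWD 2>/dev/null
    ipt -F LAN_FWD
    ipt -D FORWARD -i "$LAN_IF" -s "$LAN_NET" -j LAN_FWD 2>/dev/null
    ipt -I FORWARD 1 -i "$LAN_IF" -s "$LAN_NET" -j LAN_FWD

    # Return traffic for connections that were already allowed out.
    ipt -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Messenger ports from the reply above, logged (rate-limited) before the
    # block so the admin can see who tries. REJECT with a TCP reset makes the
    # client fail at once instead of hanging until a timeout.
    for p in 1863 5050; do
        ipt -A LAN_FWD -p tcp --dport "$p" -m limit --limit 5/min \
            -j LOG --log-prefix "messenger-block: "
        ipt -A LAN_FWD -p tcp --dport "$p" -j REJECT --reject-with tcp-reset
    done

    # Plain HTTP goes to Squid instead of being filtered by destination IP.
    # The nat rule redirects it to the local proxy; the FORWARD reject is
    # defence in depth so that port 80 is closed, not silently unfiltered,
    # if the nat rule is ever missing.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    ipt -A LAN_FWD -p tcp --dport 80 -j REJECT --reject-with tcp-reset

    # Everything else from the LAN keeps working as before.
    ipt -A LAN_FWD -j ACCEPT
}

# With no argument the rules are only printed; "apply" executes them.
if [ "${1:-}" = "apply" ]; then DRY_RUN=0; fi
build_rules
```

Two caveats a practitioner would want. The redirect covers only port 80: HTTPS on 443 and a messenger client that falls back to HTTP are not touched by these rules, which is exactly the gap the proxy is meant to fill. And Squid itself must be configured to accept intercepted connections on that port (the option name differs between Squid versions, so check the documentation for yours); on the Squid side, the `acl ... dstdomain` lines shown elsewhere in this thread need a final `http_access deny all` after them, since Squid's default when no line matches is the opposite of the last rule.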

* Re: Allow particular website/port
  2005-02-10 19:34 Allow particular website/port spdesai
  2005-02-10 20:10 ` Jason Opperisano
       [not found] ` <1108065714.8043.0.camel@porky>
@ 2005-02-11  7:09 ` Marcin Giedz
  2 siblings, 0 replies; 9+ messages in thread
From: Marcin Giedz @ 2005-02-11  7:09 UTC (permalink / raw)
  To: netfilter

On Thursday, 10 February 2005 20:34, spdesai@gnvfc.net wrote:
> Hi
>
> I have one Linux machine with two NIC cards. One is connected to the internet
> and one to a private PC. Below is my IP configuration.
>
> I have enabled ip_forward (set it to 1) on the Linux machine and also done
> masquerading in Linux.
>
> I can browse the internet from the Windows machine as well.
>
> Now I want to allow/restrict my Windows machine to access/deny a particular
> site, block messenger ...
>
> I have tried with the FORWARD chain but it restricted all HTTP traffic, which I
> don't want.
>
> So please give me the solution.

Iptables is not a solution, check squid

Marcin




* Re: Allow particular website/port
  2005-02-11  5:11     ` Askar
@ 2005-02-13  6:53       ` spdesai
  2005-02-13  7:09         ` Askar
  2005-02-13 15:18         ` Jason Opperisano
  0 siblings, 2 replies; 9+ messages in thread
From: spdesai @ 2005-02-13  6:53 UTC (permalink / raw)
  To: netfilter; +Cc: eleblond, askarali


Hi all, particularly Askar, Eric Leblond and Jason Opperisano (who helped me).

I have tried to restrict particular websites through iptables and it's working
fine. I have used the rules below for that.

Suppose we want to open only www.ndtv.com and www.cnn.com; then I gave the rules
in exactly the order below:

iptables -A FORWARD -s 192.168.1.2 -d www.ndtv.com -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 192.168.1.2 -d www.cnn.com -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j DROP

and my LAN machine (192.168.1.2) can open only the www.ndtv.com and www.cnn.com
websites, not any others.

Please give your comments about my rules: are they correct/valid/reliable? And
please let me know why you do not prefer to use iptables to allow particular
websites.

Waiting for your reply.

Thanks
Suhag.







* Re: Allow particular website/port
  2005-02-13  6:53       ` spdesai
@ 2005-02-13  7:09         ` Askar
  2005-02-13  7:54           ` spdesai
  2005-02-13 15:18         ` Jason Opperisano
  1 sibling, 1 reply; 9+ messages in thread
From: Askar @ 2005-02-13  7:09 UTC (permalink / raw)
  To: netfilter

For example www.hotmail.com

host www.hotmail.com
www.hotmail.com is an alias for www.hotmail.com.nsatc.net.
www.hotmail.com.nsatc.net has address 166.63.208.155
www.hotmail.com.nsatc.net has address 207.68.172.241
www.hotmail.com.nsatc.net has address 208.173.208.152

Now insert all the separate IP addresses so traffic to
www.hotmail.com is blocked.

However, when the IP addresses change, people can go to www.hotmail.com
again, without notice.

I would setup squid - http://www.squid-cache.org and configure
your client computers to use it. Then you can easily control
access to anything.

For example, to deny access to hotmail.com:

acl nohotmail1 dstdomain .hotmail.com
http_access deny nohotmail1

acl nohotmail2 dstdomain .hotmail.com.nsatc.net
http_access deny nohotmail2

regards

Askar 


-- 
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams



* Re: Allow particular website/port
  2005-02-13  7:09         ` Askar
@ 2005-02-13  7:54           ` spdesai
  0 siblings, 0 replies; 9+ messages in thread
From: spdesai @ 2005-02-13  7:54 UTC (permalink / raw)
  To: Askar; +Cc: netfilter

Hello Askar

I fully agree with you. iptables can be used when low security is required.

Thanks for your explanation.

-suhag.






* Re: Allow particular website/port
  2005-02-13  6:53       ` spdesai
  2005-02-13  7:09         ` Askar
@ 2005-02-13 15:18         ` Jason Opperisano
  2005-02-14  5:01           ` spdesai
  1 sibling, 1 reply; 9+ messages in thread
From: Jason Opperisano @ 2005-02-13 15:18 UTC (permalink / raw)
  To: netfilter

On Sun, 2005-02-13 at 01:53, spdesai@gnvfc.net wrote:
> Hi all, particularly Askar, Eric Leblond and Jason Opperisano (who helped me).
> 
> I have tried to restrict particular websites through iptables and it's working
> fine. I have used the rules below for that.
> 
> Suppose we want to open only www.ndtv.com and www.cnn.com; then I gave the rules
> in exactly the order below:
> 
> iptables -A FORWARD -s 192.168.1.2 -d www.ndtv.com -p tcp --dport 80 -j ACCEPT
> iptables -A FORWARD -s 192.168.1.2 -d www.cnn.com -p tcp --dport 80 -j ACCEPT
> iptables -A FORWARD -p tcp --dport 80 -j DROP

ok--this is exactly why *i* personally don't think this is a good way to
do this.  i'm not trying to say i'm right, but let me at least explain
why i feel the way i do.  let's go to http://www.cnn.com/ shall we?

first off; at this moment in time, www.cnn.com resolves to:

  64.236.16.20
  64.236.16.52
  64.236.16.84
  64.236.16.116
  64.236.24.4
  64.236.24.12
  64.236.24.20
  64.236.24.28

your rule that specifies "-d www.cnn.com" will resolve that name to IP
address(es) at the time the rule is loaded.  if cnn decides to
add/change the IP's for that FQDN--you will need to reload your rules to
pick up the change.  IMHO:  strike one.

k--now we have our 8 filter rules in place for those IP's--let's
actually fire up our trusty web browser (mosaic...natch).  when i browse
to http://www.cnn.com/ i make requests to:

  www.cnn.com
  i.a.cnn.net
  i.cnn.net
  cnn.dyn.cnn.com

we already have the first one accounted for in our filter rules
(obviously)--so now, i.a.cnn.net (at this moment in time) resolves to:

  64.236.40.64
  64.236.40.5
  64.236.40.8
  64.236.40.21
  64.236.40.32
  64.236.40.46
  64.236.40.53
  64.236.40.63

note that these are akamai addresses and they *will* change frequently.

next up is i.cnn.net, which currently resolves to:

  64.236.16.138
  64.236.16.139
  64.236.24.136
  64.236.24.137
  64.236.24.138
  64.236.24.139
  64.236.16.136
  64.236.16.137

and lastly, we have cnn.dyn.cnn.com (which judging from its name is
probably a dynamic; i.e. changing, address):

  64.236.22.20
  64.236.22.21
  64.236.29.20
  64.236.29.21

alright--so to allow access to cnn.com requires 28 rules to allow access
to 28 IP addresses (generated from the 4 -d $FQDN rules) that can change
whenever they gosh darn feel like and it's up to me to figure all this
out...i s'pose we could just allow access to the entire 64.236.0.0/16
net and be done, right?  one rule, *should* cover whatever IP changes
they decide, right?  it *is* kind of a shame that we would be allowing
web browsing into a network owned by AOL though, huh?  sorta defeats the
purpose.  IMHO:  strike two

let's also keep in mind--i have not clicked through anything on the site
yet (and i don't plan to, as this is getting a bit ridiculous), but i'm
guessing i'd need to analyze more traffic, and add more hosts if i
wanted to watch one of their videos, or listen to their radio etc...

but there's no easier way to do this, right?  when all you have is a
hammer, every problem starts to look like a nail, or something like
that.

i personally am not willing to go through that much effort for my users
(or myself, actually).  i also prefer not to implement solutions that
require constant care and feeding like the above.  not when i can add:

  acl cnn dstdomain .cnn.com .cnn.net
  http_access allow cnn

to my squid.conf and move on with my life.

-j

ps - i'm aware there was never a strike three.  if you want to put in
the effort to do this, more power to you.  in my experience people that
start down this path either (a) give up on it and decide to use an
app-level filter, (b) give up on it and just allow everything, or (c) let
it rot away to the point where users lose faith that the admin has any
clue as to what he/she is doing.

--
"It takes two to lie. One to lie and one to listen."
	--The Simpsons



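Added example, not code from Jason, Askar or the thread: a script that does the resolve-and-reload work described in Askar's hotmail lookup and in Jason's cnn.com walk-through, so the cost of the name-based approach is visible as a rule count. The chain name, LAN host and interface are assumptions. The resolver answers are a constructed offline sample in the format of host(1), copied from the 2005 lookups quoted in this thread and certainly stale; for a live run you would replace `sample_lookup` with a real `host` call.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds an allow-list chain from
# DNS answers for a list of names; run it from cron to do the "reload your
# rules" step automatically. Chain name, LAN host/interface are assumptions.
LAN_IF=${LAN_IF:-eth1}
LAN_HOST=${LAN_HOST:-192.168.1.2}
CHAIN=${CHAIN:-WEB_ALLOW}
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands, 0 = execute (needs root)

# Constructed offline sample in host(1) format, taken from the lookups quoted
# in the thread (2005 data, certainly stale). For a live run use:
#   host "$1" | grep -E 'has address|is an alias'
sample_lookup() {
    case "$1" in
    www.cnn.com)
        printf '%s\n' \
            'www.cnn.com has address 64.236.16.20' \
            'www.cnn.com has address 64.236.16.52' \
            'www.cnn.com has address 64.236.24.4' ;;
    www.hotmail.com)
        printf '%s\n' \
            'www.hotmail.com is an alias for www.hotmail.com.nsatc.net.' \
            'www.hotmail.com.nsatc.net has address 166.63.208.155' \
            'www.hotmail.com.nsatc.net has address 207.68.172.241' \
            'www.hotmail.com.nsatc.net has address 208.173.208.152' ;;
    *) return 1 ;;
    esac
}

# A records only. The alias line is skipped, which is exactly what iptables
# does when it resolves "-d www.hotmail.com" at load time.
addresses_for() {
    sample_lookup "$1" | awk '$2 == "has" && $3 == "address" { print $4 }'
}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Flush and refill the chain so addresses that dropped out of DNS are removed
# on the next run; the -A rules quoted above would just keep accumulating.
build_allow_chain() {
    ipt -N "$CHAIN" 2>/dev/null
    ipt -F "$CHAIN"
    for name in "$@"; do
        for ip in $(addresses_for "$name"); do
            ipt -A "$CHAIN" -s "$LAN_HOST" -d "$ip" -p tcp --dport 80 \
                -m comment --comment "$name" -j ACCEPT
        done
    done
    # Anything on port 80 not matched above is dropped, as in Suhag's rules.
    ipt -A "$CHAIN" -s "$LAN_HOST" -p tcp --dport 80 -j DROP
    # Hook the chain into FORWARD once (delete first so re-runs do not stack).
    ipt -D FORWARD -i "$LAN_IF" -p tcp --dport 80 -j "$CHAIN" 2>/dev/null
    ipt -I FORWARD 1 -i "$LAN_IF" -p tcp --dport 80 -j "$CHAIN"
}

# How many per-address ACCEPT rules a set of names expands to right now.
count_accept_rules() {
    ( DRY_RUN=1; build_allow_chain "$@" ) | grep -c -- '-j ACCEPT'
}

build_allow_chain www.cnn.com www.hotmail.com
```

The count is the point: every A record becomes one rule, every extra hostname a page pulls in (the i.cnn.net and cnn.dyn.cnn.com cases above) multiplies it, and the chain is only as current as the last run. Two limits remain even with the refresh in place: a rule keyed on an IP address cannot tell two sites sharing that address apart, because the Host header is never inspected, and a rule keyed on the LAN host's address stops applying the moment that host picks a different one. A domain-based proxy ACL has neither problem.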

* Re: Allow particular website/port
  2005-02-13 15:18         ` Jason Opperisano
@ 2005-02-14  5:01           ` spdesai
  0 siblings, 0 replies; 9+ messages in thread
From: spdesai @ 2005-02-14  5:01 UTC (permalink / raw)
  To: Jason Opperisano; +Cc: netfilter

Thank you so much for your detailed explanation.





