North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Blocking Internet Gaming

  • From: Dominic J. Eidson
  • Date: Sun Jan 06 20:46:50 2002

On Sun, 6 Jan 2002, Todd Suiter wrote:

> Problem with that is you can spec those ports pretty much at will. This came up
> on the [email protected] list last week. Policy is a good place to
> start. Make it obvious that your org does not approve of this type of thing.
> Then start looking at tcpdump output to find the ports/people, and go from
> there.

There was a similar discussion to this one back when I first joined
NANOG - anyways - to repeat my comment from back then..

I work for a healthcare network - for obvious reasons, we don't allow
incoming connections through our firewall. The interesting part is though,
that we also only allow limited access _out_ through our firewall - mainly
because back in the days when we first got the setup, $$$'s for internet
access were scarce, and in order to keep the traffic at reasonable rates
(not to saturate our connection), we had to limit traffic in some way.

The basic setup is disallow all outbound connections, save ports 20-21,
23, 109/110, 80 (with restiction, explanation follows) and 443.

The restrictions on port 80, is done using Checkpoint's HTTP Client Auth
agent - which authenticates through LDAP into NDS (we also restrict what
users are allowed outbound access - not everybody at a hospital needs
internet access).

This setup tends to stop most internet-based games ('cept http-based ones)
- and allows for nice monitoring of the remaining (allowed traffic). (We
log all traffic going through the firewall - And don't give me any grief
about violation of privacy.. big deal.)


-- 
Dominic J. Eidson
                                        "Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/              http://www.the-infinite.org/~dominic/