nanog mailing list archives
Re: Firewalls - Ease of Use and Maintenance?
From: Joe Greco <jgreco () ns sol net>
Date: Wed, 9 Nov 2011 08:00:01 -0600 (CST)
> On Wed, Nov 09, 2011 at 03:32:45PM +0300, Alex Nderitu wrote:
> > An important feature lacking for now as far as I know is content/web filtering especially for corporates wishing to block inappropriate/time wasting content like facebook.
>
> 1. That's not a firewall function. That's a censorship function.

A "firewall" is pretty much a censorship function, you're using it to disallow certain types of traffic on your network. It's simply a matter of what layer you find most convenient to block things... a firewall is better closer to the bottom of the OSI layer model, a proxy is better closer to the top of the OSI layer model.

Is it "censorship" not to want unwanted connection attempts to our gear, and block unsolicited TCP connections inbound? Is it "censorship" not to want unwanted exploit attempts to our gear, and run everything through ClamAV, and use blocklists to prevent users inadvertently pulling content from known malware sites?

There's no functional differentiation between blocking content for one reason and blocking it for another. There's certainly a huge difference in the POLICY decisions that drive those blocking decisions, but the technology to do them is essentially identical.

You can, after all, block facebook on your firewall at the IP level and I think we would both agree that that is "censorship" but also something a firewall is completely capable of. It's just neater and more practical to do at a higher level, for when facebook changes IP addresses (etc), so a higher level block is really more appropriate.

> 2. You can of course easily do that via a variety of means, including BOGUS'ing the domains in DNS, blocking port 80 traffic to their network allocations, running an HTTP proxy that blocks them, etc. I presume that any minimally-competent censor could easily devise a first-order solution (using the software packages supplied with OpenBSD) in an afternoon.

It's a little trickier to do in practice. I kind of wish pfSense included such functionality by default, it'd be so killer. :-) Last I checked, it was possible-but-a-fair-bit-of-messing-around. Still, vote++ for pfSense.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
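The layer trade-off discussed in the message above (an IP-level rule stops matching once the site changes addresses, a name-level rule does not), as an added example that is not part of the original message or of any firewall product. The domain `social.example`, the RFC 5737 prefixes and all function names are constructed for illustration.

```python
import ipaddress

# Constructed policy data: social.example stands in for the blocked site, and
# the prefix comes from the RFC 5737 documentation ranges.
BLOCKED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
BLOCKED_DOMAINS = {"social.example"}


def normalize(host):
    """Lower-case a hostname and drop the trailing root dot."""
    return host.strip().lower().rstrip(".")


def ip_rule_blocks(addr):
    """Packet-filter style decision: is the destination in a blocked prefix?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_PREFIXES)


def name_rule_blocks(host):
    """Proxy/DNS style decision: is the host a blocked domain or a subdomain?

    Matching walks whole labels, so "notsocial.example" does not match
    "social.example" the way a plain endswith() test would.
    """
    labels = normalize(host).split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS
               for i in range(len(labels)))


def decide(host, resolved_addr):
    """Return which of the two rule types would block this connection."""
    return {"ip": ip_rule_blocks(resolved_addr),
            "name": name_rule_blocks(host)}


# Constructed observations: the same site before and after it renumbers,
# plus an unrelated host whose name merely ends in the same characters.
BEFORE = decide("www.social.example", "192.0.2.10")
AFTER = decide("WWW.Social.Example.", "198.51.100.7")
LOOKALIKE = decide("notsocial.example", "203.0.113.5")

if __name__ == "__main__":
    for label, result in (("before", BEFORE), ("after", AFTER),
                          ("lookalike", LOOKALIKE)):
        print(label, result)
```
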