|
Grex > Coop13 > #299: Policy issues regarding blocking outgoing network access | |
|
| Author |
Message |
nharmon
|
|
Policy issues regarding blocking outgoing network access
|
Dec 3 02:10 UTC 2005 |
I've created this item for the discussion of some of the ramifications
of using squid to filter outgoing web traffic from Grex. The last BoD
meeting minutes talk about using a separate system as a sort of bastion
host for grex...and then running squid on that system. Theoretically,
all outgoing connections would have to be through that system's squid
program.
|
| 14 responses total. |
nharmon
|
|
response 1 of 14:
|
Dec 3 02:13 UTC 2005 |
My first thought is this: Who will decide what gets filtered? I would be
concerned if there was not at least a written policy regarding only
filtering malicious attacks, and not say, "inappropriate" websites.
|
naftee
|
|
response 2 of 14:
|
Dec 3 04:42 UTC 2005 |
I'm sure your second thought is how your brain is still reeling from that
thought #1.
|
remmers
|
|
response 3 of 14:
|
Dec 3 14:52 UTC 2005 |
When Grex was in its previous location, we ran squid. I wasn't involved
in either the setup or maintenance of it, so I can't speak from
first-hand knowledge, but I believe that it was used to prevent HTTP
exploits. That's a reasonable and responsible thing for Grex to do.
I'd oppose using it for content filtering.
|
cross
|
|
response 4 of 14:
|
Dec 3 15:58 UTC 2005 |
I wonder why it has to be run on a separate machine.
|
nharmon
|
|
response 5 of 14:
|
Dec 3 18:38 UTC 2005 |
Steve wants a separate machine that can act like a firewall. Which would
put Grex into its own DMZ. And then if we also ran squid to prevent HTTP
exploits, I suppose it would not HAVE TO run on Grex, but could be run
on the other machine to free up resources on Grex.
|
cross
|
|
response 6 of 14:
|
Dec 3 18:54 UTC 2005 |
It's not clear to me that grex is resource constrained anymore; at least
not as far as things like squid go. What's more, we've already got pf;
any firewall configuration *could* be done on a single machine. Whether
that's the *best* way to go is debatable, but it is possible.
|
tsty
|
|
response 7 of 14:
|
Dec 4 07:22 UTC 2005 |
fwiw - i favor separate b0xen .. always have; always will. live with it.
|
nharmon
|
|
response 8 of 14:
|
Dec 4 13:38 UTC 2005 |
Boxen? Is that plural for box? Kinda like oxen is plural for Ox?
Boss! :)
|
kingjon
|
|
response 9 of 14:
|
Dec 4 13:49 UTC 2005 |
:)
Actually, Boxen is the imaginary country created by C.S. Lewis and his brother
as children, combining Animal-Land and India.
|
sabre
|
|
response 10 of 14:
|
Dec 10 16:20 UTC 2005 |
re#8 No....it's an English dialect called scripkidiot.
|
nharmon
|
|
response 11 of 14:
|
Dec 10 16:41 UTC 2005 |
HAHAHAH
|
tsty
|
|
response 12 of 14:
|
Dec 14 16:36 UTC 2005 |
re #8 ...yes, plural ... re #10 ... you appear as such a t{xtd0|t .../sigh
|
naftee
|
|
response 13 of 14:
|
Dec 14 23:22 UTC 2005 |
/unlucky
|
jesuit
|
|
response 14 of 14:
|
May 17 02:16 UTC 2006 |
TROGG IS DAVID BLAINE
|