Bugtraq mailing list archives

Re: ICMP nukes?


From: ccdes () ccdes princeton nj us (Carl Corey)
Date: Thu, 28 Apr 1994 09:15:36 -0500


Also, is there a way to block people running FSP without blocking all
udp packets or relying on blocking udp to certain ports?  I may not
be around full-time on this system, so it is conceivable for a user
to set up their own fsp server in their home dir and not have me
notice it for a few weeks or so.

Why would you _want_ to block that?  That doesn't put your system at
any more risk than it already is by allowing said user connectivity to
the world of any sort, as far as I can see.

I don't want people to pirate to/from my machine.  It's a waste of
disk space to have all 35 megs of the latest game taking up space I could be
using for increased functionality (perl, etc.)

Unless you have some users connecting via, say, dialup, that you want
to restrict from all network access of any sort; in this case, the only
effective measures I can see are either (a) a sufficiently restricted
environment that they can't import arbitrary programs or (b) having the
kernel refuse network services to them unconditionally.

I will have users via dialup but network services are important, including
being able to ftp to and telnet to my site.  I was hoping that the router
could screen packets by protocol type.  Perhaps I could write a daemon to
determine what any UDP listeners are and report back.
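
The listener-reporting daemon suggested at the end of the message, sketched as an added example that is not part of the original post. It assumes a Linux host exposing `/proc/net/udp`, a little-endian CPU, and a hypothetical `min_uid` cutoff of 1000 separating ordinary user accounts from system ones; the sample table is constructed.

```python
import socket
import struct

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11111 2 0000000000000000 0
   1: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 22222 2 0000000000000000 0
   2: 00000000:5208 00000000:0000 07 00000000:00000000 00:00000000 00000000  1001        0 33333 2 0000000000000000 0
   3: 0A00000A:C350 0B00000A:0035 01 00000000:00000000 00:00000000 00000000  1001        0 44444 2 0000000000000000 0
"""

def decode_addr(field):
    """Turn '0100007F:0035' into ('127.0.0.1', 53)."""
    ip_hex, port_hex = field.split(":")
    # Assumption: little-endian host, so the printed hex word is byte-reversed.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_udp_table(text):
    """Return one dict per socket row, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue  # blank or truncated row
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows

def user_listeners(text, min_uid=1000):
    """Sockets with no connected peer, owned by uid >= min_uid (hypothetical cutoff)."""
    hits = []
    for r in parse_udp_table(text):
        unconnected = r["remote"] == ("0.0.0.0", 0)
        if unconnected and r["uid"] >= min_uid:
            hits.append((r["local"][0], r["local"][1], r["uid"]))
    return sorted(hits)

if __name__ == "__main__":
    try:
        with open("/proc/net/udp") as fh:  # IPv4 only; /proc/net/udp6 is not read
            table = fh.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed sample off Linux
    for ip, port, uid in user_listeners(table):
        print(f"uid {uid} has a UDP socket bound to {ip}:{port}")
```

The connected socket in row 3 (an outbound lookup by the same user) is not reported, so ordinary client traffic does not show up as a server.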


