Re: [SLUG] OT: M$ deals the final blow

From: steve szmidt (steve@szmidt.org)
Date: Wed Sep 15 2004 - 13:13:09 EDT


On Wednesday 15 September 2004 12:34 pm, Chad Perrin wrote:
> Levi Bard wrote:
> >>Make sure that the Windows machine doesn't get used as a zombie or
> >> Typhoid Mary to annoy or infect thousands of other people.
> >
> > I wouldn't worry about it too much. One more would be a drop in the
> > bucket at this point. Or maybe I should say a spit in the hurricane?
>
> I would worry about it, because I'd rather not be part of the problem.
> One more zombie box may not seem to make any difference in the grand
> scheme of things, but one more zombie box can make the difference for
> one individual person, and I'd rather not be responsible for that.
>
> Levi Bard wrote:
> >>Don't you think that's just a tad irresponsible?
> >
> > No. If 100 million people can do it just because they're too lazy to
> > download updates, then one person can do it for the sake of testing.
>
> Can, yes. Should, no. See my above comment: it's irresponsible.

In principle I like Levi's idea.

One way around being part of the problem would of course be to closely monitor
the box and if it is sending out more than is going in, something is probably
wrong.

One way of making this invisible is to install an OpenBSD Firewall Bridge.
It's invisible to the net, but you can monitor traffic and block as you desire
from the console.

You could even have a machine hooked up to a third NIC that gives you the
remote access. (The OBSD interface is rather hardcore, so sshing into it is usually
preferable. You can even use fish: to access it from konqueror, and get a GUI
view.)

Now you can let both test platforms be up and running inside the bridge
simultaneously, and still monitor the traffic safely.

Prepare a couple of pf.conf files (firewall config files), or more, which have
different types of blocks already made, to rapidly activate the kind of block
you may want to do. Like port 25 and 80.

Then typing pfctl -f <new config file> will rapidly activate your block. For
the guy on the other side, the server he was in just disappeared as if
disconnected.

You could possibly write a script that monitors traffic and kills a port which
has too much traffic outbound. Then it would be automatic.

Brighthouse charges $10/mth for an extra dhcp IP. They don't even mind you
having it up only for one day.

You could watch traffic from both quite nicely.

-- 
Steve Szmidt

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.
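An added example, not part of the original post: a POSIX sh sketch of the setup Steve describes, with one of the prepared pf.conf files (dropping the test box's outbound mail and web) and the "more going out than coming in" check that picks which file to hand to pfctl -f. The interface names em0/em1, the test-box address 192.0.2.10, the ruleset paths, and the "netstat -ib" column layout are assumptions, and the counter lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: em0 is the bridge's outside
# NIC, em1 the inside one, the test box is 192.0.2.10 (placeholder), ruleset paths
# are placeholders, and counter lines follow "netstat -ib" layout (Ibytes = field 7,
# Obytes = field 10).
BLOCK_RULES=/etc/pf.conf.block     # pre-built ruleset that cuts the box off
NORMAL_RULES=/etc/pf.conf          # everyday ruleset
RATIO_LIMIT=3                      # outbound:inbound byte ratio that counts as "wrong"

# One of the prepared pf.conf files: drop the test box's outbound mail and web.
block_ruleset() {
cat <<'EOF'
test_box = "192.0.2.10"
set skip on lo0
pass all
block out quick on em0 proto tcp from $test_box to any port { 25 80 }
EOF
}

# Constructed "netstat -ib" samples for the inside NIC, taken some time apart.
SAMPLE_BEFORE='em1 1500 <Link> 00:11:22:33:44:55 1200 0 1900000 900 0 2100000 0'
SAMPLE_BUSY='em1 1500 <Link> 00:11:22:33:44:55 1300 0 1950000 4800 0 9800000 0'
SAMPLE_QUIET='em1 1500 <Link> 00:11:22:33:44:55 1700 0 2100000 950 0 2150000 0'

in_bytes()  { printf '%s\n' "$1" | awk '{print $7}'; }
out_bytes() { printf '%s\n' "$1" | awk '{print $10}'; }

# True when bytes sent since the first snapshot exceed RATIO_LIMIT times bytes received.
outbound_excessive() {
    din=$(( $(in_bytes "$2") - $(in_bytes "$1") ))
    dout=$(( $(out_bytes "$2") - $(out_bytes "$1") ))
    if [ "$din" -lt 1 ]; then din=1; fi      # idle link: avoid dividing by zero
    [ $(( dout / din )) -ge "$RATIO_LIMIT" ]
}

# Print which prepared file to load for this pair of snapshots.
choose_ruleset() {
    if outbound_excessive "$1" "$2"; then echo "$BLOCK_RULES"; else echo "$NORMAL_RULES"; fi
}

# The activation step from the post; run only on the OpenBSD bridge itself.
apply_ruleset() { pfctl -f "$1"; }

# On the bridge, uncomment: snapshot, wait, snapshot, act.
# b=$(netstat -ib | awk '$1=="em1" && $3=="<Link>"'); sleep 60
# a=$(netstat -ib | awk '$1=="em1" && $3=="<Link>"')
# apply_ruleset "$(choose_ruleset "$b" "$a")"
```

Run it on a cron or loop on the bridge; with the busy sample it selects the blocking file, with the quiet one the normal file.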



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:43:24 EDT