<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-AU link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>We run internal DNS servers here, then filter anything else in or out, but if you were handing out openDNS then I’d say allowing that and blocking everything else would be completely acceptable too.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>We also run this through a DPI device and do it based on signature, not port, so it wouldn’t work on any other port.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>I see that as perfectly acceptable for something like a public internet service as well, if somebody is looking to use another DNS server for some obscure reason it can’t be something that you necessarily want to allow.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>Other than that, the obvious basic things to block (which you may have done) would be SMTP in, DB server connections in, HTTP / HTTPS server ports inbound, SMB, AFP etc. If you cover those nobody is going to use your service for any hosting of anything and you can then use your whitelisting and blacklisting to control specific websites you don’t want to allow.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>Happy to detail a more specific block list if you want, we have a fairly decent list of “standard” blocked services here, some in, some out, some both in and out.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>A good DPI enforcement engine can do this all with a few simple rules, otherwise you might be looking at some ACLs etc. but this is just the basic coverall stuff…<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>I’m all for any public internet services, a few simple blocks and a good fair use / acceptable use policy and you should be ok.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#333333'>Ayden Beeson<i> </i></span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> AusNOG [mailto:ausnog-bounces@lists.ausnog.net] <b>On Behalf Of </b>David Beveridge<br><b>Sent:</b> Wednesday, 8 October 2014 12:29 PM<br><b>To:</b> Andrew Yager<br><b>Cc:</b> ausnog@lists.ausnog.net<br><b>Subject:</b> Re: [AusNOG] Public Internet Access Policies<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>By default my DHCP server hands out the OpenDNS name servers for name resolution.<o:p></o:p></p><div><p class=MsoNormal>I have decided which categories that my client IP address is allow to look up and access without being redirected to my custom error pages.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I assume that someone who really wants to access porn sites or whatever will have to setup their own DNS resolver IP address instead of the ones I gave them by DHCP.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I suppose I could always block port 53 outbound if I wanted to be a real prick, but then someone would just setup a name service on some other port or use a VPN or whatever.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>My idea is that by default with normal user settings some things are blocked for the average joe. I've done my bit.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>dave<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Wed, Oct 8, 2014 at 10:05 AM, Andrew Yager <<a href="mailto:andrew@rwts.com.au" target="_blank">andrew@rwts.com.au</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><p class=MsoNormal>Hi,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>We’re currently developing a public internet access solution for a public space, and one of the things we’re considering is content filtering as part of the solution.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Obviously the usual caveats apply around success, ability to circumvent, etc, but given all of these caveats, what are people’s general opinion on:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>- is it a good idea to do this in a public space (think children, families, etc all around)<o:p></o:p></p></div><div><p class=MsoNormal>- what sort of filtering have you implemented in the past? We are looking at a solution that would do simple category filtering at the moment, with the option to blacklist and whitelist particular URLs<o:p></o:p></p></div><div><p class=MsoNormal>- what sort of categories would you generally block?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I’m personally of the opinion that it’s a “good idea” in this context although not fool proof.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal>Andrew<o:p></o:p></p></div><div><p class=MsoNormal><span style='color:#888888'><br>-- <br>Andrew Yager, Managing Director MACS (Snr) CP BCompSc MCP<br>Real World Technology Solutions Pty Ltd - IT people you can trust<br>ph: 1300 798 718 or (02) 9037 0500<br>fax: (02) 9037 0591<br><a href="http://www.rwts.com.au/" target="_blank">http://www.rwts.com.au/</a><o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>AusNOG mailing list<br><a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></p></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div>
<P><A title="Charles Sturt University" href="http://www.csu.edu.au/"><IMG
border=0 alt="Charles Sturt University"
src="cid:csu-logo4da5.bmp"></A></P>
<P
style="FONT-FAMILY: Arial, Helvetica, sans-serif; COLOR: #c42129; FONT-SIZE: 8px">| ALBURY-WODONGA | BATHURST | CANBERRA | DUBBO | GOULBURN | MELBOURNE | ONTARIO | ORANGE | PORT
MACQUARIE | SYDNEY | WAGGA
WAGGA |</P>
<HR>
<SPAN
style="FONT-FAMILY: Arial, Helvetica, sans-serif; FONT-SIZE: 9px; FONT-WEIGHT: bold">LEGAL
NOTICE</SPAN><BR><SPAN
style="FONT-FAMILY: Arial, Helvetica, sans-serif; FONT-SIZE: 9px">This email
(and any attachment) is confidential and is intended for the use of the
addressee(s) only. If you are not the intended recipient of this email, you must
not copy, distribute, take any action in reliance on it or disclose it to
anyone. Any confidentiality is not waived or lost by reason of mistaken
delivery. Email should be checked for viruses and defects before opening.
Charles Sturt University (CSU) does not accept liability for viruses or any
consequence which arise as a result of this email transmission. Email
communications with CSU may be subject to automated email filtering, which could
result in the delay or deletion of a legitimate email before it is read at CSU.
The views expressed in this email are not necessarily those of CSU.</SPAN>
<P style="FONT-FAMILY: Arial, Helvetica, sans-serif; FONT-SIZE: 9px"><A
style="COLOR: #c42129" href="http://www.csu.edu.au">Charles Sturt University in
Australia</A> The Grange Chancellery, Panorama Avenue, Bathurst NSW Australia
2795 (ABN: 83 878 708 551; CRICOS Provider Number: 00005F (National)). TEQSA
Provider Number: PV12018 <BR><A style="COLOR: #c42129"
href="http://www.charlessturt.ca/">Charles Sturt University in Ontario</A> 860
Harrington Court, Burlington Ontario Canada L7N 3N4 Registration: <A
style="COLOR: #c42129" href="http://www.peqab.ca">www.peqab.ca</A></P>
<P style="FONT-FAMILY: Arial, Helvetica, sans-serif; FONT-SIZE: 9px"><IMG
style="WIDTH: 79px; HEIGHT: 66px" border=0 hspace=0 alt=""
src="cid:anniversay2c76.bmp"
width=124 height=99></P><SPAN
style="FONT-FAMILY: Arial, Helvetica, sans-serif; FONT-SIZE: 9px">Consider the
environment before printing this email.</SPAN> <br></body></html>