[AusNOG] Public Internet Access Policies

Beeson, Ayden ABeeson at csu.edu.au
Wed Oct 8 12:45:37 EST 2014


We run internal DNS servers here, then filter anything else in or out, but if you were handing out OpenDNS then I’d say allowing that and blocking everything else would be completely acceptable too.

We also run this through a DPI device and do it based on signature, not port, so it wouldn’t work on any other port.

I see that as perfectly acceptable for something like a public internet service as well; if somebody is looking to use another DNS server for some obscure reason it can’t be something that you necessarily want to allow.

Other than that, the obvious basic things to block (which you may have done) would be SMTP in, DB server connections in, HTTP / HTTPS server ports inbound, SMB, AFP etc. If you cover those nobody is going to use your service for any hosting of anything and you can then use your whitelisting and blacklisting to control specific websites you don’t want to allow.

Happy to detail a more specific block list if you want, we have a fairly decent list of “standard” blocked services here, some in, some out, some both in and out.

A good DPI enforcement engine can do this all with a few simple rules, otherwise you might be looking at some ACLs etc. but this is just the basic coverall stuff…

I’m all for any public internet services, a few simple blocks and a good fair use / acceptable use policy and you should be ok.

Thanks,
Ayden Beeson
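
An added example, not part of the original message: the DNS restriction and inbound service blocks described in the reply above, written as a port-based nftables ruleset (the "ACLs" fallback rather than DPI). The interface names `lan0` and `wan0` and the port list are assumptions (the standard ports for the services named, not the poster's own block list), and a port match like this does not catch DNS moved to another port, which the reply handles with signature-based DPI.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread.
# Assumed names: lan0 = public client side, wan0 = upstream.

table inet public_access {
    # Resolvers handed out by DHCP (OpenDNS public resolver addresses)
    set dns_allowed {
        type ipv4_addr
        elements = { 208.67.222.222, 208.67.220.220 }
    }

    # Server ports that clients should not be reachable on (assumed list):
    # SMTP, HTTP, NetBIOS session, HTTPS, SMB, AFP, MSSQL, MySQL, PostgreSQL
    set hosting_ports {
        type inet_service
        elements = { 25, 80, 139, 443, 445, 548, 1433, 3306, 5432 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the clients opened
        ct state established,related accept
        ct state invalid drop

        # Inbound: count and drop attempts to reach server ports on clients.
        # The default policy drops the rest; the counter shows hosting attempts.
        iifname "wan0" oifname "lan0" tcp dport @hosting_ports counter drop

        # Outbound DNS: only to the allowed resolvers, over UDP or TCP
        iifname "lan0" oifname "wan0" ip daddr @dns_allowed meta l4proto { tcp, udp } th dport 53 accept
        # Any other port-53 traffic (IPv4 or IPv6) is counted and dropped
        iifname "lan0" oifname "wan0" meta l4proto { tcp, udp } th dport 53 counter drop

        # Remaining client-initiated traffic is allowed
        iifname "lan0" oifname "wan0" ct state new accept
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading it; once loaded, `nft list ruleset` shows the counters for dropped DNS and inbound hosting attempts.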

From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of David Beveridge
Sent: Wednesday, 8 October 2014 12:29 PM
To: Andrew Yager
Cc: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Public Internet Access Policies

By default my DHCP server hands out the OpenDNS name servers for name resolution.
I have decided which categories that my client IP address is allowed to look up and access without being redirected to my custom error pages.

I assume that someone who really wants to access porn sites or whatever will have to set up their own DNS resolver IP address instead of the ones I gave them by DHCP.

I suppose I could always block port 53 outbound if I wanted to be a real prick, but then someone would just set up a name service on some other port or use a VPN or whatever.

My idea is that by default with normal user settings some things are blocked for the average joe.  I've done my bit.

dave

On Wed, Oct 8, 2014 at 10:05 AM, Andrew Yager <andrew at rwts.com.au> wrote:
Hi,

We’re currently developing a public internet access solution for a public space, and one of the things we’re considering is content filtering as part of the solution.

Obviously the usual caveats apply around success, ability to circumvent, etc, but given all of these caveats, what are people’s general opinions on:

- is it a good idea to do this in a public space (think children, families, etc all around)
- what sort of filtering have you implemented in the past? We are looking at a solution that would do simple category filtering at the moment, with the option to blacklist and whitelist particular URLs
- what sort of categories would you generally block?

I’m personally of the opinion that it’s a “good idea” in this context although not foolproof.

Thanks,
Andrew

--
Andrew Yager, Managing Director   MACS (Snr) CP BCompSc MCP
Real World Technology Solutions Pty Ltd - IT people you can trust
ph: 1300 798 718 or (02) 9037 0500
fax: (02) 9037 0591
http://www.rwts.com.au/
