Well, my school district is nice enough to block
many ports. Just off the top of my head here are the ones they currently
block/filter:
22/tcp ssh
23/tcp telnet
25/tcp smtp
80/tcp http (filtered via Novell Proxy)
110/tcp pop-3
113/tcp auth
6667/tcp, 6666/tcp, 7000/tcp irc
8080/tcp http-proxy
26000/tcp doom
(Also a random collection of filesharing ports: FastTrack network, Gnutella, Napster, etc.)
Now, I personally would like them to not block any
of these ports, because no matter what they block, it is possible for a user to
circumvent the blocking. The only thing blocking ports does is create
havoc for legitimate users of the network. Now I will be a hypocrite and
say if the use of any one service is damaging the network performance enough to
create problems for other users, and it is not a legitimate use, then perhaps
the admins should take action against the users that are using the network
wrongly instead of creating havoc for legitimate users. For example, I use
SSH extensively (better than telnet :) ) for connecting to my home server that I
use for much of MyPHPSchools Development. However, because they are blocking
the port, I was forced to simply bind sshd to a higher port that is not
filtered. This just illustrates that for a legitimate use, I was forced to
do something that most non-Open Source OS users would not be able to do for
a legitimate use. Another example is one of the teachers I know wanted to
be able to check his ISP's email at school because he had his students send in an
assignment to his ISP email address. Because of my district's blocking of
pop3 it was impossible to do this. (We can get into web based solutions etc., but
it was a hassle for a non-technical user.)
From my point of view as an end user, and also as the
person every 2nd period that has to go help teachers with problems on their
computers, I find port blocking does nothing but stop non-technical users from
using the network as they normally would like to. Even though port blocking
may stop some wrongful uses on the network, any fairly competent computer user
can bypass this by a myriad of methods. I think it would be much better
for Network Admins to monitor network traffic and if a user is disrupting the
network using a non-legitimate program, go after the user, and that will make
people shape up. To see this, simply look at this quote from http://www.stac.org/projects.php?do=load&file=lbjwww.proj#objectionable:
Solution to Tracking Objectionable Content
Another PERL script originally conceived by Peter
Jensen, and rewritten by myself, implements an effective solution to limiting
the amount of objectionable content students can obtain over the Internet at LBJ
High School.
The script parses the output from squid and does a
little bit of analysis on the content of the URL. If the URL is deemed
objectionable, the script sends an alpha-numeric message to the pager of a
network administrator. The message includes the time, URL, and computer the
request came from. The script decides whether or not a URL is questionable by a
configurable list of rules. The administrator can then confront the student,
decide on the disciplinary action to be taken, and inform any relevant teachers
of the situation.
The biggest benefit of this kind of solution is the
word of mouth of the users. What we witnessed at LBJ was that as soon as we
implemented this script and started to catch students looking at questionable
material, other students started to get the idea that we closely monitor the web
traffic. They really had no idea how we accomplished this, but what they did
know was that if they were caught looking at objectionable content, they would
lose their Internet access. This significantly and quickly reduced the number of
pornographic- and violence-related web pages that people were viewing and forced
the students to start using judgment about the relevance of their web-related
activities to educational goals.
I think that is the best solution I have ever seen
in schools, and wish it was implemented more often instead of blindly blocking
ports.
-Paul Querna
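
The log-monitoring approach described in the quoted passage, sketched as an added example; it is not the LBJ/STAC script and not part of the original post. It assumes Squid's native access.log format, and the rule list, addresses and log lines are all constructed for illustration.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed rule list (assumption): (label, regex applied to host + path).
RULES = [
    ("keyword", re.compile(r"(?:^|[^a-z])(?:porn|xxx)(?:[^a-z]|$)", re.I)),
    ("blocked-domain", re.compile(r"(?:^|\.)badsite\.example(?:/|$)", re.I)),
]

# Constructed sample: time elapsed client result/status bytes method URL ident peer type
SAMPLE_LOG = """\
1000000000.123 210 10.1.4.22 TCP_MISS/200 5120 GET http://www.school.example/homework.html - DIRECT/192.0.2.10 text/html
1000000060.500 340 10.1.4.37 TCP_MISS/200 8811 GET http://badsite.example/gallery/1.jpg - DIRECT/192.0.2.66 image/jpeg
1000000075.000 12 10.1.7.5 TCP_DENIED/403 1300 CONNECT secure.example:443 - NONE/- text/html
garbage line that is not a log record
1000000090.250 95 10.1.4.22 TCP_HIT/200 2048 GET http://images.example/XXX-pics/a.gif - NONE/- image/gif
"""

def parse_line(line):
    """Return (utc_time, client, url), or None for a malformed record."""
    fields = line.split()
    try:
        when = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
        return when, fields[2], fields[6]
    except (IndexError, ValueError, OverflowError, OSError):
        return None

def classify(url):
    """Return the label of the first rule matching host + path, else None."""
    # CONNECT requests log "host:port" with no scheme, so add "//" for urlsplit.
    parts = urlsplit(url if "://" in url else "//" + url)
    target = (parts.hostname or "") + parts.path
    for label, pattern in RULES:
        if pattern.search(target):
            return label
    return None

def scan(log_text):
    """Return one alert string (time, client, URL, rule) per flagged request."""
    alerts = []
    for record in filter(None, map(parse_line, log_text.splitlines())):
        when, client, url = record
        label = classify(url)
        if label:
            alerts.append(f"{when:%Y-%m-%d %H:%M:%S}Z {client} {url} [{label}]")
    return alerts

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_LOG)))
```

Each alert carries the three fields the quoted passage mentions: the time, the URL, and the computer the request came from.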