Re: [fw-wiz] (no subject)

On Mon, 2006-06-19 at 22:18 -0400, Paul D. Robertson wrote:
I've yet to meet a protocol designer who thought "Oh, people won't want to
run my thing, I should make it easy to stop it."


actually, I shouldn't have said protocol but setup or design. The issue
here is not the protocol. The problem was:

"Does anyone have any ideas for blocking Google's new Google Talk
client without blocking the Google web site? The IP addresses that the
Talk client uses are the same addresses that resolve for Google."

So if the Google search engine and the Google Talk thingy use the same
IP, and you can't block by IP the Talk stuff without affecting the
Search web site, what does that tell you about their setup? Was this
purely a coincidence, or was that *by design*? It seems it's the later.
If Google Talk was using a different IP address than the Search Engine,
the correct response would have been "Just block IP x.y.z.c". Instead
the response was something more convoluted to filter name resolution.

Mind you, that was an authoritative answer from Google, not from some
helpful soul trying to stop the Google talk. *That's* what caused a
spray of coffee over the table.

That's been true of every new protocol in the last 6 or 7 years, if not
longer. If you're going to let users install things, you're going to have
to deal with it. Software restriction policies, ACLs, etc. You can't
give up control of the end platform, then expect to get decent security
by blocking arbitrary ports.

Again, that wasn't the point here. The issue was that Google is
providing two types of services on the same address in such a way that
you have to jump through hoops in order to disable one. I'm sure Google
is large enough that they can afford more than one IP address. :)

But looky here! Today I get:

# host is an alias for has address is an alias for is an alias for

# host is an alias for has address has address is an alias for is an alias for

So it would appear that the initial reports are wrong and the IP
addresses are indeed different. Hopefully you are able to block all
distributed IP's for while leaving at least some for unblocked so you can use the search engine.

And if that is still not possible, if Google makes it so hard to prevent
access to certain services without affecting the search engine, then you
can always just not use Google and use another search engine instead.

People seem to forget that they have a choice. They should resist
getting wrestled into submission my mega-corporations. Sadly, most folks
"go with the flow" and buy secondary and tertiary programs designed to
keep faulty and broken primary programs running. They do whatever told
by large corporations so that these can continue to profit.

But again, off topic. If no one sees something wrong with a vendor
giving a lame-duck answer to a problem or challenge that is presented on
purpose or by design, then perhaps ignorance is bliss.

Feel free to continue telling me how I should bow to protocols and just
go with it since we lost the fight anyway. I won't :)


It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

Attachment: signature.asc
Description: This is a digitally signed message part

firewall-wizards mailing list