
Re: OT (sort of): Best current practise for "open" access points?



Volker Kindermann wrote:

what is MSA?


Message Submission Agent - it is SMTP but on a higher port, and is intended (as I understand it) for traffic from submitters - this means you can force SMTP AUTH etc. Allowing outbound 25 is just asking for spammers to waste bandwidth and get my IPs blacklisted.


blocking common outbound virus traffic,


To distinguish virus traffic from "normal" traffic you need some sort of application level gateway like squid for http traffic or an MTA for mail traffic. Pf is great but limited to the header information of the packets.

I was thinking more along the lines of "this list of ports has no real legitimate use on the wider internet". Think port 445 etc. Even ports 137 et al are useless and you should be using VPNs. VPN traffic is OK - the source IP will not be one of mine, hence no embarrassment.

A solution that worked for me is to use the user_auth feature of pf. Before authenticating my wireless users may only get DNS information and ssh to the AP (of course). After authentication there are separate rules for each user. But this doesn't protect me from users doing nasty things with the protocols they are allowed to use.

The only way of doing this is to use application proxies.


When I said "open" access, I meant for people/users with whom you have no prior relationship. Perhaps I should have said "free restricted access". I do not want to mandate any form of active proxy or authentication. Passive proxying (squid etc.) may well be usable.


Peter
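As an added illustration (not from either poster), here is what the egress policy discussed in this thread looks like as a pf.conf fragment: unauthenticated guests get DNS, web and the submission port (587), outbound 25 and the Windows service ports are dropped and logged, and an authpf anchor is left for the per-user rules Volker describes. The interface name, guest subnet and the assumption that "user_auth" refers to authpf are mine.

```pf
# Added example, not from the thread. Interface and subnet are assumptions.
wifi_if   = "wi0"
guest_net = "10.10.0.0/24"

# Ports with no legitimate use from a guest network toward the Internet:
# SMTP relay (25) and Windows RPC/NetBIOS/SMB (135-139, 445).
smtp_port = "25"
win_ports = "{ 135:139, 445 }"

set skip on lo
scrub in

# Default deny for everything arriving from the wireless side.
# pf is last-match, so the specific pass rules below override this.
block in log on $wifi_if

# Guests may reach the AP itself only for DNS and ssh (ssh is what authpf uses).
pass in on $wifi_if proto udp from $guest_net to $wifi_if port 53
pass in on $wifi_if proto tcp from $guest_net to $wifi_if port 22

# What an unauthenticated guest needs on the wider Internet.
pass in on $wifi_if proto { tcp, udp } from $guest_net to any port 53
pass in on $wifi_if proto tcp from $guest_net to any port { 80, 443 }
# Mail leaves only via the submission port, where the MSA can enforce SMTP AUTH.
pass in on $wifi_if proto tcp from $guest_net to any port 587

# Restate the two "never from here" cases explicitly and log them, so abuse
# attempts are visible in pflog even if a later pass rule is added by mistake.
block in log quick on $wifi_if proto tcp from $guest_net to any port $smtp_port
block in log quick on $wifi_if proto { tcp, udp } from $guest_net to any port $win_ports

# Once a user logs in over ssh, authpf loads that user's rules into this anchor.
anchor "authpf/*"
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -i pflog0` to see which guest traffic is hitting the logged blocks.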