Re: OT (sort of): Best current practise for "open" access points?
Volker Kindermann wrote:
> what is MSA?
Message Submission Agent - it is SMTP but on a higher port, and is
intended (as I understand it) for traffic from submitters - this means
you can force SMTP AUTH etc. Allowing outbound 25 is just asking for
spammers to waste bandwidth and get my IPs blacklisted.
I was thinking more along the lines of "this list of ports has no real
legitimate use on the wider internet". Think port 445 etc. Even ports
137 et al are useless and you should be using VPNs. VPN traffic is OK -
the source IP will not be one of mine, hence no embarrassment.
> > blocking common outbound virus traffic,
> To distinguish virus traffic from "normal" traffic you need some sort
> of application level gateway like squid for http traffic or an MTA for
> mail traffic. Pf is great but limited to the header information of the
> A solution that worked for me is to use the user_auth feature of pf.
> Before authenticating my wireless users may only get DNS information
> and ssh to the AP (of course). After authentication there are separate
> rules for each user. But this doesn't protect me from users doing nasty
> things with the protocols they are allowed.
> The only way to do this is to use application proxies.
When I said "open" access, I meant for people / users with whom you have no
prior relationship. Perhaps I should have said "free restricted access".
I do not want to mandate any form of active proxy or authentication.
Passive proxying (squid etc.) may well be usable.
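A pf.conf fragment for the kind of "free restricted access" policy described in this thread, added here as an illustration and not taken from any poster: no user_auth, outbound port 25 blocked, submission (587) allowed, LAN-only ports dropped, and web traffic passively handed to squid. The interface names, client subnet and squid port are assumptions.

```pf
# Added example (not from the thread): pf.conf egress policy for an open
# AP along the lines the poster describes: no authpf/user_auth, outbound
# SMTP (25) blocked, MSA/submission (587) allowed, LAN-only ports dropped,
# web traffic passively redirected to squid. Interface names, the client
# subnet and the squid port are assumptions.
ext_if   = "em0"            # upstream interface (assumed)
wifi_if  = "wlan0"          # AP-facing interface (assumed)
wifi_net = "10.0.0.0/24"    # anonymous client subnet (constructed)
table <clients> { $wifi_net }

# Ports with no legitimate use across the wider Internet from an AP:
# MS-RPC and SMB/NetBIOS. Leaking them only advertises Windows hosts.
lan_only = "{ 135, 137, 138, 139, 445 }"

set skip on lo
block log all      # default deny; everything below is an exception

# Clients may query the AP's resolver; nothing else on the box is exposed
pass in quick on $wifi_if inet proto { tcp, udp } \
    from <clients> to ($wifi_if) port domain
block in log quick on $wifi_if inet from <clients> to ($wifi_if)

# Drop LAN protocols and direct SMTP (spam source, gets the AP's IPs listed)
block in log quick on $wifi_if inet proto { tcp, udp } \
    from <clients> to any port $lan_only
block in log quick on $wifi_if inet proto tcp from <clients> to any port smtp

# Submission (587) is fine: the MSA at the far end can enforce SMTP AUTH
pass in quick on $wifi_if inet proto tcp from <clients> to any port submission

# Passive proxying: transparently hand web traffic to squid on the AP
pass in quick on $wifi_if inet proto tcp from <clients> to any port www \
    rdr-to 127.0.0.1 port 3128

# Everything else, VPNs included, is NAT'd out; the AP's own traffic
# (squid fetches, its resolver) also needs to leave
pass in on $wifi_if inet from <clients> to any
pass out on $ext_if inet from <clients> to any nat-to ($ext_if)
pass out on $ext_if inet from ($ext_if) to any
```

The `quick` keyword matters here because pf otherwise applies the last matching rule, so without it the final catch-all pass would override both the SMB/SMTP blocks and the squid redirect. Squid must be listening in interception mode on the redirect port for the rdr-to rule to be useful.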