Re: OT (sort of): Best current practise for "open" access points?
Message Submission Agent - it is SMTP but on a higher port, and is
intended (as I understand it) for traffic from submitters - this means
you can force SMTP AUTH etc. Allowing outbound 25 is just asking for
spammers to waste bandwidth and get my IPs blacklisted.
OK, it's not too hard to configure your MTA so that spammers have no
chance, but that's not the point here.
I was thinking more along the lines of "this list of ports has no real
legitimate use on the wider internet". Think port 445 etc. Even ports
137 et al are useless and you should be using VPNs. VPN traffic is OK -
the source IP will not be one of mine, hence no embarrassment.
Then I would go the "normal" way: Deny all traffic and allow the ports
of the wanted traffic, e.g. http/https, spop3, simap, etc.
That's what pf is made for. :)
When I said "open" access, I meant for people / users with whom you have no
prior relationship. Perhaps I should have said "free restricted access".
I do not want to mandate any form of active proxy or authentication.
Passive proxying (squid etc.) may well be useable.
If your machine performs well enough, you should use squid. There are
several malware programs that use port 80 traffic.
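The "deny all, allow the wanted ports" policy discussed above, written out as a pf.conf for the anonymous segment. This is an added example, not a ruleset from anyone in the thread. Interface names, addresses and the squid port are assumptions: em0 is the uplink, wifi0 carries the anonymous clients on 10.10.0.0/24, the firewall itself serves DHCP and DNS to them, and squid listens on 127.0.0.1:3128 in intercept mode for the passive proxying mentioned at the end. It goes slightly beyond the text by adding a per-client connection cap, so one abusive machine cannot soak the uplink.

```pf
# pf.conf for a "free restricted access" wireless segment.
# Added example; names, addresses and ports below are assumptions.
ext_if   = "em0"
wifi_if  = "wifi0"
wifi_net = "10.10.0.0/24"

# What anonymous clients may reach on the wider Internet: HTTPS, message
# submission (587, RFC 6409, where the remote MSA enforces SMTP AUTH),
# IMAPS and POP3S. Plain HTTP is handled separately via squid.
allow_tcp = "{ 443, 587, 993, 995 }"
# VPN endpoints: IKE, IKE NAT-T, OpenVPN. The tunnel exits at the client's
# own provider, so nothing leaving it carries one of our addresses.
vpn_udp   = "{ 500, 4500, 1194 }"
# No legitimate use from an anonymous client: open SMTP relay, RPC, NetBIOS, SMB.
junk_tcp  = "{ 25, 135, 139, 445 }"
junk_udp  = "{ 137, 138 }"

table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <abusers> persist

set skip on lo

# NAT the wireless segment behind the uplink address.
match out on $ext_if from $wifi_net to any nat-to ($ext_if)

# Default deny, logged.
block log all

# Clients that tripped the rate limit below are cut off entirely.
block drop in quick on $wifi_if from <abusers>

# Services the firewall itself offers the segment: DHCP (broadcast, so the
# source is 0.0.0.0 and cannot be matched on $wifi_net) and DNS.
pass in quick on $wifi_if proto udp from any port 68 to any port 67
pass in quick on $wifi_if proto { tcp, udp } from $wifi_net to ($wifi_if) port 53

# Nothing else reaches private address space. The junk ports get their own
# logged rule so abuse attempts stand out in pflog from the default block.
block drop in quick log on $wifi_if from $wifi_net to <rfc1918>
block drop in quick log on $wifi_if proto tcp from $wifi_net to any port $junk_tcp
block drop in quick log on $wifi_if proto udp from $wifi_net to any port $junk_udp

# Passive proxying: plain HTTP is redirected into squid transparently.
pass in quick on $wifi_if proto tcp from $wifi_net to any port 80 \
    rdr-to 127.0.0.1 port 3128

# The allow list, stateful. Per-client cap: at most 40 open connections and
# 30 new ones per 10 seconds; an offender's states are flushed and the
# source address lands in <abusers>.
pass in quick on $wifi_if proto tcp from $wifi_net to any port $allow_tcp \
    flags S/SA keep state \
    (max-src-conn 40, max-src-conn-rate 30/10, overload <abusers> flush global)
pass in quick on $wifi_if proto udp from $wifi_net to any port $vpn_udp
pass in quick on $wifi_if proto esp from $wifi_net to any
pass in quick on $wifi_if inet proto icmp from $wifi_net to any icmp-type echoreq

# The NATed traffic, and the firewall's own, out the uplink.
pass out quick on $ext_if
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -t abusers -T show` lists clients that hit the cap, and `tcpdump -n -e -ttt -i pflog0 port 25 or port 445` shows who is trying the junk ports.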