
Re: OT (sort of): Best current practise for "open" access points?



Hi Peter,


> Message Submission Agent - it is SMTP but on a higher port, and is intended (as I understand it) for traffic from submitters - this means you can force SMTP AUTH etc. Allowing outbound 25 is just asking for spammers to waste bandwidth and get my IPs blacklisted.

ok, it's not too hard to configure your MTA so that spammers have no chance, but that's not the point here.

> I was thinking more along the lines of "this list of ports has no real legitimate use on the wider internet". Think port 445 etc. Even ports 137 et al are useless and you should be using VPNs. VPN traffic is OK - the source IP will not be one of mine, hence no embarrassment.

Then I would go the "normal" way: Deny all traffic and allow the ports of the wanted traffic, e.g. http/https, spop3, simap, etc.

That's where pf is made for. :)

> When I said "open" access, I meant for people / users you have no prior relationship with. Perhaps I should have said "free restricted access". I do not want to mandate any form of active proxy or authentication. Passive proxying (squid etc.) may well be usable.

If your machine performs well enough, you should use squid. There are several malware programs that use port 80 traffic.



-volker
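The following pf ruleset is an added example for the setup discussed in this thread; it was not posted by Volker or Peter and is not taken from the list. It puts the three points above into one file: a default deny with an allow-list for the wanted services (https, submission on 587 with SMTP AUTH instead of outbound 25, imaps, pop3s, VPN), an explicit block of the NetBIOS/SMB ports from the open segment, and a transparent redirect of guest port 80 traffic to squid. Everything concrete in it is an assumption: classic pf syntax with separate nat/rdr rules (FreeBSD, or OpenBSD before 4.7), em0 as the uplink, ath0 as the open wireless segment, 10.20.0.0/24 as the guest range, squid on the gateway at its default port 3128, and IPsec (IKE/NAT-T/ESP) and OpenVPN on 1194 as the VPN types guests use.

```pf
# Added example for this thread, not a ruleset posted by Volker or Peter.
# Assumptions: classic pf syntax (FreeBSD / OpenBSD before 4.7, where nat
# and rdr are separate rules), em0 as uplink, ath0 as the open wireless
# segment, 10.20.0.0/24 as the guest range, squid on the gateway at 3128,
# and IPsec / OpenVPN as the VPN types guests are expected to use.
ext_if    = "em0"
guest_if  = "ath0"
guest_net = "10.20.0.0/24"
squid     = "3128"

# What guests may reach directly: https, submission (587, SMTP AUTH),
# imaps and pop3s. Port 25 is deliberately absent.
guest_out_tcp = "{ 443, 587, 993, 995 }"
# VPN: IKE, NAT-T and OpenVPN's default port; ESP is passed separately.
vpn_udp = "{ 500, 4500, 1194 }"
# No legitimate use across the internet: NetBIOS / SMB.
lan_only = "{ 137, 138, 139, 445 }"

set skip on lo

# Translation: guests leave with the uplink address; their port-80 traffic
# is handed to squid instead of going out (squid must listen in
# transparent/intercept mode for this to work).
nat on $ext_if from $guest_net to any -> ($ext_if)
rdr on $guest_if proto tcp from $guest_net to any port 80 -> 127.0.0.1 port $squid

# Default deny, logged, so anything not listed below shows up in pflog.
block log all

# Fail fast and log: SMB/NetBIOS and direct SMTP from the open segment.
block return-rst  in quick log on $guest_if proto tcp from $guest_net to any port $lan_only
block return-icmp in quick log on $guest_if proto udp from $guest_net to any port $lan_only
block return-rst  in quick log on $guest_if proto tcp from $guest_net to any port 25

# Basic plumbing the guests need from the gateway itself.
pass in on $guest_if proto udp from any port 68 to any port 67 keep state          # DHCP
pass in on $guest_if proto udp from $guest_net to ($guest_if) port 53 keep state   # local resolver
# After the rdr above, guest web traffic has 127.0.0.1:3128 as its destination.
pass in on $guest_if proto tcp from $guest_net to 127.0.0.1 port $squid keep state

# The allowed outbound set.
pass in on $guest_if proto tcp from $guest_net to any port $guest_out_tcp keep state
pass in on $guest_if proto udp from $guest_net to any port $vpn_udp keep state
pass in on $guest_if proto esp from $guest_net to any

# Everything that made it this far may leave on the uplink.
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as loaded, and `tcpdump -n -e -ttt -i pflog0` shows what the `block log` rules are catching, which is the quickest way to see whether a guest application is trying to leave on a port that is not in the allow-list.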