Hi,
On Fri, 2 Jul 2004, Georges Toth wrote:
>> no need to do
>> a TOFU, you know?
> which means?
"Text Oben Fullquote Unten" (text on top, full quote underneath) - bad form.
I know, we already had the discussions about proper quoting
a couple of weeks ago ;-)
>> Guess what,
>> @work we have a few dialup lines, normal users of
>> these have only a very few "standard" ports open towards the
>> internal network.
> it's a different story whether we talk about work or isp.
Indeed. It's still something that IMHO would accommodate most
normal users. I know perfectly well that the people participating
in this discussion do not belong in that category.
>> Your normal
>> internet-surfing 0815 guy will not need much more
>> than DNS, FTP, HTTP, and SMTP via the ISP mailserver - maybe
>> some high ports for stuff like chat, p2p, streaming media.
>> That's exactly the kind of use I'm talking about.
> right. but because of those joe users, others should have everything blocked
> as well?
> wow kewl...
As a default setting, that wouldn't be so bad.
>> People that
>> actually use other stuff - say, SSH - are rather
>> rare.
> think so?
Yes. One of these days I'll go sniffing some traffic on the
backbone here - I'll see about producing stats about the
protocols used. Even though it's a somewhat special environment,
it should be close to the typical use.
>> Those
>> relatively clued users could for instance be
>> accommodated by a filter adaptable through some webinterface.
> i don't think so.
> i rather think that IF they start blocking everything, they will do so and
> nothing else.
That's your assumption. I explicitly proposed that exception
mechanism.
> so no webinterface, and no exceptions.
> it would be a great idea if they would block everything and then give you
> access to a webinterface and let you do what you want (open everything, some,
> none). but i doubt something like that would happen....
Well, it's certainly something I could live with - essentially,
it would be a user-configurable firewall service, hopefully with
sanity checks included (too easy to get things very wrong).
>> I know this is
>> problematic for an ISP. For companies, this
>> is standard policy.
> it's normal for companies... i totally agree. but that's different from an
> isp.
Indeed. Still, if it makes sense for a company, it's worth really
thinking about whether it wouldn't at least partially also make
sense for an ISP.
> i mean, you use a service and you are supposed to know
> their terms and
> policy. and you are supposed to know what possible danger you are
> exposing yourself to if you get connected.
> now you should manage yourself to protect yourself or use software
> supplied by your provider for that purpose.
That's the current status, indeed. Fact is, it doesn't work out
very well. "firewall logs"!
> so what?
> it's not that hard to install that stupid little free firewall which does a
> pretty good job.
> there are many free firewalls out there.
> sygate, zonealarm, to only count 2 of the best (i talk about windoze...).
Hmm... check out
http://www.linkblock.de - especially the
links regarding so-called "personal firewalls".
While Felix von Leitner's way of putting things may be a bit
crude, there's certainly truth in it.
In short: they aren't worth much, many worms/viruses will get
around them and disable them.
>>> disabling port 25 is a bad thing.
>> It's not "disabled". With the discussed blocking of outbound
>> SMTP traffic except for the ISP mailserver, email still works.
> so IT IS BLOCKED!
> i don't want to access my isp mail. i want to access other servers on the
> inet.
> so that way, 25 _WOULD BE_ blocked for me.
> or am i wrong?
You can send mail to other mailservers - through your ISP's
mailserver. So no, you're not blocked.
>> For the larger
>> organizations I know of (granted, that's more
>> of a company setting, not ISP), everyone denies outbound SMTP
>> traffic except from the company mailserver.
> company != isp
True. Question is still, wouldn't the same sort of setup make
sense?
>>> you know, there are many ports right?
>> Sure. But those pesky mailservers usually listen on port 25 only.
> right.
> imagine setting up a spam relay which listens on port 3132.
> what you do now with blocking 25?
> oops.
No oops. Even if the zombies listen on other ports (hint: they
do!), they still need to send to port 25 - as long as they try
sending their ware directly, no luck.
Greets Eric
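The egress policy argued over in this mail (default-deny for a dialup customer, outbound SMTP only towards the ISP's own relay, a self-service exception mechanism with sanity checks, and the point that a spam relay's listening port is irrelevant because it still has to connect out to port 25) as an added example; this is not code from the thread or from any ISP. The addresses come from the RFC 5737 documentation ranges, and the default port set, the "high ports open by default" rule and the `ppp0` interface name are assumptions made for illustration.

```python
"""Model of the ISP egress policy discussed in the thread above.

Added example, not code from the mailing list. Addresses are taken from the
RFC 5737 documentation ranges; the default port set, the 'high ports open'
rule and the interface name are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

ISP_RELAY = ipaddress.ip_address("192.0.2.25")   # assumed: the ISP's own mail relay

# Assumed default for the "0815" customer: DNS, FTP, HTTP(S). SMTP is handled
# separately because it is only allowed towards ISP_RELAY.
DEFAULT_ALLOW = {("tcp", 21), ("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)}
HIGH_PORT_MIN = 1024      # assumed: chat / p2p / streaming live up here, open by default

# Services the self-service interface must never open towards arbitrary hosts.
NEVER_OPEN = {("tcp", 25)}


@dataclass
class Customer:
    name: str
    exceptions: set = field(default_factory=set)   # (proto, dport) opened via the web UI


def request_exception(cust: Customer, proto: str, dport: int) -> bool:
    """The 'webinterface' handler with sanity checks; True if the hole was opened."""
    if proto not in ("tcp", "udp") or not 1 <= dport <= 65535:
        return False
    if (proto, dport) in NEVER_OPEN:        # SMTP stays relay-only regardless of user wishes
        return False
    cust.exceptions.add((proto, dport))
    return True


def egress_allowed(cust: Customer, proto: str, dst: str, dport: int) -> bool:
    """Decide one outbound flow from the customer's dialup line.

    Only the destination port matters. A spam relay listening on 3132 is not
    affected by this check; the connection it has to make to a mail exchanger
    on port 25 is.
    """
    if (proto, dport) == ("tcp", 25):
        return ipaddress.ip_address(dst) == ISP_RELAY
    if (proto, dport) in DEFAULT_ALLOW or (proto, dport) in cust.exceptions:
        return True
    return dport >= HIGH_PORT_MIN


def to_nftables(cust: Customer, ifname: str = "ppp0") -> str:
    """Render the same policy as an nftables table for the customer's (assumed) interface."""
    lines = [
        "table inet egress_%s {" % cust.name,
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        '        iifname "%s" tcp dport 25 ip daddr %s accept' % (ifname, ISP_RELAY),
        '        iifname "%s" tcp dport 25 drop' % ifname,
    ]
    for proto, port in sorted(DEFAULT_ALLOW | cust.exceptions):
        lines.append('        iifname "%s" %s dport %d accept' % (ifname, proto, port))
    for proto in ("tcp", "udp"):
        lines.append('        iifname "%s" %s dport >= %d accept' % (ifname, proto, HIGH_PORT_MIN))
    lines += ["    }", "}"]
    return "\n".join(lines)


def evaluate_sample_flows() -> dict:
    """Constructed flows for one customer, before and after an SSH exception."""
    joe = Customer("joe")
    flows = {
        "browser to https":            ("tcp", "203.0.113.10", 443),
        "mail via ISP relay":          ("tcp", "192.0.2.25", 25),
        "mail direct to remote MX":    ("tcp", "203.0.113.25", 25),
        "ssh before exception":        ("tcp", "203.0.113.22", 22),
        "p2p on high port":            ("tcp", "198.51.100.9", 6881),
        "talk to a relay on 3132":     ("tcp", "198.51.100.13", 3132),
        "zombie sending direct to MX": ("tcp", "198.51.100.7", 25),
    }
    result = {label: egress_allowed(joe, *f) for label, f in flows.items()}
    result["open ssh via web UI"] = request_exception(joe, "tcp", 22)
    result["open smtp via web UI"] = request_exception(joe, "tcp", 25)
    result["ssh after exception"] = egress_allowed(joe, "tcp", "203.0.113.22", 22)
    return result


if __name__ == "__main__":
    for label, verdict in evaluate_sample_flows().items():
        print("%-28s %s" % (label, "allow" if verdict else "DROP"))
    print(to_nftables(Customer("joe", {("tcp", 22)})))
```

Running it shows the two sides of the argument in one table: direct-to-MX delivery from the dialup line is dropped whether it comes from a mail client or a zombie, while reaching a relay that listens on 3132 is allowed, which is exactly why the relay's listening port does not help the spammer. The `ct state established,related accept` line is what keeps return traffic for the permitted flows working under a drop policy; leaving it out is one of the "very wrong" outcomes a sanity check should catch.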