[Mimedefang] OT: Blocking Port 25

Jan-Pieter Cornet johnpc at xs4all.nl
Tue Jan 30 16:31:12 EST 2007


On Tue, Jan 30, 2007 at 09:47:26AM -0800, Kenneth Porter wrote:
> >Actually, I think blocking port 25 by default is an excellent idea
> >providing you unblock it if people ask for that.  Since the vast
> >majority of computer users never bother to change defaults, blocking port
> >25 by default will remove a huge number of potential botnet spammers.
> 
> One might even block all inbound and outbound ports below 1024 except the 
> obvious consumer ones like web and POP3 and provide a simple web interface 

That would also be next to useless and generate a lot of complaints
from your users. You see, after port 25 the one port that users can
cause the most mayhem with on outbound connections to the "internet
at large" is port 80. And you sure don't want to block that one.
The rest are only up for relatively "minor" shenanigans like password
guessing or doing DDoSes.

Incoming, though, is a whole 'nuther story: most consumers won't
notice if you block incoming ports below 1024 (for TCP SYN/ACK
connection establishment; don't block all traffic there, e.g.
nameserver traffic), and that might be somewhat useful to limit
the number of compromised home boxes.

If you want to make this user-adjustable, though, the ISP has got
to have the proper hardware to do that kind of filtering with
per-tunnel specific properties, and not all hardware is up to that.

-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!
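The filtering policy the message argues for (drop inbound TCP connection attempts to privileged ports while leaving replies and UDP such as DNS alone, drop outbound port 25 only, and lift both per subscriber on request) can be modelled as a small decision function. The following is an added example written for this page, not code from the original post or from any ISP; the subscriber labels, the `Packet` fields and the sample traffic are constructed, and the subscriber opt-out set stands in for the per-tunnel properties a real edge router would carry.

```python
"""Model of the subscriber-edge filter discussed in the thread.
Added example, not part of the original post.

Policy modelled:
  inbound  (internet -> subscriber): drop new TCP connections to ports < 1024,
           pass everything else (established flows, UDP, e.g. nameserver traffic)
  outbound (subscriber -> internet): drop new TCP connections to port 25 only
  subscribers that asked for it are exempt from both rules (per-tunnel opt-out)
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

PRIVILEGED_PORT_MAX = 1023   # "ports below 1024"
SMTP_PORT = 25


@dataclass(frozen=True)
class Packet:
    """One packet as the subscriber-facing filter sees it (constructed data)."""
    subscriber: str          # assumed label for the customer's line/tunnel
    direction: str           # "in" = internet -> subscriber, "out" = subscriber -> internet
    proto: str               # "tcp" or "udp"
    dport: int
    syn: bool = False        # TCP flags; ignored for udp
    ack: bool = False


def is_connection_attempt(pkt: Packet) -> bool:
    """A TCP segment with SYN set and ACK clear opens a new connection.
    SYN/ACK and plain ACK segments belong to an existing flow and must pass,
    which is what keeps the customer's own browsing and DNS working."""
    return pkt.proto == "tcp" and pkt.syn and not pkt.ack


def decide(pkt: Packet, opted_out: FrozenSet[str] = frozenset()) -> str:
    """Return 'accept' or 'drop' for one packet under the policy above."""
    if pkt.subscriber in opted_out:
        return "accept"                  # customer asked for the filter to be lifted
    if not is_connection_attempt(pkt):
        return "accept"                  # replies, established flows and all UDP pass
    if pkt.direction == "in" and pkt.dport <= PRIVILEGED_PORT_MAX:
        return "drop"                    # nobody can open a privileged service on the home box
    if pkt.direction == "out" and pkt.dport == SMTP_PORT:
        return "drop"                    # direct-to-MX delivery from a botted PC
    return "accept"


def apply_policy(packets: List[Packet],
                 opted_out: FrozenSet[str] = frozenset()) -> List[Tuple[Packet, str]]:
    return [(p, decide(p, opted_out)) for p in packets]


# Constructed sample traffic: cust-a on the default filter, cust-b opted out.
SAMPLE = [
    Packet("cust-a", "in", "tcp", 445, syn=True),            # SMB probe          -> drop
    Packet("cust-a", "in", "tcp", 22, syn=True),             # ssh guessing       -> drop
    Packet("cust-a", "in", "tcp", 80, syn=True, ack=True),   # reply to own request -> accept
    Packet("cust-a", "in", "udp", 53),                       # nameserver traffic -> accept
    Packet("cust-a", "in", "tcp", 6881, syn=True),           # unprivileged port  -> accept
    Packet("cust-a", "out", "tcp", 25, syn=True),            # direct-to-MX spam  -> drop
    Packet("cust-a", "out", "tcp", 587, syn=True),           # submission port    -> accept
    Packet("cust-a", "out", "tcp", 80, syn=True),            # web                -> accept
    Packet("cust-b", "out", "tcp", 25, syn=True),            # opted out          -> accept
    Packet("cust-b", "in", "tcp", 22, syn=True),             # opted out          -> accept
]
OPTED_OUT = frozenset({"cust-b"})


def sample_decisions() -> List[str]:
    """Verdicts for SAMPLE in order; used by the usage below and by tests."""
    return [verdict for _, verdict in apply_policy(SAMPLE, OPTED_OUT)]


if __name__ == "__main__":
    for pkt, verdict in apply_policy(SAMPLE, OPTED_OUT):
        print(f"{verdict:6} {pkt.subscriber} {pkt.direction:3} {pkt.proto}/{pkt.dport}")
```

The model matches on the SYN/ACK flag pair rather than on connection state, which is the cheap check an edge router can do without tracking flows; it is also why the message insists on blocking only connection establishment and not all traffic to those ports, since a stateless drop of every inbound packet with a low destination port would also kill DNS and the return half of ordinary client traffic.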
