[isf-wifidog] ppolicy questions/firewalling etc.

[listserv.traffic at sloop.net]

Ok, I've got everything running mostly the way I need. (I have a few
things left to tinker with, but not much...)

However, I'm now wondering about Firewall rules and what's a
real-world view and experience of the thing.

For example: SMTP - should I allow it, or block all. Since the Public
AP is going to be on the main netblock (but different IP) for the
company providing it, should one block all outbound port 25 traffic?

What's everyone's experience with this.

(And note, we won't have any identifying information about each user.
They will have to come in and get the one-size-fits-all user name and
password, but other than that we have no way of handling rogue users.
We'll rotate the user/pass credentials on, say, a monthly basis.)

If the connections shouldn't be wide open, what kinds of things should
one block?

Obviously, a SMTP block isn't going to stop a pro, but then that guy
isn't likely to need my pub-ap to do any damage anyhow. But I don't
want the company's main IP block to go down either. because it's
gotten black listed, black-holed or something.

My gut feeling is block SMTP/25 since an email black listing for my
netblock is a bad thing. Most other kinds of abuse one can explain to
an ISP/upstream provider. Getting on a black list is often a hard
thing to reverse.

Anyway - thoughts welcome! Please!

-Greg