[isf-wifidog] ppolicy questions/firewalling etc.

Mina Naguib mina at naguib.ca
Mon 13 Nov 12:05:45 EST 2006


My recommendation is what you're suggesting.  It's not worth fighting  
with RBL admins to get your block unlisted after it makes its way  
there due to one spammer.  So block SMTP and ask your users to use  
webmail.

Alternatively if you want to be extra nice, allow SMTP (possibly with  
transparent redirection) to your own SMTP server which would enforce  
throttling to a very low number of messages per minute.

Aside from SMTP, and depending on your plan with your ISP, you may  
want to limit or block bandwidth-hogging applications.  This can be  
done superficially with port rules or truly with layer-7 filtering on  
many recent routers/firmwares.

On 13-Nov-06, at 1:46 AM, listserv.traffic at sloop.net wrote:

> Ok, I've got everything running mostly the way I need. (I have a few
> things left to tinker with, but not much...)
>
> However, I'm now wondering about Firewall rules and what's a
> real-world view and experience of the thing.
>
> For example: SMTP - should I allow it, or block all. Since the Public
> AP is going to be on the main netblock (but different IP) for the
> company providing it, should one block all outbound port 25 traffic?
>
> What's everyone's experience with this?
>
> (And note, we won't have any identifying information about each user.
> They will have to come in and get the one-size-fits-all user name and
> password, but other than that we have no way of handling rogue users.
> We'll rotate the user/pass credentials on, say, a monthly basis.)
>
> If the connections shouldn't be wide open, what kinds of things should
> one block?
>
> Obviously, a SMTP block isn't going to stop a pro, but then that guy
> isn't likely to need my pub-ap to do any damage anyhow. But I don't
> want the company's main IP block to go down either, because it's
> gotten blacklisted, black-holed or something.
>
> My gut feeling is block SMTP/25 since an email blacklisting for my
> netblock is a bad thing. Most other kinds of abuse one can explain to
> an ISP/upstream provider. Getting on a black list is often a hard
> thing to reverse.
>
> Anyway - thoughts welcome! Please!
>
> -Greg
>
> _______________________________________________
> WiFiDog mailing list
> WiFiDog at listes.ilesansfil.org
> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog



More information about the WiFiDog mailing list
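Mina's two options above, the outright block on port 25 and the transparent redirect to the operator's own throttling relay, written out as Linux iptables rules for the hotspot gateway. This is an added example, not code from the thread or from the WiFiDog project. The guest interface br0, the guest subnet 10.0.0.0/24 and the relay address 203.0.113.10 are made-up values for illustration; setting DRY_RUN=1 prints the rules instead of applying them so they can be reviewed on a machine without iptables.

```shell
#!/bin/sh
# Added example for a WiFiDog-style hotspot gateway (not from the list thread).
# Assumed, hypothetical values: guests arrive on br0 from 10.0.0.0/24 and the
# gateway NATs them out; 203.0.113.10 (a TEST-NET-3 documentation address)
# stands in for the operator's own throttling SMTP relay.
GUEST_IF="${GUEST_IF:-br0}"
GUEST_NET="${GUEST_NET:-10.0.0.0/24}"
RELAY_IP="${RELAY_IP:-203.0.113.10}"

# With DRY_RUN set, print the rule instead of handing it to iptables.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Create (or empty) the per-hotspot chain and hook guest traffic into it
# ahead of any blanket ACCEPT that may already sit in FORWARD.
hotspot_chain() {
    ipt -N HOTSPOT_SMTP 2>/dev/null || true
    ipt -F HOTSPOT_SMTP
    ipt -D FORWARD -i "$GUEST_IF" -s "$GUEST_NET" -j HOTSPOT_SMTP 2>/dev/null || true
    ipt -I FORWARD 1 -i "$GUEST_IF" -s "$GUEST_NET" -j HOTSPOT_SMTP
}

# Option 1: refuse all outbound port 25 from guests and point them at webmail.
# Ports 587/465 (authenticated submission to the user's own provider) are left
# alone on purpose: they do not make the hotspot's netblock the sending host.
# REJECT with a TCP reset, not DROP, so mail clients fail at once instead of
# hanging until a timeout.
smtp_block() {
    hotspot_chain
    ipt -A HOTSPOT_SMTP -p tcp --dport 25 -m limit --limit 1/min \
        -j LOG --log-prefix "hotspot-smtp25: "
    ipt -A HOTSPOT_SMTP -p tcp --dport 25 -j REJECT --reject-with tcp-reset
}

# Option 2: steer every guest connection to port 25 into the operator's relay,
# which enforces the low messages-per-minute limit (MTA configuration, not
# shown here). The filter rules cap new SMTP connections per guest address
# and reject anything on port 25 that is not headed for the relay, so the
# block still holds if the DNAT rule is ever lost.
smtp_redirect() {
    ipt -t nat -D PREROUTING -i "$GUEST_IF" -s "$GUEST_NET" -p tcp --dport 25 \
        -j DNAT --to-destination "$RELAY_IP:25" 2>/dev/null || true
    ipt -t nat -A PREROUTING -i "$GUEST_IF" -s "$GUEST_NET" -p tcp --dport 25 \
        -j DNAT --to-destination "$RELAY_IP:25"
    hotspot_chain
    ipt -A HOTSPOT_SMTP -p tcp --dport 25 -d "$RELAY_IP" -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 \
        --hashlimit-mode srcip --hashlimit-name hotspot_smtp -j ACCEPT
    ipt -A HOTSPOT_SMTP -p tcp --dport 25 -d "$RELAY_IP" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
    ipt -A HOTSPOT_SMTP -p tcp --dport 25 -j REJECT --reject-with tcp-reset
}

# Run as root on the gateway: "sh hotspot-smtp.sh block" or "... redirect".
# Without an argument the script only defines the functions.
case "${1:-}" in
    block)    smtp_block ;;
    redirect) smtp_redirect ;;
    "")       ;;
    *)        echo "usage: $0 block|redirect" >&2; exit 2 ;;
esac
```

The hashlimit match counts new connections per client address, not messages, so the per-minute message throttle Mina describes still has to be configured on the relay itself; the connection cap only keeps one guest from opening hundreds of sessions while the relay does its job. Mina's third point, bandwidth-hogging applications, is not covered by these rules: port-based matches can be added to the same chain, but layer-7 classification needs the router's own filtering support.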