-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, my previous statement about originating on port 25 was
completely wrong, I apologize.

I did, however, have one case where the external mail relay was
originating packets from port 25. I guess someone just took a
shortcut in coding by using 25 as the origination port. The rule was
set up to allow mail to the internal mail server on port 25 only if
it came from port 25. (Hey, why not assume everyone's relay behaves
that way.... whack)

For these setups, though, I suggest allowing connections to port 25
of the internal mail server from any port of the relay address(es).
It is safer to filter by the IP address.

I'm gonna go stand in a corner now...

Frank



> > SMTP email originates on port 25. [snip]
> > To thwart the curious,
> > one can just construct his firewall rule to only allow traffic to
> > port 25 if it originates from port 25. Seems to hide it from most
> > port scans as well.
> 
> 2. I strongly recommend against adding filters like this. Otherwise
> you'll get the same problem that apple.com had, where no one behind
> a NATing FW-1 could access apple.com, because FW-1 was changing the
> originating port from 53 to something in the range 512--1023. Never
> trust the originator port to be any specific value; there are just 
> too many NATing devices with different behaviors out there.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBOaVXMURKym0LjhFcEQKLqQCg+4pO7PmmXjDMRzAQGreYTMPTPioAoJqh
NSjvh3mlCngcdApm9m3KA/LC
=ubVq
-----END PGP SIGNATURE-----
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
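The two rule styles discussed in this thread, side by side, as an added example that is not part of the original message. It is a small stateless filter simulation in Python: a "brittle" rule that accepts SMTP to the internal server only when the connection originates from source port 25 (the rule from the quoted post), and the "recommended" rule that accepts SMTP from the relay's IP address on any source port. The addresses are constructed documentation-range values, not anything from the thread; the NAT case assumes a device that rewrites the source port into 512..1023, as the apple.com anecdote above describes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addresses for this example (RFC 5737 documentation ranges);
# the thread names no hosts, so these are assumptions.
RELAY_IP = "192.0.2.25"        # assumed external mail relay
MAIL_SERVER = "198.51.100.10"  # assumed internal mail server


@dataclass(frozen=True)
class Rule:
    """One accept rule of a stateless packet filter."""
    src_net: str                          # CIDR the source must fall in
    src_ports: Optional[Tuple[int, int]]  # inclusive range, or None = any port
    dst_ip: str
    dst_port: int

    def matches(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        if ip_address(src_ip) not in ip_network(self.src_net):
            return False
        if self.src_ports is not None:
            lo, hi = self.src_ports
            if not lo <= src_port <= hi:
                return False
        return dst_ip == self.dst_ip and dst_port == self.dst_port


def allowed(rules: List[Rule], src_ip: str, src_port: int,
            dst_ip: str, dst_port: int) -> bool:
    """Default deny: the packet passes only if some accept rule matches."""
    return any(r.matches(src_ip, src_port, dst_ip, dst_port) for r in rules)


# Rule from the quoted post: accept SMTP only if it originates from port 25,
# from anywhere.
BRITTLE: List[Rule] = [Rule("0.0.0.0/0", (25, 25), MAIL_SERVER, 25)]

# Rule recommended in the reply: accept SMTP to the internal server from the
# relay's address, whatever source port the relay (or a NAT in front of it) uses.
RECOMMENDED: List[Rule] = [Rule(RELAY_IP + "/32", None, MAIL_SERVER, 25)]


def cases() -> Dict[str, Tuple[str, int]]:
    """Constructed connection attempts to the internal server, port 25."""
    return {
        "relay, ephemeral source port":          (RELAY_IP, 34567),
        "relay behind NAT rewriting to 512-1023": (RELAY_IP, 600),
        "relay coded to send from port 25":       (RELAY_IP, 25),
        "other host, ephemeral source port":      ("203.0.113.7", 40000),
        "other host, chose source port 25":       ("203.0.113.7", 25),
    }


def evaluate(rules: List[Rule]) -> Dict[str, bool]:
    """Map each constructed case to whether the rule set lets it through."""
    return {name: allowed(rules, ip, port, MAIL_SERVER, 25)
            for name, (ip, port) in cases().items()}


if __name__ == "__main__":
    for label, ruleset in (("source-port rule", BRITTLE), ("relay-IP rule", RECOMMENDED)):
        print(label)
        for name, ok in evaluate(ruleset).items():
            print(f"  {'ACCEPT' if ok else 'DROP  '}  {name}")
```

Running it shows the two failure modes in the thread: the source-port rule drops the legitimate relay as soon as its packets arrive from an ephemeral port or from a NAT-rewritten port, while any outside host that simply picks source port 25 (a choice the sender fully controls) gets through. The relay-IP rule accepts the relay on every source port and drops the outside host regardless of the port it chose.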