On Tue, Jan 30, 2007 at 09:47:26AM -0800, Kenneth Porter wrote:
> >Actually, I think blocking port 25 by default is an excellent idea
> >providing you unblock it if people ask for that.  Since the vast
> >majority of computer users never bother to change defaults, blocking port
> >25 by default will remove a huge number of potential botnet spammers.
> 
> One might even block all inbound and outbound ports below 1024 except the 
> obvious consumer ones like web and POP3 and provide a simple web interface 

That would also be next to useless and generate a lot of complaints
from your users. You see, after port 25 the one port that users can
cause the most mayhem with on outbound connections to the "internet
at large" is port 80. And you sure don't want to block that one.
The rest are only up for relatively "minor" shenanigans like password
guessing or doing DDoSes.

Incoming, though, is a whole 'nuther story: most consumers won't
notice if you block incoming ports below 1024 (for TCP SYN/ACK
connection establishment; don't block all traffic there, e.g.
nameserver traffic), and that might be somewhat useful to limit
the number of compromised home boxes.

If you want to make this user-adjustable, though, the ISP has got
to have the proper hardware to do that kind of filtering with per-
tunnel specific properties, and not all hardware is up to that.

-- 
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
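The policy sketched in this thread (outbound 25 dropped by default, new inbound TCP connections to privileged ports dropped, but replies and UDP such as DNS answers left alone, with per-subscriber opt-outs) can be written down as a small packet-decision model. This is an added example, not code from the thread or from MIMEDefang; the `Packet` fields, the `profile` keys and the sample packets are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; only the fields the policy looks at."""
    direction: str        # "out": subscriber -> internet, "in": internet -> subscriber
    proto: str            # "tcp" or "udp"
    dport: int            # destination port
    new_conn: bool = False  # TCP SYN without ACK, i.e. a new inbound connection attempt

# Per-subscriber overrides: the "unblock it if people ask" part of the thread.
# In a real deployment these would be per-tunnel/per-session attributes on
# the access gear (hypothetical keys, constructed for this example).
DEFAULT_PROFILE = {"unblock_smtp": False, "unblock_inbound_low_ports": False}

def filter_packet(pkt: Packet, profile: dict = DEFAULT_PROFILE) -> str:
    """Return 'allow' or 'drop' for one packet under the proposed ISP policy."""
    if pkt.direction == "out":
        # Outbound: only TCP/25 is blocked by default. Port 80 (and the rest)
        # stays open, as the thread notes blocking it would be unacceptable.
        if pkt.proto == "tcp" and pkt.dport == 25 and not profile["unblock_smtp"]:
            return "drop"
        return "allow"
    # Inbound: drop only *new* TCP connections to ports below 1024.
    # Non-SYN segments (replies to the subscriber's own outbound sessions)
    # and UDP (e.g. DNS answers) pass, matching "don't block all traffic there".
    if (pkt.proto == "tcp" and pkt.new_conn and pkt.dport < 1024
            and not profile["unblock_inbound_low_ports"]):
        return "drop"
    return "allow"

def evaluate(packets, profile: dict = DEFAULT_PROFILE):
    """Apply the policy to a batch; returns (packet, decision) pairs."""
    return [(p, filter_packet(p, profile)) for p in packets]

# Constructed sample traffic from one subscriber's link.
SAMPLE = [
    Packet("out", "tcp", 25),                 # direct-to-MX mail: dropped by default
    Packet("out", "tcp", 80),                 # web: always allowed
    Packet("in", "tcp", 22, new_conn=True),   # unsolicited SSH attempt: dropped
    Packet("in", "tcp", 22, new_conn=False),  # reply segment of subscriber's own session: allowed
    Packet("in", "udp", 53),                  # DNS answer to the subscriber's resolver query: allowed
    Packet("in", "tcp", 8080, new_conn=True), # unprivileged port: not covered by the policy
]

if __name__ == "__main__":
    for pkt, decision in evaluate(SAMPLE):
        print(f"{pkt.direction:>3} {pkt.proto}/{pkt.dport:<5} new={pkt.new_conn!s:<5} -> {decision}")
```

Swapping in a profile with `unblock_smtp=True` shows the opt-out path without touching the inbound rules.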
