On 31/08/2011 17:41, Tom Eastep wrote: > On Wed, 2011-08-31 at 16:05 +0100, Ed W wrote: >> I think it's normal where we want to allow "mail" to allow all mail >> protocols. > I have mixed feelings about omnibus macros like this; I think they > encourage naive users to open many more ports than are really needed. >
There is an argument that for some naive users they can also *reduce* the number of ports if big "recipe" macros are available, because if it's not easy to figure out, then those naive users tend to open great swathes of ports instead..? I would argue that for this very specific situation (mail), there are few modern mail servers that have security issues (even sendmail is decent these days..), and I can think of really very situations where you would want to open fewer than all of these ports, if you wanted to allow mail either in or out. Can anyone think of a real situation where it's worse than just "neutral" that you open an extra "IMAPS" port where you only intended to open IMAP? Or where it's useful to limit outbound clients to some subset of pop/imap/smtp? I guess I can think of a few corner cases, but none where it wouldn't be fairly obvious that the "Mail" macro was the wrong choice? Actually, tell you where I have seen this fail - I'm seen some wifi hotspots that appear to want to *block* email, but they only remembered to block half the ports... "Mail(REJECT)" as a rule is likely to be a win for the naive user - I bet otherwise few would remember about Submission/IMAPS/POPS... Cheers Ed W ------------------------------------------------------------------------------ Special Offer -- Download ArcSight Logger for FREE! Finally, a world-class log management solution at an even better price-free! And you'll get a free "Love Thy Logs" t-shirt when you download Logger. Secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsisghtdev2dev _______________________________________________ Shorewall-devel mailing list Shorewall-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-devel
