> The 'T' train doesn't include CBAC, unless something really drastic has
> changed. You need to actually purchase the IOS/Firewall feature set, or one
> of the encryption images that supports FW. You can get plain ol' IP in the
> 'T' train for nothing - it would be great if it did have CBAC. *sigh*

I stand corrected; I mistakenly assumed that it was part of the 12.0.7(T)
IOS update I flashed...

> I would imagine that you'll get this answer: Don't inspect smtp. Just
> inspect TCP and allow port 25 traffic in your access-lists. What do you
> lose? Control-channel inspection for incoming email? Feh. Email problems are
> all virii and worms these days and CBAC won't do a thing about _them_. My
> personal opinion on that, BTW, is that anything that aborts when it can't
> use ESMTP is _really_ busted. Are you _sure_ it's not a DNS matching or
> ident bug in disguise?

I don't think so; everything worked fine until I enabled CBAC-SMTP after
which the router started rejecting connections from my upstream MX hosts as
well as my personal ISP (along with many others), all of whom run ESMTP
sendmail under Solaris/SunOS.

To quote a reply: "There is an enhancement bug opened to ask for the CBAC to
handle esmtp."

(FWIW: I *do* run separate inbound and outbound instances of sendmail)
