Mika Borner wrote:
Peter Tribble wrote:

That doesn't seem right. Fix the users so they do the right thing.
I know it isn't ... but for an ISP it's more complicated...

If it really is based on application, then you end up writing some sort of proxy server to intercept the traffic and parse it. Or if the errant users can be identified by IP address, then you could probably put together something with IP filter to redirect them to some other port.

We certainly have to see how many customers are abusing well-known ports. Maybe we just have to "punish" them.

I've investigated the issue a bit more, and there are some companies that build firewall proxies.

But I would certainly prefer not to allow such traffic to pass.

Let me guess, port 25 is being abused by bit torrenters?

It's not unknown for ISPs to block access to port 25 unless specifically
requested for it to be open, mitigating spam.

You might want to use ipfilter to redirect all outgoing connections (to port 25) to a local SMTP server... like the SMTP server that the customers use to send out email... it doesn't need to be a proxy... You might say that email is, by design, a collection of store and forward proxies... in other words, sendmail, etc, are proxy servers by design, no need to install special proxy software :)

And similarly for inbound connections, force all SMTP connections to a local
server and then do store-and-forward.

Or...

Require those that want port 25 provided on a "pass through" basis to sign some sort of statement stating that they will only run an SMTP server/service on port 25 and that if they run something else there, well, you decide, but it would then be a breach of contract by the customer ;-)

... after all, nearly all terms-of-use contracts allow for them to be "updated" by the vendor at any time :-)

Anything/everything that you could do with packet filters would be less
than perfect and easily possible for software to be updated to be not
detected.

Darren

_______________________________________________
sysadmin-discuss mailing list
sysadmin-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/sysadmin-discuss
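
Added example (not part of the thread and not any poster's code): a Python sketch of the parsing check that an intercepting proxy or a forced store-and-forward SMTP relay applies to whatever a customer sends on port 25. The function names, the 192.0.2.x addresses and the sample payloads are constructed for illustration.

```python
# Classify the first bytes a client sends on TCP port 25 (after the server's
# 220 greeting) so non-SMTP use of the port can be counted per customer.

# Commands a real SMTP client may open with (RFC 5321 plus STARTTLS/AUTH).
SMTP_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP",
              b"QUIT", b"VRFY", b"EXPN", b"HELP", b"STARTTLS", b"AUTH"}


def classify_opening(first_bytes: bytes) -> str:
    """Return 'smtp', 'bittorrent', 'tls', 'silent' or 'not-smtp'."""
    if not first_bytes:
        return "silent"  # nothing sent yet, nothing to judge
    if first_bytes.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"  # fixed BitTorrent peer handshake prefix
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"  # TLS handshake record, not plain SMTP
    line = first_bytes.partition(b"\n")[0].rstrip(b"\r")
    # An SMTP command line is printable ASCII, at most 512 bytes with CRLF.
    if len(line) > 510 or any(b < 0x20 or b > 0x7E for b in line):
        return "not-smtp"
    verb = line.split(b" ", 1)[0].upper()  # SMTP verbs are case-insensitive
    return "smtp" if verb in SMTP_VERBS else "not-smtp"


def flag_customers(flows):
    """Map each source address to its verdicts and list the ones to review."""
    verdicts = {}
    for src, payload in flows:
        verdicts.setdefault(src, []).append(classify_opening(payload))
    flagged = sorted(src for src, seen in verdicts.items()
                     if any(v in ("bittorrent", "tls", "not-smtp") for v in seen))
    return verdicts, flagged


# Constructed sample flows: (customer source address, first client bytes).
SAMPLE_FLOWS = [
    ("192.0.2.10", b"EHLO mail.example.net\r\n"),
    ("192.0.2.20", b"\x13BitTorrent protocol" + b"\x00" * 48),
    ("192.0.2.30", b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    ("192.0.2.40", b"\x16\x03\x01\x02\x00\x01"),
    ("192.0.2.10", b"ehlo mail.example.net\r\n"),
]

if __name__ == "__main__":
    verdicts, flagged = flag_customers(SAMPLE_FLOWS)
    for src in sorted(verdicts):
        print(src, verdicts[src])
    print("review:", flagged)
```

A real relay rejects such sessions simply because they fail the SMTP dialogue; the check above only makes the same decision visible for counting.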
