[Lilux-help] port 25 blocking by ISPs

Georges Toth georges at norm.lu
Fri Jul 2 15:20:20 CEST 2004


> no need to do a TOFU, you know?

which means?


> Guess what, @work we have a few dialup lines, normal users of
> these have only a very few "standard" ports open towards the
> internal network. 

it's a different story whether we talk about work or isp.


> Your normal internet-surfing 0815 guy will not need much more
> than DNS, FTP, HTTP, and SMTP via the ISP mailserver - maybe
> some high ports for stuff like chat, p2p, streaming media.
> That's exactly the kind of use I'm talking about.

right. but because of those joe users, others should have everything blocked 
as well?
wow kewl...


> People that actually use other stuff - say, SSH - are rather
> rare. 

think so?


> Those relatively clued users could for instance be
> accommodated by a filter adaptable through some webinterface.

i don't think so.
i rather think that IF they start blocking everything, they will do so and 
nothing else.
so no webinterface, and no exceptions.
it would be a great idea if they would block everything and then give you 
access to a webinterface and let you do what you want (open everything, some, 
none). but i doubt something like that would happen....


> I know this is problematic for an ISP. For companies, this
> is standard policy.

it's normal for companies... i totally agree. but that's different from an 
isp.


> > i mean, you use a service and you are supposed to know their terms and
> > policy. and you are supposed to know what possible danger you are
> > exposing yourself if you get connected.
> > now you should manage yourself to protect yourself or use software
> > supplied by your provider for that purpose.
>
> That's the current status, indeed. Fact is, it doesn't work out
> very well. "firewall logs"!

so what?
it's not that hard to install that stupid little free firewall which does a 
pretty good job.
there are many free firewalls out there.
sygate, zonealarm, to only count 2 of the best (i talk about windoze...).


> > disabling port 25 is a bad thing.
>
> It's not "disabled". With the discussed blocking of outbound
> SMTP traffic except for the ISP mailserver, email still works.

so IT IS BLOCKED!
i don't want to access my isp mail. i want to access other servers on the 
inet.
so that way, 25 _WOULD BE_ blocked for me.
or am i wrong?


> For the larger organizations I know of (granted, that's more
> of a company setting, not ISP), everyone denies outbound SMTP
> traffic except from the company mailserver.

company != isp


> > you know, there are many ports right?
>
> Sure. But those pesky mailservers usually listen on port 25 only.

right.
imagine setting up a spam relay which listens on port 3132.
what do you do now with blocking 25?
oops.


-- 
regards,
Georges Toth


