[Lilux-help] port 25 blocking by ISPs

Eric Dondelinger aim at vis.ethz.ch
Fri Jul 2 15:51:22 CEST 2004


Hi,

On Fri, 2 Jul 2004, Georges Toth wrote:

> > no need to do a TOFU, you know?
>
> which means?

"Text Oben Fullquote Unten" ("text above, full quote below") - bad form.
I know, we already had the discussions about proper quoting
a couple of weeks ago ;-)

> > Guess what, @work we have a few dialup lines, normal users of
> > these have only a very few "standard" ports open towards the
> > internal network.
>
> it's a different story whether we talk about work or isp.

Indeed. It's still something that IMHO would accommodate most
normal users. I know perfectly well that the people participating
in this discussion do not belong into that category.

> > Your normal internet-surfing 0815 guy will not need much more
> > than DNS, FTP, HTTP, and SMTP via the ISP mailserver - maybe
> > some high ports for stuff like chat, p2p, streaming media.
> > That's exactly the kind of use I'm talking about.
>
> right. but because of those joe users, others should have everything blocked
> as well?
> wow kewl...

As a default setting, that wouldn't be so bad.

> > People that actually use other stuff - say, SSH - are rather
> > rare.
>
> think so?

Yes. One of these days I'll go sniffing some traffic on the
backbone here - I'll see about producing stats about the
protocols used. Even though it's a somewhat special environment,
it should be close to the typical use.

> > Those relatively clued users could for instance be
> > accommodated by a filter adaptable through some webinterface.
>
> i don't think so.
> i rather think that IF they start blocking everything, they will do so and
> nothing else.

That's your assumption. I explicitly proposed that exception
mechanism.

> so no webinterface, and no exceptions.
> it would be a great idea if they would block everything and then give you
> access to a webinterface and let you do what you want (open everything, some,
> none). but i doubt something like that would happen....

Well, it's certainly something I could live with - essentially,
it would be a user-configurable firewall service, hopefully with
sanity checks included (too easy to get things very wrong).

> > I know this is problematic for an ISP. For companies, this
> > is standard policy.
>
> it's normal for companies... i totally agree. but that's different from an
> isp.

Indeed. Still, if it makes sense for a company, it's worth really
thinking about whether it wouldn't at least partially also make
sense for an ISP.

> > > i mean, you use a service and you are supposed to know their terms and
> > > policy. and you are supposed to know what possible danger you are
> > > exposing yourself if you get connected.
> > > now you should manage yourself to protect yourself or use software
> > > supplied by your provider for that purpose.
> >
> > That's the current status, indeed. Fact is, it doesn't work out
> > very well. "firewall logs"!
>
> so what?
> it's not that hard to install that stupid little free firewall which does a
> pretty good job.
> there are many free firewalls out there.
> sygate, zonealarm, to only count 2 of the best (i talk about windoze...).

Hmm... check out http://www.linkblock.de - especially the
links regarding so-called "personal firewalls".
While Felix von Leitner's way of putting things may be a bit
crude, there's certainly truth in it.

In short: they aren't worth much, many worms/viruses will get
around them and disable them.

> > > disabling port 25 is a bad thing.
> >
> > It's not "disabled". With the discussed blocking of outbound
> > SMTP traffic except for the ISP mailserver, email still works.
>
> so IT IS BLOCKED!
> i don't want to access my isp mail. i want to access other servers on the
> inet.
> so that way, 25 _WOULD BE_ blocked for me.
> or am i wrong?

You can send mail to other mailservers - through your ISP's
mailserver. So no, you're not blocked.

> > For the larger organizations I know of (granted, that's more
> > of a company setting, not ISP), everyone denies outbound SMTP
> > traffic except from the company mailserver.
>
> company != isp

True. Question is still, wouldn't the same sort of setup make
sense.

> > > you know, there are many ports right?
> >
> > Sure. But those pesky mailservers usually listen on port 25 only.
>
> right.
> imagine setting up a spam relay which listens on port 3132.
> what you do now with blocking 25?
> oops.

No oops. Even if the zombies listen on other ports (hint: they
do!), they still need to send to port 25 - as long as they try
sending their ware directly, no luck.

Greets Eric
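The egress policy argued over in the message above (outbound TCP/25 allowed only towards the ISP's own mailserver, everything else untouched), written out as an added example that is not part of the original post or of any ISP's configuration. The relay address, the customer pool and the sample connections are constructed assumptions drawn from the RFC 5737 documentation ranges; the iptables lines are generated as text for reading, not applied.

```python
"""Customer-side SMTP egress filter, modelled after the thread's proposal.

Constructed example: ISP_RELAY and CUSTOMER_NET are assumptions (RFC 5737
documentation addresses), not the mailing list's or any real ISP's setup.
"""
import ipaddress
from dataclasses import dataclass

ISP_RELAY = ipaddress.ip_address("192.0.2.25")          # assumed ISP mailserver
CUSTOMER_NET = ipaddress.ip_network("198.51.100.0/24")  # assumed dial-up pool
SMTP_PORT = 25


@dataclass(frozen=True)
class Flow:
    src: str    # customer host opening the connection
    dst: str    # destination host
    dport: int  # destination TCP port


def allowed(flow: Flow) -> bool:
    """The policy from the thread: from the customer pool, outbound TCP/25
    only to the ISP relay; every other destination port passes unchanged.
    Only the destination port is inspected, so a spam relay that *listens*
    on 3132 changes nothing: to deliver, it still has to open a connection
    to the victim's MX on port 25, and that is what gets rejected."""
    if ipaddress.ip_address(flow.src) not in CUSTOMER_NET:
        return True                      # policy covers the customer pool only
    if flow.dport != SMTP_PORT:
        return True                      # SSH, HTTP, 3132, ... all untouched
    return ipaddress.ip_address(flow.dst) == ISP_RELAY


def evaluate(flows):
    """Verdict per flow, the way it would show up in a firewall log."""
    return {f: ("ACCEPT" if allowed(f) else "REJECT") for f in flows}


def iptables_rules():
    """Equivalent netfilter rules for a router forwarding the customer pool.
    Returned as strings only; nothing here touches the running firewall."""
    return [
        f"iptables -A FORWARD -s {CUSTOMER_NET} -d {ISP_RELAY} "
        f"-p tcp --dport {SMTP_PORT} -j ACCEPT",
        f"iptables -A FORWARD -s {CUSTOMER_NET} "
        f"-p tcp --dport {SMTP_PORT} -j REJECT --reject-with tcp-reset",
    ]


# Constructed sample connections (not captured traffic).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.25", 25),      # via the ISP relay: mail works
    Flow("198.51.100.7", "203.0.113.10", 25),    # straight to a foreign MX: rejected
    Flow("198.51.100.7", "203.0.113.10", 3132),  # "relay on 3132": passes, but it
                                                 # still cannot deliver on 25 from here
    Flow("198.51.100.7", "203.0.113.20", 22),    # SSH: unaffected
    Flow("203.0.113.5", "203.0.113.10", 25),     # outside the customer pool: untouched
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport:<5} {verdict}")
    print(*iptables_rules(), sep="\n")
```

The second generated rule is the whole point of the argument: it matches on the destination port alone, which is why the zombie's listening port is irrelevant while the user's SSH, HTTP and chat traffic never hit it. The first rule, placed before it, is the exception that keeps mail to any destination working through the ISP's own server.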