-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Eric Dondelinger wrote: | Hi, | | On Wed, 21 Jul 2004, Patrick Kaell wrote: | | |>Slashdot has an article about 'Reverse Firewalls As An Anti-Spam Tool': |> |>http://slashdot.org/articles/04/07/21/028221.shtml?tid=111&tid=137&tid=95 |> |>It is the first time that I hear the term 'Reverse Firewall'. But it |>remembers me of past discussions ;-) | | | Indeed, I suppose the same thing as discussed is meant - but | the term is IMHO bullsh*t, a packet filter is usually able to | filter in any direction. I guess someone got inspired by the | term "reverse proxy", which does have sense. | No the idea is much better. With this reverse-firewall it will stop dub end-users from sending attacks to other sites. The firewall could disallow source IP spoofing. It could filter out allthose 135-139 ports that go out. You would protecccccc the Internet from a lot of attaks with this. Hackers would anyway soon find a way around the box so it would not help for those. | Oh well... | | Btw, some providers force a redirect of SMTP traffic to their | own mailserver. Have a look at: | | http://www.init7.ch/anti-spam/index.php | | No idea how they handle smtp-auth to other servers... I don't like the idea. Only introduces problem for stand-alone mail servers as ours. | | Eric | | _______________________________________________ | Lilux-info mailing list | Lilux-info(a)lilux.lu | http://lilux.lu/mailman/listinfo/lilux-info - -- Thierry Coutelier Président LiLux asbl 7, Rue Jacques Sturm L-2556 Luxembourg Office:+352 710725 608 Home:+352 406776 http://www.linux.lu/

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Eric Dondelinger wrote: | Hi Thierry, | | On Thu, 22 Jul 2004, Thierry Coutelier wrote: | | |>No the idea is much better. With this reverse-firewall it will stop dub |>end-users |>from sending attacks to other sites. The firewall could disallow source |>IP spoofing. |>It could filter out allthose 135-139 ports that go out. |>You would protecccccc the Internet from a lot of attaks with this. |>Hackers would anyway soon find a way around the box so it would not |>help for those. | | | How can a normal firewall not be configured to do exactly the same? | Maybe most people configure their firewall to regulate incoming | traffic only, but I have a couple not-so-small thingies here that | *do* filter outbound traffic too. | Also, filtering 135-139 should be standard (in more serious setups | anyway) - even many ISPs actually do this. Thanks MS for another of | those huge security holes... | The idea is to have firewall-rules that protect the Internet and not the end-user. And the firewall is controlled by an outside entity and not from the leaf. Maybe the term reverse-firewall is not well chosen but the idea is not bad. | |>| Btw, some providers force a redirect of SMTP traffic to their |>| own mailserver. Have a look at: |>| |>| http://www.init7.ch/anti-spam/index.php |>| |>| No idea how they handle smtp-auth to other servers... |> |>I don't like the idea. Only introduces problem for stand-alone mail |>servers as ours. | | | AFAIK, the LiLux mailserver has a static IP, and it doesn't | exactly fit into the dial-up category. I guess technically, | it could quite simply use mailsvr.pt.lu as smarthost also. The problem is not when sendar is sending traffic out but when you need to configure special rules for incoming traffic or on the SPF records. You may not send mail using @linux.lu from other mail servers except you are added in the SPF record on our DNS. At least to those site that check the SPF records. So best is to configure sendar as your SMTP server and use auth. | | Greets Eric - -- Thierry Coutelier Président LiLux asbl 7, Rue Jacques Sturm L-2556 Luxembourg Office:+352 710725 608 Home:+352 406776 http://www.linux.lu/

Hi again, Ok, found a bit of spare time (patching Solaris implies quite some breaks). SPF does seem to have a few issues, but looks promising. I see you've included some P&T networks in the SPF settings for linux.lu, so my sending via mailsvr.pt.lu (when I don't ssh into sendar directly) is safe ;-) I guess I'll look into implementing SPF along with some other antispam measures over here, if I get the green light for them. Is there such as thing as a list of luxembourgish ISPs and their IP ranges, mailservers etc.? Not that it would be difficult to find out, only time-intensive... Greets Eric

Hi again, On Thu, 22 Jul 2004, Thierry Coutelier wrote: Interestingly, I just hit upon a paragraph in the SPF FAQ [1]: [1] http://spf.pobox.com/faq.html Q: What about the cracked, open-proxy DSL machines that are spam sources today? Spammers are increasingly using compromised machines on fast connections to send spam. A: Broadband providers will have to either force port 25 to go through their servers where they can keep an eye on traffic, or suffer the reputation costs of having their "forged" domain name in the envelope sender line. I know people who block Hotmail, Yahoo, and AOL simply because those are the most commonly forged domains; that hurts their legitimate users and ultimately it hurts them. So it looks like the SPF guys do approve of such measures... I just don't see (yet) how those broadband clients could then be able to do SASL AUTH to other mailservers. Greets Eric

I did this already at work. The smart relay host needed to be changed, but I had no access to the Novell Groupwise server. So I just introduced a NAT iptables rule to our Linux NAT/Firewall to redirect all port 25 connections to a specific relay host. Almost the same idea as transparent web proxys (with squid for example). asmtp might be a problem. Overall this might be a better solution as just blocking port 25 if you do not want to upset many customers. Many of us would not have noticed it if Coditel did it this way. A problem might be zombie PCs. Those would continue to spam unhindered :-( Greetings, Patrick Kaell