What bothers me about this is customers that want to transfer files between
themselves are blocked. Sure it can be added, but I want to point this out,
as it is best to discourage the use of mail for the transport of large
files. Our system has had many Mb of business client's .ppt files breaking
some pop clients.
Also telnet is blocked, IMHO not as much a problem as http service and makes
the filter so communistic, thou-shalt-not, etc.
Best to have rules or metered service to prevent abuse and yet offer a more
"true" connection to the net or at least have exceptions for those that
ask, but then you have more filters.
Hmmm... anyone ever "strobe" their dial-up IPs on port 80? Or any
commonly used port for that matter?
On a related issue we did have a customer apply for a Verisign CERT and
really made me alert to potential abuse.
One thing that should also be considered is to allow SMTP connection to
only local server, which, like spoof filters, means that users cannot mass
mail from their dial-in accounts directly and bypass syslog.
This I plan to do, after notifying them...
My asbestos suit is on the way. ;-)
It was bad enough when we blocked relay.
-------------------------------------------
Jeff Mountin - System/Network Administrator
jeff@mixcom.net
MIX Communications
Serving the Internet since 1990