On 19/01/05 07:31 -0500, Satya wrote:
On Tue, Jan 18, 2005 at 07:48:44PM -0800, sel wrote:
I am planning a firewall for an ISP setup, where I can filter the well known viruses and protect my N/W from intrusion and can be easily monitored and edited. I am planning for iptables as it is much more
Shouldn't block inbound anything. Let your users block.
Seriously, about the only things justifiably blockable by an ISP today are:
NetBIOS (135-139 UDP/TCP)
CIFS (445/TCP)
Outbound port 25
Inbound port 25 for dynamic IP addresses.
Note that port 25 blocking MUST be accompanied by providing a smarthost for users, which does not enforce domain name restrictions (which, IMNSHO, are stupid). SMTP AUTH and rate limiting are useful things to do on the outbound server. This MUST not be the same as the inbound server.
People who want to use other SMTP servers should be using 587/TCP.
Then again, there are some common-sense can't-happen rules that depend on your network setup. For example, private IPs can't be in-bound from the outside, right? So you can drop those packets. You might drop NetBIOS packets.
You can also rate-limit outgoing SMTP, though I'm not sure how. This would be a good idea. Limit it to 1 SMTP connection per 2 seconds or so.
Graylist your inbound SMTP connections.
Ewwwwwwwwwwwww. Does not really scale for higher volumes of mail, but is reasonably useful on a low volume server.
You *are* running a smarthost for your users, right?
viruses and secondly how do I block the common viruses and is it possible to block spam and mail related viruses through iptables (I already got scanners installed on the mail servers) or suggest me with some better alternative or a package for this kind of setup...
I'd really dislike my ISP doing that. IMO that's the user's look-out.
Agreed
Devdas Bhagat
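As an added example (not code from anyone in this thread), here is the border policy the discussion converges on, written as an iptables script: drop private sources arriving from upstream, drop NetBIOS/CIFS, block port 25 except to the ISP's smarthost, rate-limit new outbound SMTP per source to about one connection every 2 seconds, and leave 587 alone. The interface name, the dynamic customer pool, the smarthost address (documentation-range placeholders) and the availability of the hashlimit match are assumptions; with DRY_RUN=1 (the default) the rules are printed for review instead of applied.

```shell
#!/bin/sh
# Placeholders: replace with the real upstream interface, dynamic pool and relay.
WAN_IF="${WAN_IF:-eth0}"               # upstream-facing interface (assumed)
DYNPOOL="${DYNPOOL:-198.51.100.0/24}"  # dynamic customer pool (TEST-NET-2 placeholder)
SMARTHOST="${SMARTHOST:-192.0.2.25}"   # ISP outbound relay (TEST-NET-1 placeholder)
DRY_RUN="${DRY_RUN:-1}"                # 1 = print rules, 0 = apply with iptables

# Print or apply one iptables command, depending on DRY_RUN.
rule() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_rules() {
    # Dedicated chain, consulted only for NEW forwarded connections; replies
    # to already accepted flows never reach it.
    rule -N ISP_FILTER
    rule -F ISP_FILTER
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate NEW -j ISP_FILTER

    # RFC 1918 and loopback sources cannot legitimately arrive from upstream.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        rule -A ISP_FILTER -i "$WAN_IF" -s "$net" -j DROP
    done

    # NetBIOS (135-139) and CIFS (445) have no business crossing the border.
    rule -A ISP_FILTER -p udp --dport 135:139 -j DROP
    rule -A ISP_FILTER -p tcp --dport 135:139 -j DROP
    rule -A ISP_FILTER -p tcp --dport 445 -j DROP

    # Inbound 25 to the dynamic pool: dynamic addresses should not run MTAs.
    rule -A ISP_FILTER -i "$WAN_IF" -p tcp -d "$DYNPOOL" --dport 25 -j DROP

    # Outbound 25 only to the smarthost, and at most ~1 new connection per
    # source every 2 seconds (30/minute, burst 1); excess is dropped.
    rule -A ISP_FILTER -o "$WAN_IF" -p tcp -d "$SMARTHOST" --dport 25 \
        -m hashlimit --hashlimit-name smtp --hashlimit-mode srcip \
        --hashlimit-upto 30/minute --hashlimit-burst 1 -j ACCEPT
    rule -A ISP_FILTER -o "$WAN_IF" -p tcp -d "$SMARTHOST" --dport 25 -j DROP
    # Any other destination on 25 is refused; users of other relays use 587.
    rule -A ISP_FILTER -o "$WAN_IF" -p tcp --dport 25 -j REJECT --reject-with tcp-reset
    rule -A ISP_FILTER -j RETURN
}

build_rules
```

Run it once as-is to inspect the generated commands, then with DRY_RUN=0 as root to load them.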