[CentOS] courier mail for Centos

Fri Dec 7 11:47:06 UTC 2012
Giles Coochey <giles at coochey.net>

On 06/12/2012 16:24, Les Mikesell wrote:
> On Thu, Dec 6, 2012 at 10:13 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>>> Filtering Inbound Firewalls are generally useless if the user of the
>>>> system doesn't know what they're doing. A lot of intrusions these days
>>>> are the result of inbound policy permitted traffic in causing someone to
>>>> initiate an outbound connection that gets them hacked.
>>> And you expect someone to be better at stopping this with iptables and
>>> a 'howto' than dedicated hardware and vendor training/support?
>> And outbound rule writing is very hard, as you have to sniff out traffic
>> many times to figure out why an app is failing and then write a rule to
>> allow that app out.
> More like impossible in the general case, although you can always get
> any specific case to work if you spend enough time at it.   But to
> catch some of the most likely known problems you need packet
> inspection to at least the level of URL filtering.
It's very difficult to build a technical firewall policy without a 
corporate Internet usage policy that backs it up. (Use of proxy for 
outbound traffic etc...), but with the right corporate policy in place 
it is possible to accomplish.
There will always be some hosts that will have to be given full outbound 
access, not necessarily due to technical constraints, but due to 
procedural ones (devs won't or can't give the information on how the 
device needs to communicate).
Full Outbound Access should be the exception rather than the rule - just 
think how clean the Internet would be if that was followed across the globe.


Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
giles at coochey.net