I think the ide of blocking ports using forwarding to non existing ip's is very good. I just tried it now and it worked quite well for the server ports. (Ports are stealthed and there is no answer back.)
On the other hand I believe this method will not work for blocking the MS-Messenger ports.
The reason for this is that this trafic is set up fro the inside, so the nat firewall (the sme server) will handle this traffic as return trafic to an internal client process (The MS Messenger program.)
The sme server does not have a mechanism for blocking outgoing trafic (even though the underlaying Linux kernel supply such a trafic controll without a problem.)
I believe that it will not be a practical solution to build in such a outbound trafic controll in the sme server either (Speaking just like a sme user.)
The reason is that this will not fit with the principle of easy administration of the sme server. Outbound trafic controll will normally require a lot of configuration and maintenace to specify leagal and unleagal trafic, unless using so strict rules so that allmost only web browsing is leagal.
It would be difficult to find that average ruleset that will fit for the average user when it comes to filtering of outgoing trafic, so most firewall has full open as default setting for outgoing trafic.
A personal firewall on the clients might be a solution. This can prevent certain processes like MS-Messenger to access internet. Some of these personal firewalls can be downloaded for free.
By the way it could actually be possible to apply some simple controll like a "safe mode" and "normal mode" choice at the sme gateway, and then for example let the only leagal outbound trafic be web browsing via web proxy and mail services running in "safe mode". This should not be to difficult to make.
Just an idea. I would not like to use the sme gateway or any other gateway in "safe mode". (But ther might be other users and needs.)
Arne.
5 Replies
1268 Views