[84502] in North American Network Operators' Group
Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)
daemon@ATHENA.MIT.EDU (Joseph S D Yao)
Tue Sep 13 23:40:27 2005
Date: Tue, 13 Sep 2005 23:39:55 -0400
From: Joseph S D Yao <jsdy@center.osis.gov>
To: "william(at)elan.net" <william@elan.net>
Cc: Roy Badami <roy@gnomon.org.uk>, nanog@nanog.org
Mail-Followup-To: "william(at)elan.net" <william@elan.net>,
Roy Badami <roy@gnomon.org.uk>, nanog@nanog.org
In-Reply-To: <Pine.LNX.4.62.0509131622030.16184@sokol.elan.net>
Errors-To: owner-nanog@merit.edu
On Tue, Sep 13, 2005 at 04:31:05PM -0700, william(at)elan.net wrote:
> On Wed, 14 Sep 2005, Roy Badami wrote:
>
> > william(at)elan> Could you elaborate on how firewall will
> > william(at)elan> determine if the connection is from mail server
> > william(at)elan> or from telnet on port 25?
> >
> >Perhaps because most telnet clients will attempt telnet option
> >negotiation? If so one could avoid this by using a client such as
> >netcat...
>
> Telnet option negotiation is at Layer 7 after TCP connection has been
> established. Firewalls typically don't operate at this level (TCP session
> is Layer 4 if I remember right) and would refuse or reject (difference
> type of ICMP response) based solely on attempt to connect to certain
> ip or certain TCP/UDP port.
You're talking about the packet filters that marketeers sell as
"firewalls". The best firewalls operate at the application layer. And,
yes, that's an OPINION, no need to rave.
--
Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.
