Nicolas Boullis wrote:
> Hi Per,
>
> Per Jessen wrote:
>>
>> Wouldn't it be enough for each postgrey instance to know the
>> addresses of its peers, then only accept sync-requests from these?
>> (that's what I do).
>
> It certainly helps, and I'm planning to do it at the netfilter level
> rather than within my modified postgrey.
Ah, ok. I prefer to leave that check to the application.
> But I don't think it is sufficient to rely on that alone, since it is
> quite easy to fake source IPs, especially for UDP communications.
Good point Nicolas.
>> If you're concerned about very strict firewalling, just use port 80
>> and http - there's usually a big hole in the firewall for that :-(
>
> It generally is open for TCP (except for those who require their users
> to use a proxy), but I'm not sure it generally is for UDP...
I suppose not ... mine certainly aren't.
/Per Jessen, Zürich
--
http://www.spamchek.com/
- your spam is our business.
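
Added example, not part of the original thread and not postgrey code: a receiver for UDP sync datagrams that keeps the peer-address check discussed above but does not rely on it alone, since the source address of a UDP packet is unauthenticated. The datagram layout (timestamp, payload, HMAC-SHA256 tag), the shared key, the payload string and the peer addresses are all assumptions made up for illustration.

```python
import hashlib
import hmac
import struct

PEERS = {"192.0.2.10", "192.0.2.11"}   # constructed peer addresses
KEY = b"constructed-shared-secret"      # constructed; provision out of band
MAX_SKEW = 30                           # seconds a datagram stays valid
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal(payload: bytes, key: bytes, now: int) -> bytes:
    """Sender side: 8-byte timestamp || payload || HMAC-SHA256 tag."""
    body = struct.pack("!Q", now) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def accept(datagram: bytes, src_ip: str, key: bytes, now: int, seen: set):
    """Receiver side: return the payload, or None if the datagram is rejected."""
    # 1. Peer allowlist: a cheap filter, but the claimed source address
    #    proves nothing about who actually sent the packet.
    if src_ip not in PEERS:
        return None
    if len(datagram) < 8 + TAG_LEN:
        return None
    body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
    # 2. Keyed MAC: a sender without the key cannot produce a valid tag,
    #    whatever source address the packet claims.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    # 3. Freshness and replay: a captured datagram is accepted at most once,
    #    and only within MAX_SKEW seconds of being sealed.
    (sent,) = struct.unpack("!Q", body[:8])
    if abs(now - sent) > MAX_SKEW or tag in seen:
        return None
    seen.add(tag)  # entries older than MAX_SKEW can be purged by the caller
    return body[8:]
```
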