Firewall Wizards mailing list archives

Re: checkpoint port-redirection question


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sun, 1 Jun 2003 21:54:24 -0400 (EDT)

On Sat, 31 May 2003, Douglas J Hunley wrote:


R. DuFresne shocked and awed us all with:
sounds like a sendmail rather than a fw-1 issue, editing the sendmail.cf
on the servers in question and designating the smart-relay-host should do
the trick here.

that would work. except that certain parts of the organization have "illicit"
sendmail boxes that "can't" be configured. also, if I could do this at the
firewall, it would automatically catch a new sendmail box that was brought
online in the future that somebody "forgot" to configure the smart relay on


I may be reading this incorrectly, but, it reads to me like this:

There are either "illicit" or misconfigured sendmails on your internal
network, not complying with a policy that says they must push all outbound
traffic through a choke point noted as the mail.gateway.

There are two ways to work with this situation: just not allow the
misconfigured systems to function until they are properly set up to comply
with the policy, or be a 'nice guy' and provide a workaround to enable
those not complying with policy for one reason or another to not learn how
to do their part of the job properly.  Both ways might well serve to log
the "illicit" sendmails, one by logging those rejected for not sending to
the choke point, and the other perhaps via logging of those provided the
enabling redirect.  I can see where in a low techie environment one might
do the enabling thing, until others get up to speed.  But, somehow it
sticks in the craw to go that route in other environments when you are
supposed to be dealing with `trained` professionals that should know what
their requirements and responsibilities are.  Additionally, the redirect
might well also not push those not doing into doing as quickly as a broken
sendmail might.  Besides, then one has the confidence of knowing that
others have a modicum of understanding what the corporate policy actually
is.

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!


