Subject: Re: DNS-based firewalling?
To: Florian Stoehr <netbsd@wolfnode.de>
From: Johnny Billquist <bqt@Update.UU.SE>
List: netbsd-users
Date: 01/10/2005 14:40:33
On Mon, 10 Jan 2005, Florian Stoehr wrote:
> On Mon, 10 Jan 2005, Johnny Billquist wrote:
>
>> On Mon, 10 Jan 2005, Michael Smith wrote:
>>
>>> On Mon, 10 Jan 2005 00:35:29 +0100 (CET)
>>> Florian Stoehr <netbsd@wolfnode.de> wrote:
>>>
>>>> I want a "you won't even connect at SMTP" solution in that case
>>>
>>> I don't think it is a good idea to do a DNS lookup while filtering
>>> packets, and judging from the other responses it may not be doable anyway.
>>>
>>> How about using your smtp daemon to build a list of IP addresses which you
>>> don't want to accept connections from and using pf to filter subsequent
>>> connection attempts?
>>
>> Since no one has mentioned /etc/hosts.deny yet, I'll do it.
>> Simple, you can do it based on hostnames or IP address ranges, and while I
>> think you do get through the connect stage, the port is immediately
>> disconnected again.
>>
>> Johnny
>>
>> Johnny Billquist                  || "I'm on a bus
>>                                   ||  on a psychedelic trip
>> email: bqt@update.uu.se           ||  Reading murder books
>> pdp is alive!                     ||  tryin' to stay hip" - B. Idol
>>
>
> Hm -> this is a nice way, anyway it only works from inetd.
No, I believe it works for all applications, including sendmail/postfix.
> So I'll put a portforwarder protected by the hosts.deny into inetd and
> forward "successful" connections to the real SMTP somewhere else then.
>
> Yes, I think this will finally solve it.
>
> Thanks for all replies.
Johnny
Johnny Billquist                  || "I'm on a bus
                                  ||  on a psychedelic trip
email: bqt@update.uu.se           ||  Reading murder books
pdp is alive!                     ||  tryin' to stay hip" - B. Idol
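The thread settles on /etc/hosts.deny, i.e. the tcp_wrappers access control that inetd's tcpd and any daemon linked against libwrap consult before serving a connection. The rule semantics (hosts.allow is checked first, then hosts.deny, first match wins, and a client may be given as a domain suffix, an address prefix or a net/mask pair) are easy to get wrong, so the following is an added example, not code from this thread or from tcp_wrappers itself: a small Python model of that lookup order which lets a proposed hosts.allow/hosts.deny pair be checked offline against constructed peers before it is put in front of an SMTP daemon. The daemon name `sendmail`, the hostnames and the addresses are constructed; the `EXCEPT` operator, shell commands and the hosts_options extensions are not modelled.

```python
"""Model of hosts_access(5) rule matching, as used by /etc/hosts.deny.

Constructed example: it is not libwrap and does not read the live files.
It reproduces the lookup order (hosts.allow, then hosts.deny, first match
wins, default is to grant) and the common client patterns, so a policy can
be tested offline before deployment.
"""
import ipaddress

# Constructed sample policy files; the hosts and addresses are made up.
HOSTS_ALLOW = """
# hosts.allow is consulted first; the first matching line wins.
sendmail : 192.168.1. 127.0.0.1
"""

HOSTS_DENY = """
# Deny by domain suffix, by address prefix and by net/mask pair.
sendmail : .spam-example.net
sendmail : 10.
ALL      : 172.16.0.0/255.240.0.0
"""


def parse(text):
    """Return [(daemon_list, client_list)] from hosts.allow/deny text.

    Lines are 'daemon_list : client_list [: option]'; '#' starts a comment
    and list elements may be separated by blanks or commas.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, hostname, address):
    """Match one client pattern against one peer (hostname '' if unknown)."""
    host = hostname.lower()
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return host != ""
    if pattern == "UNKNOWN":
        return host == ""
    if pattern.startswith("."):          # domain suffix, e.g. .example.net
        return host.endswith(pattern.lower())
    if pattern.endswith("."):            # address prefix, e.g. 192.168.1.
        return address.startswith(pattern)
    if "/" in pattern:                   # net/mask pair n.n.n.n/m.m.m.m
        net, mask = pattern.split("/", 1)
        network = ipaddress.IPv4Network((net, mask), strict=False)
        return ipaddress.IPv4Address(address) in network
    return pattern == address or pattern.lower() == host   # exact match


def rule_matches(rule, daemon, hostname, address):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, hostname, address) for c in clients))


def access_allowed(daemon, hostname, address,
                   allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: allow file, then deny file, else grant."""
    for rule in parse(allow):
        if rule_matches(rule, daemon, hostname, address):
            return True
    for rule in parse(deny):
        if rule_matches(rule, daemon, hostname, address):
            return False
    return True


if __name__ == "__main__":
    peers = [                            # constructed (hostname, address)
        ("mail.spam-example.net", "203.0.113.5"),
        ("", "10.8.0.9"),
        ("relay.example.org", "172.17.4.4"),
        ("lan.example.org", "192.168.1.20"),
        ("relay.example.org", "198.51.100.7"),
    ]
    for host, addr in peers:
        verdict = "allow" if access_allowed("sendmail", host, addr) else "deny"
        print("%-5s sendmail from %s [%s]" % (verdict, host or "?", addr))
```

Two points the model makes visible: a client that matches nothing in either file is granted, so a deny-list on its own only blocks what it names; and the suffix rule depends on the reverse lookup of the peer, which is exactly the DNS dependency the earlier replies in the thread were uneasy about, whereas the address prefix and net/mask rules need no DNS at all.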