We restrict all connections to the internet via our firewall. I think that
unless you control outgoing connections you do create a significant security
As an example one of the ways in which the recent sendmail hole was exploited
was by planting a program on your mailhost that would attempt to open
a connection to a remote, unfriendly, host. This would allow an attacker
onto your system from outside and the connection would appear to have
been initiated *from the inside*. This would have beaten many 'packet
filtering' based firewall schemes.
There is always a tradeoff to be made between ease of use and security, a
great deal depends on what you are trying to achieve.
Harry Protoolis "Sons of the South, make a choice between ...
uk The land that belongs to the lord and the Queen
And the land that belongs to you." - Henry Lawson
(with apologies for the sexist language)