09-02-2009 09:42 AM - edited 03-11-2019 09:11 AM
I have been reading through the documentation on implementing CBAC. I want to confirm what I think I know. A simple example - SMTP. Email server on the inside needs to talk to external email servers and vice versa. SMTP needs two way port 25. If I implement CBAC on the border router inspecting SMTP from the inside heading out, no external email servers would be able to initiate and make contact with the internal email server as CBAC would not see a session initiated from the inside and block the attempt.
Correct?
09-02-2009 09:46 AM
Jeffrey
Yes. Basically with CBAC dynamic acl entries are made and removed for each connection. If you wanted to allow incoming connections to your mail server your acl would look something like
access-list CBAC permit tcp any host
access-list CBAC deny ip any any
Jon
09-02-2009 09:55 AM
Jon - Thanks for the response. I have been poring through reflexive ACL docs and CBAC docs and this is essentially what I came up with: they appear to be only useful in the following scenario: when I want to initiate a session from the inside going out, but I don't ever want that same thing to be initiated from the outside coming back in.
Seems to me that these (RACLs and CBAC) would have very little utility.
What am I missing?
09-02-2009 10:17 AM
I think in your case, Reflexive ACL is already enough.
CBAC is more advanced because it can inspect protocol traffic and open the corresponding ports for applications that need a separate session for bulk data transfer, say FTP, VoIP etc.
In your case, the requirement is just SMTP. So I trust RACL is enough.
Feel free to comment.
09-02-2009 10:47 AM
Jeffrey
"Seems to me that these (RACLs and CBAC) would have very little utility.
What am I missing?"
CBAC will also do stateful inspection unlike the RACLs.
But in answer to your main point I'm not sure you are missing anything. There really is very little difference between how CBAC handles incoming connections and how a PIX/ASA would do it, i.e. if on an ASA you want to allow SMTP back in then you still have to add a rule to an acl allowing that traffic back in, which is really no different to what we did with the CBAC acl.
The key thing is that, just like a firewall, if you don't allow it in specifically then only return connections for traffic initiated from inside are allowed back in.
Whether or not a RACL would be enough - well CBAC does do TCP stateful checking and a RACL doesn't.
Jon
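As an added illustration of the setup Jon describes (not configuration from any post in this thread): classic IOS CBAC inspecting SMTP outbound on the border router, with an inbound ACL that statically permits SMTP to the internal mail server so external servers can still initiate to it. The interface name and the mail server address 192.0.2.25 are placeholders.

```cisco
! Inspection rule: track SMTP (and generic TCP) sessions started from inside.
! CBAC adds temporary inbound entries only for return traffic of these sessions.
ip inspect name BORDER_INSPECT smtp
ip inspect name BORDER_INSPECT tcp
!
! Inbound ACL on the outside interface. Without the first permit line, an
! external mail server connecting to us would be dropped, because no
! inside-initiated session exists for CBAC to match it against.
ip access-list extended OUTSIDE_IN
 remark Placeholder address: internal mail server
 permit tcp any host 192.0.2.25 eq smtp
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside (placeholder interface name)
 ip access-group OUTSIDE_IN in
 ip inspect BORDER_INSPECT out
!
! Verification: sessions opened from inside appear here while they are active;
! the static permit above is what allows outside-initiated SMTP.
! show ip inspect sessions
! show ip access-lists OUTSIDE_IN
```

A reflexive ACL would give the same outbound-only behaviour for SMTP, but only CBAC adds the TCP state checking Jon mentions.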