>What if you want to do something between "everyone can access it" and "only localhost can access it"? For example, I have to run a recursive DNS resolver on a port other than 53 because my ISP intercepts DNS traffic. I've limited access to only my ISP's IPs at the software firewall, so as not to unwittingly take part in a DNS amplification attack.
Hmm. In that specific instance it makes sense, because spoofing the IP is the whole point of the attack. I'd argue that's basically unique to DNS though, in which case the advantage of managing it in the same place as your other services goes away.
>Or what if I want to run a mail relay but only allow machines I control to access it.
Then you use a real authentication mechanism (i.e. SMTP AUTH). Otherwise it would seem perfectly possible for a spammer to spoof one of your IPs and use your relay.
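As an added example (not from the thread), an nftables ruleset implementing the middle ground the quoted commenter describes: a recursive resolver on a non-standard port that only the ISP's address ranges may reach, with a rate limit as a second guard against being used as a reflector. The port 5353 and the prefixes are placeholders (TEST-NET ranges), not real values from the thread.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Port 5353 and the prefixes are placeholders.
table inet resolver_acl {
    set isp_prefixes {
        type ipv4_addr
        flags interval
        # Placeholder ISP ranges (TEST-NET); replace with the ISP's announced prefixes.
        elements = { 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Replies to connections this host initiated, and loopback, are fine.
        ct state established,related accept
        iif lo accept

        # Resolver on a non-standard port: only the ISP's prefixes may query it.
        # A query whose source is outside these ranges is dropped before the
        # resolver sees it, so it cannot be made to reflect answers at a third party.
        # The rate limit bounds the damage if a source inside the ranges is spoofed.
        udp dport 5353 ip saddr @isp_prefixes limit rate over 50/second drop
        udp dport 5353 ip saddr @isp_prefixes accept
        tcp dport 5353 ip saddr @isp_prefixes accept
        udp dport 5353 drop
        tcp dport 5353 drop
    }
}
```

Load with `nft -f` and verify with `nft list ruleset`; the chain keeps the commenter's default-accept policy and restricts only the resolver port.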