nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: How to secure the Internet in three easy steps

From: "Matthew S. Hallacy" <poptix () techmonkeys org>
Date: Sun, 27 Oct 2002 19:42:10 -0600

On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:


Sean,

At Home's policy was that servers were administratively forbidden. It
ran proactive port scans to detect them (which of course were subject to
firewall ACLs) and actioned them under a complex and changing rule set.
It frequently left enforcement to the local partner depending on
contractual arrangements. It did not block ports. Non-transparent
proxing was used for http - you could opt out if you knew how. 

While many DSL providers have taken up filtering port 25, the cable
industry practice is mostly to leave ports alone. I know of one large


Untrue, AT&T filters the following *on* the CPE:

Ports  / Direction / Protocol

137-139 -> any Both UDP
any -> 137-139 Both UDP
137-139 -> any Both TCP
any -> 137-139 Both TCP
any -> 1080 Inbound TCP
any -> 1080 Inbound UDP
68 -> 67    Inbound UDP
67 -> 68    Inbound UDP
any -> 5000 Inbound TCP
any -> 1243 Inbound UDP

And they block port 80 inbound TCP further out in their network. Overall,
cable providers more heavily than cable providers.

I'd say that AT&T represents a fair amount of the people served via cable
internet.



Regards,

Eric Carroll


-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203
Previous By Date Next
Previous By Thread Next

Current thread: