![nanog logo](/images/nanog-logo.png)
nanog mailing list archives
Re: How to secure the Internet in three easy steps
From: "Joe" <joej () rocknyou com>
Date: Sun, 27 Oct 2002 21:14:33 -0500
I Second that. AT&T blocks ports (depending where you are) but won't come right out and say it. On a call to them over a year ago while testing DSL versus Cable in San Jose, it took almost an hour to get them to admit that they were blocking ports 137-139, and even then there was no formal acknowledgement of this blocking. If I was a betting man, which I'm not, I'd bet on them blocking udp 53 as well. No standard as I see it, depends on the child company managing the cable service. Just my 2¢s tho -Joe ----- Original Message ----- From: "Joseph Barnhart" <flaboy () fdt net> To: "Matthew S. Hallacy" <poptix () techmonkeys org> Cc: <nanog () merit edu> Sent: Sunday, October 27, 2002 8:46 PM Subject: Re: How to secure the Internet in three easy steps
Not really On Sun, 27 Oct 2002, Matthew S. Hallacy wrote:On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:Sean, At Home's policy was that servers were administratively forbidden. It ran proactive port scans to detect them (which of course were subject
to
firewall ACLs) and actioned them under a complex and changing rule
set.
It frequently left enforcement to the local partner depending on contractual arrangements. It did not block ports. Non-transparent proxing was used for http - you could opt out if you knew how. While many DSL providers have taken up filtering port 25, the cable industry practice is mostly to leave ports alone. I know of one largeUntrue, AT&T filters the following *on* the CPE: Ports / Direction / Protocol 137-139 -> any Both UDP any -> 137-139 Both UDP 137-139 -> any Both TCP any -> 137-139 Both TCP any -> 1080 Inbound TCP any -> 1080 Inbound UDP 68 -> 67 Inbound UDP 67 -> 68 Inbound UDP any -> 5000 Inbound TCP any -> 1243 Inbound UDP And they block port 80 inbound TCP further out in their network.
Overall,
cable providers more heavily than cable providers. I'd say that AT&T represents a fair amount of the people served via
cable
internet.Regards, Eric Carroll-- Matthew S. Hallacy FUBAR, LART, BOFH
Certified
http://www.poptix.net GPG public key
0x01938203
------------------------- Joseph Barnhart Florida Digital Turnpike Network Administrator http://www.fdt.net http://www.agilitybb.net -------------------------
Current thread:
- Re: How to secure the Internet in three easy steps, (continued)
- Re: How to secure the Internet in three easy steps Paul Vixie (Oct 26)
- RE: How to secure the Internet in three easy steps Eric M. Carroll (Oct 27)
- Re: How to secure the Internet in three easy steps Matthew S. Hallacy (Oct 27)
- Re: How to secure the Internet in three easy steps Joseph Barnhart (Oct 27)
- Re: How to secure the Internet in three easy steps William Warren (Oct 27)
- Re: How to secure the Internet in three easy steps Christopher Schulte (Oct 27)
- RE: How to secure the Internet in three easy steps Vivien M. (Oct 27)
- RE: How to secure the Internet in three easy steps alex (Oct 28)
- RE: How to secure the Internet in three easy steps Scott Granados (Oct 28)
- Re: How to secure the Internet in three easy steps Valdis . Kletnieks (Oct 28)
- Re: How to secure the Internet in three easy steps Joe (Oct 27)
- Re: How to secure the Internet in three easy steps dgold (Oct 29)
- Re: How to secure the Internet in three easy steps Matthew S. Hallacy (Oct 27)
- Re: How to secure the Internet in three easy steps Petri Helenius (Oct 25)
- Re: How to secure the Internet in three easy steps batz (Oct 25)
- Re: How to secure the Internet in three easy steps Michael Lamoureux (Oct 25)
- Re: DNS issues various Craig Partridge (Oct 24)
- Message not available
- Re: DNS issues various Daniel Senie (Oct 25)
- Re: DNS issues various dre (Oct 24)
- Re: DNS issues various Richard A Steenbergen (Oct 24)
- Re: DNS issues various David G. Andersen (Oct 24)