nanog mailing list archives
Re: BCP for ISP to block worms at PEs and NAS
From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Mon, 18 Apr 2005 02:24:06 +0000 (GMT)
On Sun, 17 Apr 2005, J.D. Falk wrote:
> On 04/17/05, John Kristoff <jtk () northwestern edu> wrote:
>
> > deny tcp any any range 135 139
> > deny udp any any range 135 netbios-ss
> > deny tcp any any eq 445
> > deny udp any any eq 1026
> >
> > Similar as before, you are going to be removing some legitimate traffic.
>
> Is this really true? All of the ports listed above are used by LAN protocols that were never intended to communicate directly across backbone networks -- that's why VPNs were invented.

and people use them all the time across the real Internet :( It's dumb, we can argue about its 'correctness' or 'localness' or whatever until we are blue in the face, but people still do it.

> Or, is your argument that some system somewhere MIGHT ignore the official port numbers allocated by IANA and try to pass some other kind of traffic there instead?

Certainly, ssh over tcp/80 is common, other protocols can become agile as well... people SHOULD use the IANA port numbers, in practice they don't always abide by them :(

> > Perhaps set the rules to permit and log first, let it run for a while and then see what you'll be missing.
>
> Yep, this is always good advice. But don't give up just because of some naysayers rolling out the usual FUD. In the real world, security for the many outweighs the extremely unlikely edge cases of the few.

Or... use a system where your users can 'subscribe' to a 'better Internet' (define 'better Internet' as you like)
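The "permit and log first, then see what you'll be missing" step quoted above is easy to do badly by eyeballing syslog. Below is an added worked example (editor's code, not part of the thread or anyone's posted configuration) that replays permit+log records against the four candidate deny lines from the quoted ACL and reports what would have been dropped: flows, packets and distinct source/destination hosts per rule. Assumptions: the log lines are constructed samples in the style of IOS %SEC-6-IPACCESSLOGP messages, the regex is written for that constructed layout only, and the IOS keyword netbios-ss is taken to mean udp/139 so "range 135 netbios-ss" becomes 135-139. Port-agile traffic such as ssh over tcp/80 falls outside every candidate rule and is counted as a permitted flow that is not affected.

```python
import re
from collections import Counter, defaultdict

# The four candidate deny lines from the quoted ACL, as (proto, low_port, high_port).
# Assumption: IOS "netbios-ss" == udp/139, so "range 135 netbios-ss" is 135-139.
CANDIDATE_DENIES = [
    ("tcp", 135, 139),
    ("udp", 135, 139),
    ("tcp", 445, 445),
    ("udp", 1026, 1026),
]

# Matches the constructed sample layout below (modelled on IOS %SEC-6-IPACCESSLOGP
# entries); adjust the pattern for the real syslog format in use.
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?"
)

# Constructed sample log, not real router output. Documentation prefixes used
# for addresses (192.0.2.0/24 and 198.51.100.0/24).
SAMPLE_LOG = """\
Apr 17 2005 22:01:03: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(3412) -> 198.51.100.5(445), 1 packet
Apr 17 2005 22:01:05: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(3413) -> 198.51.100.6(445), 1 packet
Apr 17 2005 22:01:09: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.11(1044) -> 198.51.100.7(139), 3 packets
Apr 17 2005 22:01:12: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.0.2.12(1026) -> 198.51.100.8(1026), 1 packet
Apr 17 2005 22:01:15: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.13(2201) -> 198.51.100.9(80), 12 packets
Apr 17 2005 22:01:20: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.14(4021) -> 198.51.100.10(136), 1 packet
Apr 17 2005 22:01:22: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.0.2.15(137) -> 198.51.100.11(137), 2 packets
Apr 17 2005 22:01:30: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.16(5555) -> 198.51.100.12(23), 1 packet
this line is not an ACL log entry at all
"""


def parse_log_line(line):
    """Return a dict for one ACL log record, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "acl": d["acl"], "action": d["action"], "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]), "pkts": int(d["pkts"]),
    }


def matching_rule(proto, dport):
    """First candidate deny rule this (proto, destination port) would hit, else None."""
    for rule in CANDIDATE_DENIES:
        r_proto, lo, hi = rule
        if proto == r_proto and lo <= dport <= hi:
            return rule
    return None


def format_rule(rule):
    """Render a candidate tuple back into the ACL syntax used in the thread."""
    proto, lo, hi = rule
    ports = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
    return f"deny {proto} any any {ports}"


def summarize(log_text):
    """Tally permitted flows that the candidate ACL would have dropped."""
    by_rule, pkts_by_rule = Counter(), Counter()
    sources, dests = defaultdict(set), defaultdict(set)
    total_flows = would_drop = 0
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["action"] != "permitted":
            continue  # only traffic that actually got through tells us what we'd lose
        total_flows += 1
        rule = matching_rule(rec["proto"], rec["dport"])
        if rule is None:
            continue
        would_drop += 1
        by_rule[rule] += 1
        pkts_by_rule[rule] += rec["pkts"]
        sources[rule].add(rec["src"])
        dests[rule].add(rec["dst"])
    return {
        "total_permitted_flows": total_flows,
        "flows_would_drop": would_drop,
        "by_rule": dict(by_rule),
        "packets_by_rule": dict(pkts_by_rule),
        "distinct_sources": {r: len(s) for r, s in sources.items()},
        "distinct_destinations": {r: len(s) for r, s in dests.items()},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['flows_would_drop']} of {report['total_permitted_flows']} permitted flows would be dropped")
    for rule, n in sorted(report["by_rule"].items(), key=lambda kv: -kv[1]):
        print(f"  {format_rule(rule):34} flows={n} packets={report['packets_by_rule'][rule]} "
              f"src_hosts={report['distinct_sources'][rule]} dst_hosts={report['distinct_destinations'][rule]}")
```

The distinct-host counts are the part worth reading before committing the deny lines: many flows from one source to many destinations on tcp/445 looks like a scanning host, while many sources each reaching one destination on the same port is more likely a service somebody depends on. Feed the script the full log window rather than a sample, and swap LOG_RE for whatever your collector actually emits.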
Current thread:
- Re: BCP for ISP to block worms at PEs and NAS, (continued)
- Re: BCP for ISP to block worms at PEs and NAS Sean Donelan (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS J.D. Falk (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Kim Onnel (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Christopher L. Morrow (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Randy Bush (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Sean Donelan (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS J.D. Falk (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Steven M. Bellovin (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS John Kristoff (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Christopher L. Morrow (Apr 17)