Re: ISP Filtering (Survey of Sorts)

[Jens Hektor <hektor () RZ RWTH-Aachen DE>]

macdaddy () pittstate edu wrote:

> 1-19 I/O  (there isn't any reason why a user should be using these ports)
>
> 61/62 I (there isn't any reason why someone should be query *any* of our
> devices via SNMP)

Should read 161/162.

> 111 I/O (talk about hack me please...)
>
> 135-139 I/O (no reason to allow this.  too much info can be gathered with
> NO log entry on the queried box.  most are misconfigured and allow access
> to way too much)
>
> 53 where possible (few client nodes should be queried for DNS.  Most of
> our users are basic dialups.  Some DSL, very little business DSL or leased
> line.  Those people plus our own DNS servers need to be allowed for.)
>
> netbus/BO ports  (let's halt the problem before it starts)

I think this is good practice.

Additionally I would suggest tftp/bootps.

> I've seriously been thinking about blocking connections TO port 25 on our
> client (non-business) nodes.  We'd still allow them to use any SMPT server

Establish a virus-scanning relay and most of them will be happy.

Bye, Jens

--
Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen
Computing Center Technical University Aachen, network operation & security
mailto:hektor () RZ RWTH-Aachen DE, Tel.: +49 241 80 4866