Re: BCP for ISP to block worms at PEs and NAS

["J.D. Falk" <jdfalk () cybernothing org>]

On 04/17/05, John Kristoff <jtk () northwestern edu> wrote: 

> >  deny   tcp any any range 135 139
> >  deny   udp any any range 135 netbios-ss
> >  deny   tcp any any eq 445
> >  deny   udp any any eq 1026
>
> Similar as before, you are going to be removing some legitimate
> traffic.

        Is this really true?  All of the ports listed above are used by
        LAN protocols that were never intended to communicate directly 
        across backbone networks -- that's why VPNs were invented.

        Or, is your argument that some system somewhere MIGHT ignore the
        offical port numbers allocated by IANA and try to pass some
        other kind of traffic there instead?

> Perhaps set the rules to permit and log first, let it run for awhile
> and then see what you'll be missing.

        Yep, this is always good advice.  But don't give up just because
        of some naysayers rolling out the usual FUD.  In the real world, 
        security for the many outweighs the extremely unlikely edge cases 
        of the few.

-- 
J.D. Falk                           As a carpenter bends the seat of a chariot
<jdfalk () cybernothing org>                    I bend this frenzy round my heart.