nanog mailing list archives

Re: Customer-facing ACLs


From: Sean Donelan <sean () donelan com>
Date: Mon, 10 Mar 2008 12:57:28 -0400 (EDT)


On Fri, 7 Mar 2008, Scott Weeks wrote:
To me there is no question of whether or not you filter traffic for
residential broadband customers.

SBC in my area (Dallas) went from wide open to outbound 25 blocked by
default/opened on request. I think doing the same thing with port 22 would
hardly be an undue burden on users, and would help keep botnets in check.
------------------------------------------------

Might as well do TCP 20, 21 and 23, too.  Woah, that slope's getting slippery!


Depends on how you ask the questions.

How about: Should a stateful firewall be provided for casual broadband dynamic Internet access connections by default? Users may change the default settings of the stateful firewall as they choose.
        1. Unsolicited inbound (to user LAN) traffic

Are there LAN-only protocols and other data packets which shouldn't be accepted on WAN Internet access links without prior coordination (if ever)?
        1. Anti-spoofing controls of source addresses
        2. Proxy/gratuitous ARP, ICMP redirects, DHCP server->client, RIP?
        3. "Local" multicast data and broadcasts
        4. "Sanity" checks of IP headers (i.e. source==destination,
                loopback, etc) which should never appear on the wire
        5. Layer 2 non-Internet (non-IP, non-IPv6, non-ARP, non-PPPoE)

Are there some protocols that should have prior coordination when using some Internet access types, e.g. dynamic or unauthenticated connections?
        1. outbound to off-net SMTP (port 25) instead of MSA (port 587)
        2. NetBIOS over TCP, the exploding Microsoft protocol?
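The three question groups in the message above (default stateful filtering of unsolicited inbound traffic, LAN-only protocols and header sanity checks on the customer-facing link, and prior-coordination ports such as off-net SMTP and NetBIOS) can be expressed as a single ordered policy. The following is an added example, not code from the thread or from any vendor: a small Python evaluator that applies those checks to constructed packets for one hypothetical customer assigned 203.0.113.0/24. The "stateful" inbound rule is approximated the way a stateless `established`-style ACL does it (drop inbound TCP SYNs, permit the rest), so it is a model of the policy, not a connection tracker.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example: one customer holding a single assigned prefix
# (documentation range, chosen for the example; not a real allocation).
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")

BLOCK_BY_DEFAULT_TCP = {25}      # off-net SMTP; the MSA port 587 stays open
NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name/datagram/session services
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass
class Packet:
    direction: str          # "from_customer" (toward the Internet) or "to_customer"
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False       # TCP SYN without ACK, i.e. a new connection attempt
    icmp_type: int = -1     # 5 == ICMP redirect


def sanity_check(pkt: Packet) -> Optional[str]:
    """Header checks for packets that should never appear on the wire.
    Returns a deny reason, or None when the headers look sane."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src == dst:
        return "deny: source == destination"
    if src.is_loopback or dst.is_loopback:
        return "deny: loopback address on the wire"
    if src.is_multicast or src.is_link_local:
        return "deny: multicast/link-local source"
    if dst.is_multicast or dst.is_link_local or dst == LIMITED_BROADCAST:
        return "deny: local multicast/broadcast destination"
    return None


def evaluate(pkt: Packet) -> str:
    """Apply the customer-facing policy in order; first match wins."""
    reason = sanity_check(pkt)
    if reason:
        return reason
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    if pkt.direction == "from_customer":
        # Anti-spoofing: the customer may only source its assigned prefix.
        if src not in CUSTOMER_PREFIX:
            return "deny: spoofed source outside assigned prefix"
        # LAN-only control protocols have no business on the WAN link.
        if pkt.proto == "icmp" and pkt.icmp_type == 5:
            return "deny: ICMP redirect"
        if pkt.proto == "udp" and pkt.sport == 67 and pkt.dport == 68:
            return "deny: DHCP server->client"
        if pkt.proto == "udp" and pkt.dport == 520:
            return "deny: RIP"
        # Ports that require prior coordination on dynamic connections.
        if pkt.proto == "tcp" and pkt.dport in BLOCK_BY_DEFAULT_TCP:
            return "deny: outbound SMTP to off-net relay (use MSA 587)"
        if pkt.dport in NETBIOS_PORTS:
            return "deny: NetBIOS"
        return "permit"

    # to_customer: only traffic for this customer's prefix belongs here.
    if dst not in CUSTOMER_PREFIX:
        return "deny: destination not this customer"
    if pkt.proto == "icmp" and pkt.icmp_type == 5:
        return "deny: ICMP redirect"
    if pkt.dport in NETBIOS_PORTS:
        return "deny: NetBIOS"
    # Default stateful posture, approximated: no unsolicited inbound sessions.
    if pkt.proto == "tcp" and pkt.syn:
        return "deny: unsolicited inbound connection"
    return "permit"


def run_samples() -> dict:
    """Constructed sample traffic; returns {label: verdict} for inspection."""
    samples = {
        "web_out":      Packet("from_customer", "203.0.113.5", "192.0.2.1", "tcp", 40000, 80, True),
        "smtp_out":     Packet("from_customer", "203.0.113.5", "192.0.2.1", "tcp", 40001, 25, True),
        "msa_out":      Packet("from_customer", "203.0.113.5", "192.0.2.1", "tcp", 40002, 587, True),
        "spoofed_out":  Packet("from_customer", "198.51.100.7", "192.0.2.1", "tcp", 40003, 80, True),
        "redirect_out": Packet("from_customer", "203.0.113.5", "192.0.2.1", "icmp", icmp_type=5),
        "web_reply_in": Packet("to_customer", "192.0.2.1", "203.0.113.5", "tcp", 80, 40000, False),
        "ssh_in":       Packet("to_customer", "192.0.2.1", "203.0.113.5", "tcp", 40004, 22, True),
        "loopback_src": Packet("from_customer", "127.0.0.1", "192.0.2.1", "udp", 1, 2),
    }
    return {label: evaluate(p) for label, p in samples.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:13s} {verdict}")
```

The ordering matters: sanity and anti-spoofing checks run before any port-based rule, so a spoofed packet is never judged on its destination port, and the default-deny for inbound SYNs sits last so that explicitly listed LAN-only protocols get their own, more specific, log reason.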

