nanog mailing list archives
Re: Customer-facing ACLs
From: Sean Donelan <sean () donelan com>
Date: Mon, 10 Mar 2008 12:57:28 -0400 (EDT)
On Fri, 7 Mar 2008, Scott Weeks wrote:
> To me there is no question of whether or not you filter traffic for residential broadband customers.
>
> SBC in my area (Dallas) went from wide open to outbound 25 blocked by default/opened on request. I think doing the same thing with port 22 would hardly be an undue burden on users, and would help keep botnets in check.
> ------------------------------------------------
>
> Might as well do TCP 20, 21 and 23, too. Woah, that slope's getting slippery!

Depends on how you ask the questions.

How about:

Should a stateful firewall be provided for casual broadband dynamic Internet access connections by default? Users may change the default settings of the stateful firewall as they choose.

1. Unsolicited inbound (to user LAN) traffic

Are there LAN-only protocols and other data packets which shouldn't be accepted on WAN Internet access links without prior coordination (if ever)?

1. Anti-spoofing controls of source addresses
2. Proxy/gratuitous ARP, ICMP redirects, DHCP server->client, RIP?
3. "Local" multicast data and broadcasts
4. "Sanity" checks of IP headers (i.e. source==destination, loopback, etc) which should never appear on the wire
5. Layer 2 non-Internet (non-IP, non-IPv6, non-ARP, non-PPPOE)

Are there some protocols that should have prior coordination when using some Internet access types, e.g. dynamic or unauthenticated connections?

1. outbound to off-net SMTP (port 25) instead of MSA (port 587)
2. NetBios over TCP, the exploding Microsoft protocol?
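
The IP-level checks listed in the message above, sketched as a small packet classifier for a subscriber edge. This is an added example, not part of the original post; the prefixes, the verdict strings and the names `stateless_check` and `EdgeFilter` are assumptions made for illustration.

```python
import ipaddress

# All addresses and prefixes below are constructed documentation values.
CUSTOMER = ipaddress.ip_network("203.0.113.8/29")   # subscriber's assigned prefix
ON_NET = ipaddress.ip_network("198.51.100.0/24")    # provider's own mail relays
LOCAL_ONLY = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "224.0.0.0/24", "255.255.255.255/32")]
NETBIOS = {137, 138, 139}

def stateless_check(direction, src, dst, proto, sport, dport):
    """Checks that need no connection state. Returns a reason string or None.
    direction "out" is customer -> Internet, "in" is the reverse.
    "coordinate" means blocked by default, opened on request."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s == d:
        return "drop: source==destination"
    if any(s in n or d in n for n in LOCAL_ONLY):
        return "drop: loopback, local multicast or broadcast"
    inside = s if direction == "out" else d
    outside = d if direction == "out" else s
    if inside not in CUSTOMER or outside in CUSTOMER:
        return "drop: spoofed or misrouted address"
    if proto == "udp" and (dport == 520 or (direction == "out" and sport == 67)):
        return "drop: LAN-only protocol (RIP, DHCP server)"
    if dport in NETBIOS or sport in NETBIOS:
        return "coordinate: NetBIOS over TCP/IP"
    if direction == "out" and proto == "tcp" and dport == 25 and d not in ON_NET:
        return "coordinate: off-net SMTP, use MSA port 587"
    return None

class EdgeFilter:
    """Default-on stateful filter; the user may switch `stateful` off."""
    def __init__(self, stateful=True):
        self.stateful = stateful
        self.flows = set()   # flows opened from the customer side

    def handle(self, direction, src, dst, proto, sport, dport):
        reason = stateless_check(direction, src, dst, proto, sport, dport)
        if reason:
            return reason
        if direction == "out":
            self.flows.add((proto, src, sport, dst, dport))
            return "accept"
        # Inbound: accept only replies to a flow the customer opened.
        if self.stateful and (proto, dst, dport, src, sport) not in self.flows:
            return "drop: unsolicited inbound"
        return "accept"
```

The anti-spoofing and sanity checks apply even when the user has turned the stateful default off; only the unsolicited-inbound rule is user-controlled here.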