nanog mailing list archives
Re: Customer-facing ACLs
From: "Justin M. Streiner" <streiner () cluebyfour org>
Date: Fri, 7 Mar 2008 15:08:51 -0500 (EST)
On Fri, 7 Mar 2008, Justin Shore wrote:
Do you block any customer-facing egress traffic at all? What about ingress? SMTP, NetBIOS, MS-SQL, common proxy ports (3128, 6588)? What ICMP types do you allow or disallow?
In my previous life, I worked at a mid-sized ISP. A common practice for bridged DSL customers was to block outbound traffic to the various NetBIOS ports, along with a few other ports that were added at the time to keep Slammer and friends under control. We also deployed filters through RADIUS that covered much of the same ground for dialup and PPPoE DSL users, and it worked reasonably well.
I do recall weighing the merits of extending that to drop outbound SMTP to everything except our mail farm, but it wasn't deployed because there was a great deal of fear of customer backlash and that it would drive more calls into the call center.
jms