[102899] in North American Network Operators' Group


Re: Customer-facing ACLs

daemon@ATHENA.MIT.EDU (Justin M. Streiner)
Fri Mar 7 15:09:54 2008

Date: Fri, 7 Mar 2008 15:08:51 -0500 (EST)
From: "Justin M. Streiner" <streiner@cluebyfour.org>
To: NANOG <nanog@merit.edu>
In-Reply-To: <47D19D99.9000408@justinshore.com>
Errors-To: owner-nanog@merit.edu


On Fri, 7 Mar 2008, Justin Shore wrote:

> Do you block any customer-facing egress traffic at all?  What about ingress? 
> SMTP, NetBIOS, MS-SQL, common proxy ports (3128, 6588)?
>
> What ICMP types do you allow or disallow?

In my previous life, I worked at a mid-sized ISP.  A common practice for 
bridged DSL customers was to block outbound traffic to the various NetBIOS 
ports, along with a few other ports that were added at the time to keep 
Slammer and friends under control.  We also deployed filters through 
RADIUS that covered much of the same ground for dialup and PPPoE DSL users, 
and it worked reasonably well.

I do recall weighing the merits of extending that to drop outbound SMTP to 
everything except our mail farm, but it wasn't deployed because there was 
a great deal of fear of customer backlash and that it would drive more calls 
into the call center.

jms
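The filter described above, as an added worked example (not from the original post or from the ISP in question): an ordered, first-match rule list for customer-to-Internet traffic that drops the NetBIOS ports, the UDP 1434 port Slammer spread over, and the SMTP-except-to-the-mail-farm option the post weighed but did not deploy. It evaluates constructed sample flows and renders the same rules in Cisco IOS extended-ACL syntax. The ACL name, the mail-farm prefix (RFC 5737 documentation space) and the inclusion of TCP 1433 among "Slammer and friends" are assumptions.

```python
"""Model of a customer-facing (customer -> Internet) ACL: first-match rule
list, evaluated against sample flows and rendered as an IOS-style ACL.

Added example, not from the original post.  The prefixes, ACL name and the
port set beyond NetBIOS and UDP 1434 are assumptions."""

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                                # "permit" or "deny"
    proto: str                                 # "tcp", "udp", "icmp" or "ip"
    dst_net: Optional[ipaddress.IPv4Network]   # None = any destination
    dports: Optional[range]                    # None = any destination port


# Assumed mail-farm prefix (documentation space, not a real network).
MAIL_FARM = ipaddress.ip_network("192.0.2.0/28")

RULES = [
    # NetBIOS / SMB: TCP and UDP 135-139 plus 445.
    Rule("deny", "tcp", None, range(135, 140)),
    Rule("deny", "udp", None, range(135, 140)),
    Rule("deny", "tcp", None, range(445, 446)),
    Rule("deny", "udp", None, range(445, 446)),
    # SQL Slammer spread over UDP 1434 (SQL Server Resolution Service);
    # TCP 1433 (MS-SQL) is assumed here to be one of the "friends".
    Rule("deny", "udp", None, range(1434, 1435)),
    Rule("deny", "tcp", None, range(1433, 1434)),
    # The SMTP option the post considered: port 25 only to the mail farm.
    Rule("permit", "tcp", MAIL_FARM, range(25, 26)),
    Rule("deny", "tcp", None, range(25, 26)),
    # Everything else passes (ICMP included; the post restricts no ICMP types).
    Rule("permit", "ip", None, None),
]


def evaluate(rules, proto, dst_ip, dport=None):
    """Return 'permit' or 'deny' for one flow; first match wins, and an
    unmatched flow hits the implicit deny at the end, as on IOS."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.dst_net is not None and dst not in r.dst_net:
            continue
        if r.dports is not None and (dport is None or dport not in r.dports):
            continue
        return r.action
    return "deny"


def wildcard(net):
    """IOS writes destination prefixes with an inverted (wildcard) mask,
    e.g. 192.0.2.0/28 -> '192.0.2.0 0.0.0.15'."""
    return f"{net.network_address} {net.hostmask}"


def render_ios(rules, name="CUSTOMER-IN"):
    """Render the rule list as an IOS named extended ACL (assumed syntax;
    check against the platform before pasting it into a router)."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        dst = "any" if r.dst_net is None else wildcard(r.dst_net)
        if r.dports is None:
            ports = ""
        elif len(r.dports) == 1:
            ports = f" eq {r.dports.start}"
        else:
            ports = f" range {r.dports.start} {r.dports.stop - 1}"
        lines.append(f" {r.action} {r.proto} any {dst}{ports}")
    return "\n".join(lines)


# Constructed sample flows from a customer host: (proto, destination, dport).
SAMPLE_FLOWS = [
    ("tcp", "203.0.113.10", 139),    # NetBIOS session       -> deny
    ("udp", "203.0.113.10", 1434),   # Slammer               -> deny
    ("tcp", "192.0.2.5", 25),        # SMTP to the mail farm -> permit
    ("tcp", "203.0.113.10", 25),     # direct-to-MX SMTP     -> deny
    ("tcp", "203.0.113.10", 443),    # HTTPS                 -> permit
    ("icmp", "203.0.113.10", None),  # ICMP                  -> permit
]

if __name__ == "__main__":
    print(render_ios(RULES))
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(RULES, *flow))
```

Two practical points the model makes visible: the direction is easy to get backwards, since traffic leaving the customer arrives *inbound* on the provider's customer-facing interface, so the rendered ACL is applied with `ip access-group CUSTOMER-IN in` on that interface rather than `out`; and the order of the two SMTP lines matters, because swapping them would silently cut the mail farm off as well. The per-session RADIUS filters the post mentions would carry the same rule set, referenced by name (for example via the standard `Filter-Id` attribute) rather than applied to a shared interface.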
