[102921] in North American Network Operators' Group


Re: Customer-facing ACLs

daemon@ATHENA.MIT.EDU (Mark Foster)
Fri Mar 7 23:07:06 2008

Date: Sat, 8 Mar 2008 17:02:18 +1300 (NZDT)
From: Mark Foster <blakjak@blakjak.net>
To: Dave Pooser <dave.nanog@alfordmedia.com>
Cc: nanog@merit.edu
In-Reply-To: <C3F76656.10D78D%dave.nanog@alfordmedia.com>
Errors-To: owner-nanog@merit.edu


> Blocking port 25 outbound for dynamic users until they specifically request
> it be unblocked seems to me to meet the "no undue burden" test; so would
> port 22 and 23. Beyond that, I'd probably be hesitant until I either started
> getting a significant number of abuse reports about a certain flavor of
> traffic that I had reason to believe was used by only a tiny minority of my
> own users.
>

Sorry, I must've missed something.
Port 25 outbound (excepting ISP SMTP server) seems entirely logical to me.

Port 22 outbound? And 23? Telnet and SSH _outbound_ cause that much of a
concern? I can only assume it's to stop clients' exploited boxen being used
to anonymise further telnet/ssh attempts - but have to admit this
discussion is the first I've heard of it being done 'en masse'.

It'd frustrate me if I jacked into a friend's Internet in order to do some
legitimate SSH-based server administration, I imagine...

Is this not 'reaching' or is there a genuine benefit in blocking these 
ports as well?

Mark.



