[53028] in North American Network Operators' Group
Re: How to secure the Internet in three easy steps
daemon@ATHENA.MIT.EDU (Matthew S. Hallacy)
Sun Oct 27 20:42:01 2002
Date: Sun, 27 Oct 2002 19:42:10 -0600
From: "Matthew S. Hallacy" <poptix@techmonkeys.org>
To: nanog@merit.edu
In-Reply-To: <002601c27def$fe215bd0$7e02a8c0@emc2>
Errors-To: owner-nanog-outgoing@merit.edu
On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:
>
> Sean,
>
> At Home's policy was that servers were administratively forbidden. It
> ran proactive port scans to detect them (which of course were subject to
> firewall ACLs) and actioned them under a complex and changing rule set.
> It frequently left enforcement to the local partner depending on
> contractual arrangements. It did not block ports. Non-transparent
> proxing was used for http - you could opt out if you knew how.
>
> While many DSL providers have taken up filtering port 25, the cable
> industry practice is mostly to leave ports alone. I know of one large
Untrue, AT&T filters the following *on* the CPE:
Ports / Direction / Protocol
137-139 -> any Both UDP
any -> 137-139 Both UDP
137-139 -> any Both TCP
any -> 137-139 Both TCP
any -> 1080 Inbound TCP
any -> 1080 Inbound UDP
68 -> 67 Inbound UDP
67 -> 68 Inbound UDP
any -> 5000 Inbound TCP
any -> 1243 Inbound UDP
And they block port 80 inbound TCP further out in their network. Overall,
cable providers more heavily than cable providers.
I'd say that AT&T represents a fair amount of the people served via cable
internet.
>
> Regards,
>
> Eric Carroll
--
Matthew S. Hallacy FUBAR, LART, BOFH Certified
http://www.poptix.net GPG public key 0x01938203
