[53029] in North American Network Operators' Group
Re: How to secure the Internet in three easy steps
daemon@ATHENA.MIT.EDU (Joseph Barnhart)
Sun Oct 27 20:46:51 2002
Date: Sun, 27 Oct 2002 20:46:08 -0500 (EST)
From: Joseph Barnhart <flaboy@fdt.net>
To: "Matthew S. Hallacy" <poptix@techmonkeys.org>
Cc: nanog@merit.edu
In-Reply-To: <20021028014210.GC6157@techmonkeys.org>
Errors-To: owner-nanog-outgoing@merit.edu
Not really
On Sun, 27 Oct 2002, Matthew S. Hallacy wrote:
>
> On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:
> >
> > Sean,
> >
> > At Home's policy was that servers were administratively forbidden. It
> > ran proactive port scans to detect them (which of course were subject to
> > firewall ACLs) and actioned them under a complex and changing rule set.
> > It frequently left enforcement to the local partner depending on
> > contractual arrangements. It did not block ports. Non-transparent
> > proxying was used for http - you could opt out if you knew how.
> >
> > While many DSL providers have taken up filtering port 25, the cable
> > industry practice is mostly to leave ports alone. I know of one large
>
> Untrue, AT&T filters the following *on* the CPE:
>
> Ports / Direction / Protocol
>
> 137-139 -> any Both UDP
> any -> 137-139 Both UDP
> 137-139 -> any Both TCP
> any -> 137-139 Both TCP
> any -> 1080 Inbound TCP
> any -> 1080 Inbound UDP
> 68 -> 67 Inbound UDP
> 67 -> 68 Inbound UDP
> any -> 5000 Inbound TCP
> any -> 1243 Inbound UDP
>
> And they block port 80 inbound TCP further out in their network. Overall,
> cable providers more heavily than cable providers.
>
> I'd say that AT&T represents a fair amount of the people served via cable
> internet.
>
> >
> > Regards,
> >
> > Eric Carroll
>
> --
> Matthew S. Hallacy FUBAR, LART, BOFH Certified
> http://www.poptix.net GPG public key 0x01938203
>
-------------------------
Joseph Barnhart
Florida Digital Turnpike
Network Administrator
http://www.fdt.net
http://www.agilitybb.net
-------------------------
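The CPE filter table quoted above, as an added example that is not part of the original thread: a small Python model of those rules, plus the separate upstream port-80 block Matthew mentions, so the direction and port-range semantics can be checked against sample flows. The rule entries are transcribed from the quoted message (not verified against AT&T's actual configuration), and the direction labels are assumed to be relative to the subscriber.

```python
from collections import namedtuple

# Rule fields: src/dst are (low, high) port ranges or ANY; direction is
# "Both" or "Inbound" (assumed to be seen from the subscriber's side);
# proto is "TCP" or "UDP".
Rule = namedtuple("Rule", "src dst direction proto")
ANY = None
NETBIOS = (137, 139)

# The CPE filter table as quoted in the thread (transcribed, not verified).
CPE_RULES = [
    Rule(NETBIOS, ANY, "Both", "UDP"),
    Rule(ANY, NETBIOS, "Both", "UDP"),
    Rule(NETBIOS, ANY, "Both", "TCP"),
    Rule(ANY, NETBIOS, "Both", "TCP"),
    Rule(ANY, (1080, 1080), "Inbound", "TCP"),
    Rule(ANY, (1080, 1080), "Inbound", "UDP"),
    Rule((68, 68), (67, 67), "Inbound", "UDP"),
    Rule((67, 67), (68, 68), "Inbound", "UDP"),
    Rule(ANY, (5000, 5000), "Inbound", "TCP"),
    Rule(ANY, (1243, 1243), "Inbound", "UDP"),
]

# The separate block applied further out in the network: port 80 inbound TCP.
NETWORK_RULES = [Rule(ANY, (80, 80), "Inbound", "TCP")]


def _port_in(rng, port):
    return rng is ANY or rng[0] <= port <= rng[1]


def is_blocked(rules, proto, direction, sport, dport):
    """True if some rule drops a flow with this protocol, direction and ports."""
    for r in rules:
        if r.proto != proto:
            continue
        if r.direction == "Inbound" and direction != "Inbound":
            continue  # "Both" rules match either direction
        if _port_in(r.src, sport) and _port_in(r.dst, dport):
            return True
    return False


def where_blocked(proto, direction, sport, dport):
    """Report which stage drops the flow: 'cpe', 'network', or 'allowed'."""
    if is_blocked(CPE_RULES, proto, direction, sport, dport):
        return "cpe"
    if is_blocked(NETWORK_RULES, proto, direction, sport, dport):
        return "network"
    return "allowed"
```

For instance, an inbound NetBIOS session to port 139 is dropped at the CPE, an inbound connection to port 80 passes the CPE but is dropped further out, and outbound web traffic is left alone.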