[79883] in North American Network Operators' Group


Re: BCP for ISP to block worms at PEs and NAS

daemon@ATHENA.MIT.EDU (J.D. Falk)
Sun Apr 17 16:04:23 2005

Date: Sun, 17 Apr 2005 13:00:30 -0700
From: "J.D. Falk" <jdfalk@cybernothing.org>
To: nanog@merit.edu
In-Reply-To: <20050417190407.68054136C82@aharp.ittns.northwestern.edu>
Errors-To: owner-nanog@merit.edu


On 04/17/05, John Kristoff <jtk@northwestern.edu> wrote: 

> >  deny   tcp any any range 135 139
> >  deny   udp any any range 135 netbios-ss
> >  deny   tcp any any eq 445
> >  deny   udp any any eq 1026
> 
> Similar as before, you are going to be removing some legitimate
> traffic.

	Is this really true?  All of the ports listed above are used by
	LAN protocols that were never intended to communicate directly 
	across backbone networks -- that's why VPNs were invented.

	Or, is your argument that some system somewhere MIGHT ignore the
	official port numbers allocated by IANA and try to pass some
	other kind of traffic there instead?

> Perhaps set the rules to permit and log first, let it run for a while
> and then see what you'll be missing.

	Yep, this is always good advice.  But don't give up just because
	of some naysayers rolling out the usual FUD.  In the real world, 
	security for the many outweighs the extremely unlikely edge cases 
	of the few.

-- 
J.D. Falk                           As a carpenter bends the seat of a chariot
<jdfalk@cybernothing.org>                    I bend this frenzy round my heart.
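The "permit and log first" step that the reply endorses is only useful if someone actually reads the resulting logs. Below is an added example, not part of the original thread or anything the posters wrote, that summarises Cisco IOS `%SEC-6-IPACCESSLOGP` messages from a `permit ... log` ACL mirroring the proposed deny entries (tcp/udp 135-139, tcp 445, udp 1026). It assumes the standard IOS log line format; the log lines, addresses and the ACL number 101 are constructed samples. The split between sources that sweep many destinations on one port and sources that talk to only one or two peers is the author's heuristic for deciding what is worm noise and what merits a look before the deny goes in.

```python
"""Summarise permit+log ACL hits before converting the entries to deny.

Assumed IOS ACL whose hits are being reviewed (hypothetical, list 101):
    access-list 101 permit tcp any any range 135 139 log
    access-list 101 permit udp any any range 135 netbios-ss log
    access-list 101 permit tcp any any eq 445 log
    access-list 101 permit udp any any eq 1026 log
    access-list 101 permit ip any any
"""
import re
from collections import Counter, defaultdict

# Ports from the proposed deny rules; netbios-ss is the IOS name for port 139.
WATCHED = {
    "tcp": set(range(135, 140)) | {445},
    "udp": set(range(135, 140)) | {1026},
}

# Standard IOS %SEC-6-IPACCESSLOGP shape: "list N permitted tcp a.b.c.d(sport) -> w.x.y.z(dport), K packets"
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(1033) -> 198.51.100.1(445), 1 packet
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(1034) -> 198.51.100.2(445), 1 packet
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(1035) -> 198.51.100.3(445), 1 packet
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(1036) -> 198.51.100.4(445), 1 packet
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.5(3201) -> 198.51.100.20(139), 12 packets
%SEC-6-IPACCESSLOGP: list 101 permitted udp 203.0.113.7(1026) -> 198.51.100.21(1026), 1 packet
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.9(4411) -> 198.51.100.30(80), 5 packets
"""


def parse_line(line):
    """Return a dict for one ACL log line, or None if it is not an ACL log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for field in ("sport", "dport", "count"):
        rec[field] = int(rec[field])
    return rec


def summarize(lines):
    """Aggregate hits on watched ports.

    Returns (hits, packets): hits maps (proto, dport) -> {src: {dst, ...}},
    packets maps (proto, dport) -> total packet count.
    """
    hits = defaultdict(lambda: defaultdict(set))
    packets = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in WATCHED[rec["proto"]]:
            continue
        key = (rec["proto"], rec["dport"])
        hits[key][rec["src"]].add(rec["dst"])
        packets[key] += rec["count"]
    return hits, packets


def classify(hits, sweep_threshold=3):
    """Split sources per port into 'sweeping' (>= sweep_threshold distinct
    destinations, the worm-like pattern) and 'pairwise' (a handful of peers,
    possibly a legitimate session worth checking before the deny is applied)."""
    sweeping, pairwise = {}, {}
    for key, by_src in hits.items():
        for src, dsts in by_src.items():
            bucket = sweeping if len(dsts) >= sweep_threshold else pairwise
            bucket.setdefault(key, {})[src] = sorted(dsts)
    return sweeping, pairwise


if __name__ == "__main__":
    hits, packets = summarize(SAMPLE_LOG.splitlines())
    sweeping, pairwise = classify(hits)
    for key in sorted(packets):
        print(f"{key[0]}/{key[1]}: {packets[key]} packets, "
              f"{len(hits[key])} source(s)")
    print("sweeping sources (likely worm):", sweeping)
    print("pairwise sources (review before deny):", pairwise)
```

Run it against a syslog export from the router for a representative period; anything that lands in the "pairwise" bucket is the legitimate traffic the quoted message warns about, and is what to reconcile with customers before flipping the entries to `deny`.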
