nanog mailing list archives
Re: How to secure the Internet in three easy steps
From: dgold <dgold () FDFNet Net>
Date: Tue, 29 Oct 2002 11:49:20 -0600 (CST)
Blocking ports 137-139 is of great benefit to the vast majority of their customers. It is also of benefit to AT&T, as it cuts down on support calls. Of course, documenting this would be good.

- Daniel Golding

On Sun, 27 Oct 2002, Joe wrote:

> I second that. AT&T blocks ports (depending where you are) but won't come right out and say it. On a call to them over a year ago while testing DSL versus Cable in San Jose, it took almost an hour to get them to admit that they were blocking ports 137-139, and even then there was no formal acknowledgement of this blocking. If I was a betting man, which I'm not, I'd bet on them blocking udp 53 as well. No standard as I see it, depends on the child company managing the cable service.
>
> Just my 2¢s tho
>
> -Joe
>
> ----- Original Message -----
> From: "Joseph Barnhart" <flaboy () fdt net>
> To: "Matthew S. Hallacy" <poptix () techmonkeys org>
> Cc: <nanog () merit edu>
> Sent: Sunday, October 27, 2002 8:46 PM
> Subject: Re: How to secure the Internet in three easy steps
>
> > Not really
> >
> > On Sun, 27 Oct 2002, Matthew S. Hallacy wrote:
> >
> > > On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:
> > > > Sean,
> > > >
> > > > At Home's policy was that servers were administratively forbidden. It ran proactive port scans to detect them (which of course were subject to firewall ACLs) and actioned them under a complex and changing ruleset. It frequently left enforcement to the local partner depending on contractual arrangements. It did not block ports. Non-transparent proxying was used for http - you could opt out if you knew how.
> > > >
> > > > While many DSL providers have taken up filtering port 25, the cable industry practice is mostly to leave ports alone. I know of one large
> > >
> > > Untrue, AT&T filters the following *on* the CPE:
> > >
> > > Ports            Direction  Protocol
> > > 137-139 -> any   Both       UDP
> > > any -> 137-139   Both       UDP
> > > 137-139 -> any   Both       TCP
> > > any -> 137-139   Both       TCP
> > > any -> 1080      Inbound    TCP
> > > any -> 1080      Inbound    UDP
> > > 68 -> 67         Inbound    UDP
> > > 67 -> 68         Inbound    UDP
> > > any -> 5000      Inbound    TCP
> > > any -> 1243      Inbound    UDP
> > >
> > > And they block port 80 inbound TCP further out in their network.
> > >
> > > > Overall, cable providers more heavily than cable providers.
> > >
> > > I'd say that AT&T represents a fair amount of the people served via cable internet.
> > >
> > > > Regards,
> > > >
> > > > Eric Carroll
> > >
> > > --
> > > Matthew S. Hallacy    FUBAR, LART, BOFH Certified
> > > http://www.poptix.net    GPG public key 0x01938203
> >
> > -------------------------
> > Joseph Barnhart
> > Florida Digital Turnpike
> > Network Administrator
> > http://www.fdt.net
> > http://www.agilitybb.net
> > -------------------------