Re: How to secure the Internet in three easy steps

[dgold <dgold () FDFNet Net>]

Blocking ports 137-139 is of great benefit to the vast majority of their
customers. It is also of benefit to AT&T, as it cuts down on support
calls. Of course, documenting this would be good.

- Daniel Golding

On Sun, 27 Oct 2002, Joe wrote:

> I Second that.
>
> AT&T  blocks ports (depending where you are) but won't come
> right out and say it. On a call to them over a year ago
> while testing DSL versus Cable in San Jose, it took almost an hour to get
> them to admit that they were blocking ports 137-139, and even then there
> was no formal acknowledgement of this blocking.
> If I was a betting man, which I'm not, I'd bet on them blocking udp 53 as
> well.
>
> No standard as I see it, depends on the child company managing the cable
> service.
>
> Just my  2?s tho
> -Joe
>
> ----- Original Message -----
> From: "Joseph Barnhart" <flaboy () fdt net>
> To: "Matthew S. Hallacy" <poptix () techmonkeys org>
> Cc: <nanog () merit edu>
> Sent: Sunday, October 27, 2002 8:46 PM
> Subject: Re: How to secure the Internet in three easy steps
>
>
> > Not really
> >
> > On Sun, 27 Oct 2002, Matthew S. Hallacy wrote:
> >
> > > On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:
> > > > Sean,
> > > >
> > > > At Home's policy was that servers were administratively forbidden. It
> > > > ran proactive port scans to detect them (which of course were subject
> to
> > > > firewall ACLs) and actioned them under a complex and changing rule
> set.
> > > > It frequently left enforcement to the local partner depending on
> > > > contractual arrangements. It did not block ports. Non-transparent
> > > > proxing was used for http - you could opt out if you knew how.
> > > >
> > > > While many DSL providers have taken up filtering port 25, the cable
> > > > industry practice is mostly to leave ports alone. I know of one large
> > >
> > > Untrue, AT&T filters the following *on* the CPE:
> > >
> > > Ports  / Direction / Protocol
> > >
> > > 137-139 -> any Both UDP
> > > any -> 137-139 Both UDP
> > > 137-139 -> any Both TCP
> > > any -> 137-139 Both TCP
> > > any -> 1080 Inbound TCP
> > > any -> 1080 Inbound UDP
> > > 68 -> 67    Inbound UDP
> > > 67 -> 68    Inbound UDP
> > > any -> 5000 Inbound TCP
> > > any -> 1243 Inbound UDP
> > >
> > > And they block port 80 inbound TCP further out in their network.
> Overall,
> > > cable providers more heavily than cable providers.
> > >
> > > I'd say that AT&T represents a fair amount of the people served via
> cable
> > > internet.
> > >
> > > > Regards,
> > > >
> > > > Eric Carroll
> > >
> > > --
> > > Matthew S. Hallacy                            FUBAR, LART, BOFH
> Certified
> > > http://www.poptix.net                           GPG public key
> 0x01938203
> > >
> >
> >
> >
> > -------------------------
> > Joseph Barnhart
> > Florida Digital Turnpike
> > Network Administrator
> > http://www.fdt.net
> > http://www.agilitybb.net
> > -------------------------