North American Network Operators Group

Re: How to secure the Internet in three easy steps
Blocking ports 137-139 is of great benefit to the vast majority of their
customers. It is also of benefit to AT&T, as it cuts down on support calls.
Of course, documenting this would be good.

- Daniel Golding

On Sun, 27 Oct 2002, Joe wrote:

> I Second that.
>
> AT&T blocks ports (depending where you are) but won't come
> right out and say it. On a call to them over a year ago
> while testing DSL versus Cable in San Jose, it took almost an hour to get
> them to admit that they were blocking ports 137-139, and even then there
> was no formal acknowledgement of this blocking.
> If I was a betting man, which I'm not, I'd bet on them blocking udp 53 as
> well.
>
> No standard as I see it, depends on the child company managing the cable
> service.
>
> Just my 2¢s tho
> -Joe
>
> ----- Original Message -----
> From: "Joseph Barnhart" <[email protected]>
> To: "Matthew S. Hallacy" <[email protected]>
> Cc: <[email protected]>
> Sent: Sunday, October 27, 2002 8:46 PM
> Subject: Re: How to secure the Internet in three easy steps
>
> > Not really
> >
> > On Sun, 27 Oct 2002, Matthew S. Hallacy wrote:
> >
> > > On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:
> > > >
> > > > Sean,
> > > >
> > > > At Home's policy was that servers were administratively forbidden. It
> > > > ran proactive port scans to detect them (which of course were subject to
> > > > firewall ACLs) and actioned them under a complex and changing rule set.
> > > > It frequently left enforcement to the local partner depending on
> > > > contractual arrangements. It did not block ports. Non-transparent
> > > > proxying was used for http - you could opt out if you knew how.
> > > >
> > > > While many DSL providers have taken up filtering port 25, the cable
> > > > industry practice is mostly to leave ports alone. I know of one large
> > >
> > > Untrue, AT&T filters the following *on* the CPE:
> > >
> > > Ports / Direction / Protocol
> > >
> > > 137-139 -> any      Both     UDP
> > > any -> 137-139      Both     UDP
> > > 137-139 -> any      Both     TCP
> > > any -> 137-139      Both     TCP
> > > any -> 1080         Inbound  TCP
> > > any -> 1080         Inbound  UDP
> > > 68 -> 67            Inbound  UDP
> > > 67 -> 68            Inbound  UDP
> > > any -> 5000         Inbound  TCP
> > > any -> 1243         Inbound  UDP
> > >
> > > And they block port 80 inbound TCP further out in their network. Overall,
> > > cable providers more heavily than cable providers.
> > >
> > > I'd say that AT&T represents a fair amount of the people served via cable
> > > internet.
> > >
> > > > Regards,
> > > >
> > > > Eric Carroll
> > >
> > > --
> > > Matthew S. Hallacy                   FUBAR, LART, BOFH Certified
> > > http://www.poptix.net                GPG public key 0x01938203
> >
> > -------------------------
> > Joseph Barnhart
> > Florida Digital Turnpike
> > Network Administrator
> > http://www.fdt.net
> > http://www.agilitybb.net
> > -------------------------