North American Network Operators Group
Re: BCP for ISP to block worms at PEs and NAS
On Sun, 17 Apr 2005, J.D. Falk wrote:

> On 04/17/05, John Kristoff <[email protected]> wrote:
>
> > > deny tcp any any range 135 139
> > > deny udp any any range 135 netbios-ss
> > > deny tcp any any eq 445
> > > deny udp any any eq 1026
> >
> > Similar as before, you are going to be removing some legitimate
> > traffic.
>
> Is this really true? All of the ports listed above are used by
> LAN protocols that were never intended to communicate directly
> across backbone networks -- that's why VPNs were invented.

and people use them all the time across the real Internet :( It's dumb, we can argue about its 'correctness' or 'localness' or whatever until we are blue in the face, but people still do it.

> Or, is your argument that some system somewhere MIGHT ignore the
> official port numbers allocated by IANA and try to pass some
> other kind of traffic there instead?

Certainly, ssh over tcp/80 is common, other protocols can become agile as well... people SHOULD use the IANA port numbers, in practice they don't always abide by them :(

> > Perhaps set the rules to permit and log first, let it run for awhile
> > and then see what you'll be missing.
>
> Yep, this is always good advice. But don't give up just because
> of some naysayers rolling out the usual FUD. In the real world,
> security for the many outweighs the extremely unlikely edge cases
> of the few.

Or... use a system where your users can 'subscribe' to a 'better Internet' (define 'better Internet' as you like)
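As an added illustration of the "permit and log first" step discussed in the thread (this is not code from the original post or from any of the posters): a small Python script that takes IOS-style ACL log lines, here constructed as sample input, and reports which of the proposed deny entries would have dropped which logged flows, so an operator can see what legitimate traffic would be lost before turning the entries into denies.

```python
import re

# The ACL under discussion, as (proto, low_port, high_port). On Cisco IOS the
# keyword "netbios-ss" is udp/139, so "range 135 netbios-ss" covers 135-139.
WORM_ACL = [("tcp", 135, 139), ("udp", 135, 139), ("tcp", 445, 445), ("udp", 1026, 1026)]

# Constructed sample lines in the style of IOS %SEC-6-IPACCESSLOGP output from a
# permit-and-log ACL; these are invented flows, not captured traffic.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(49152) -> 198.51.100.5(445), 1 packet
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.11(49153) -> 198.51.100.5(445), 4 packets
%SEC-6-IPACCESSLOGP: list 101 permitted udp 192.0.2.12(137) -> 198.51.100.7(137), 2 packets
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.13(51000) -> 198.51.100.9(80), 10 packets
%SEC-6-IPACCESSLOGP: list 101 permitted udp 192.0.2.14(1026) -> 198.51.100.9(1026), 1 packet
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(49200) -> 198.51.100.6(139), 3 packets
"""

LOG_RE = re.compile(
    r"permitted (?P<proto>tcp|udp) (?P<src>[\d.]+)\(\d+\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packet"
)

def matching_rule(proto, dport):
    """Return the deny entry (proto, lo, hi) that would drop this flow, or None."""
    for rule in WORM_ACL:
        if rule[0] == proto and rule[1] <= dport <= rule[2]:
            return rule
    return None

def summarize(log_text):
    """Aggregate logged flows the deny entries would have dropped, keyed by entry."""
    summary = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ACL log line (or a malformed one); skip it
        rule = matching_rule(m["proto"], int(m["dport"]))
        if rule is None:
            continue  # still permitted once the deny entries go in
        entry = summary.setdefault(rule, {"packets": 0, "sources": set(), "destinations": set()})
        entry["packets"] += int(m["pkts"])
        entry["sources"].add(m["src"])
        entry["destinations"].add(m["dst"])
    return summary

if __name__ == "__main__":
    for rule, e in summarize(SAMPLE_LOG).items():
        print(f"deny {rule[0]} {rule[1]}-{rule[2]}: {e['packets']} packets from "
              f"{len(e['sources'])} sources to {len(e['destinations'])} destinations")
```

Real IOS log output also carries timestamps and sequence numbers in front of the message; the regex only anchors on the message body, so those prefixes do not matter.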