Re: Customer-facing ACLs

  • From: Mark Foster
  • Date: Fri Mar 07 23:09:09 2008

Blocking port 25 outbound for dynamic users until they specifically request
it be unblocked seems to me to meet the "no undue burden" test; so would
port 22 and 23. Beyond that, I'd probably be hesitant until I either started
getting a significant number of abuse reports about a certain flavor of
traffic that I had reason to believe was used by only a tiny minority of my
own users.

Sorry, I must've missed something. Port 25 outbound (excepting ISP SMTP server) seems entirely logical to me.

Port 22 outbound? And 23? Telnet and SSH _outbound_ cause that much of a concern? I can only assume it's to stop clients' exploited boxen being used to anonymise further telnet/ssh attempts - but have to admit this discussion is the first I've heard of it being done 'en masse'.

It'd frustrate me if I jacked into a friend's Internet in order to do some legitimate SSH-based server administration, I imagine...

Is this not 'reaching' or is there a genuine benefit in blocking these ports as well?