North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Customer-facing ACLs

  • From: Sean Donelan
  • Date: Mon Mar 10 13:07:15 2008

On Fri, 7 Mar 2008, Scott Weeks wrote: 
To me there is no question of whether or not you filter traffic for
residential broadband customers.


SBC in my area (Dallas) went from wide open to outbound 25 blocked by
default/opened on request. I think doing the same thing with port 22 would
hardly be an undue burden on users, and would help keep botnets in check.
------------------------------------------------

Might as well do TCP 20, 21 and 23, too. Woah, that slope's getting slippery!


Depends on how you ask the questions.

How about: Should a statefull firewall be provided for casual broadband dynamic Internet access connections by default? Users may change the default settings of the stateful firewall as they choose.
1. Unsolicited inbound (to user LAN) traffic

Are there LAN-only protocols and other data packets which shouldn't be accepted on WAN Internet access links without prior coordination (if ever)?
1. Anti-spoofing controls of source addresses
2. Proxy/gratitious ARP, ICMP redirects, DHCP server->client, RIP?
3. "Local" multicast data and broadcasts
4. "Sanity" checks of IP headers (i.e. source==destination,
loopback, etc) which should never appear on the wire
5. Layer 2 non-Internet (non-IP, non-IPv6, non-ARP, non-PPPOE)

Are there some protocols that should have prior coordination when using some Internet access types, e.g. dynamic or unauthenticated connections?
1. outbound to off-net SMTP (port 25) instead of MSA (port 587)
2. NetBios over TCP, the exploding Microsoft protocol?