How to secure the Internet in three easy steps
Matthew S. Hallacy
poptix at techmonkeys.org
Mon Oct 28 01:42:10 UTC 2002
On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:
>
> Sean,
>
> At Home's policy was that servers were administratively forbidden. It
> ran proactive port scans to detect them (which of course were subject to
> firewall ACLs) and actioned them under a complex and changing rule set.
> It frequently left enforcement to the local partner depending on
> contractual arrangements. It did not block ports. Non-transparent
> proxing was used for http - you could opt out if you knew how.
>
> While many DSL providers have taken up filtering port 25, the cable
> industry practice is mostly to leave ports alone. I know of one large
Untrue, AT&T filters the following *on* the CPE:
Ports / Direction / Protocol
137-139 -> any Both UDP
any -> 137-139 Both UDP
137-139 -> any Both TCP
any -> 137-139 Both TCP
any -> 1080 Inbound TCP
any -> 1080 Inbound UDP
68 -> 67 Inbound UDP
67 -> 68 Inbound UDP
any -> 5000 Inbound TCP
any -> 1243 Inbound UDP
And they block port 80 inbound TCP further out in their network. Overall,
cable providers more heavily than cable providers.
I'd say that AT&T represents a fair amount of the people served via cable
internet.
>
> Regards,
>
> Eric Carroll
--
Matthew S. Hallacy FUBAR, LART, BOFH Certified
http://www.poptix.net GPG public key 0x01938203
More information about the NANOG
mailing list