How to secure the Internet in three easy steps
Joseph Barnhart
flaboy at fdt.net
Mon Oct 28 01:46:08 UTC 2002
Not really
On Sun, 27 Oct 2002, Matthew S. Hallacy wrote:
>
> On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:
> >
> > Sean,
> >
> > At Home's policy was that servers were administratively forbidden. It
> > ran proactive port scans to detect them (which of course were subject to
> > firewall ACLs) and actioned them under a complex and changing rule set.
> > It frequently left enforcement to the local partner depending on
> > contractual arrangements. It did not block ports. Non-transparent
> > proxing was used for http - you could opt out if you knew how.
> >
> > While many DSL providers have taken up filtering port 25, the cable
> > industry practice is mostly to leave ports alone. I know of one large
>
> Untrue, AT&T filters the following *on* the CPE:
>
> Ports / Direction / Protocol
>
> 137-139 -> any Both UDP
> any -> 137-139 Both UDP
> 137-139 -> any Both TCP
> any -> 137-139 Both TCP
> any -> 1080 Inbound TCP
> any -> 1080 Inbound UDP
> 68 -> 67 Inbound UDP
> 67 -> 68 Inbound UDP
> any -> 5000 Inbound TCP
> any -> 1243 Inbound UDP
>
> And they block port 80 inbound TCP further out in their network. Overall,
> cable providers more heavily than cable providers.
>
> I'd say that AT&T represents a fair amount of the people served via cable
> internet.
>
> >
> > Regards,
> >
> > Eric Carroll
>
> --
> Matthew S. Hallacy FUBAR, LART, BOFH Certified
> http://www.poptix.net GPG public key 0x01938203
>
-------------------------
Joseph Barnhart
Florida Digital Turnpike
Network Administrator
http://www.fdt.net
http://www.agilitybb.net
-------------------------
More information about the NANOG
mailing list