Providers removing blocks on port 135?

Owen DeLong owen at delong.com
Fri Sep 19 17:49:17 UTC 2003


> I disagree.  In my opinion an NSP shouldn't filter traffic unless one of
> its customers requests it.  However I strongly believe that an ISP (where
> its customers are Joe Blow average citizen and Susy Homemaker) should
> take every reasonable step to protect its users from malicious traffic
> and that includes filtering ports.  For example I have no reservation
> about NATing basic dialup users.  I also have no problem with filtering
> ports for services they shouldn't be running on a dialup connection (HTTP,
> FTP, DNS) or for services that IMHO have no business on the public
> internet (including every single Microsoft port I can identify).  To not
> do so is IMHO to run a network in an extremely negligent manner.
>
Why do you get to decide that I can't, from a hotel room, call my ISP and
put up a web server on my dialup connection so someone behind a firewall
can retrieve a document I desperately need to get to them?  Why _SHOULDN'T_
I run a web server to do this over a dialup connection?  Why do you get
to dictate to _ANYONE_ what things they can and can't do with their most
portable internet access?  How can you say that it is negligent to refuse
to DOS your customers unless they request it?  (Blocking traffic to me
that I want is every bit as much a denial of service as flooding my link.)

> We do this very thing with email.  We filter known malicious messages,
> attachments, and spam from email.  I don't think there's a reasonable
> person among us that can complain about that.  Why not do it to network
> traffic then?  If we should allow every bit of traffic to pass unmolested
> by ACLs then we should allow all email to pass by unmolested by
> anti-virus  and spam checks.  It's a two-way street.
>

I leave it to the community to decide whether I am a reasonable person or
not, but, generally, I tend to think that I am viewed as such.
However, I would complain about the practices you describe above
if I were your customer.  If I ask you to filter SPAM, fine.  If I ask you not
to filter SPAM, then I should receive every email addressed to me.  If I
cannot, then I won't be your customer.  As far as I'm concerned, if an ISP
wants to run anti-virus or spam-checks, they should run them as an opt-in
value-added service, _NOT_ as a "we're deleting your mail for you whether
you like it or not" thing.

>> On the other hand, what's a provider to do when their access hardware
>> can't deal with a pathological set of flows or arp entries? There isn't
[snip]
>
> A good point.

Yes.  I responded to this in a previous post.  We must do what we must do
temporarily to keep things running.  However, breaking the net is not a long
term solution.  We must work to solve the underlying problem or it just becomes
an arms-race where eventually, no services are useful.


Owen
