BCP for ISP to block worms at PEs and NAS

• Previous message (by thread): BCP for ISP to block worms at PEs and NAS
• Next message (by thread): BCP for ISP to block worms at PEs and NAS
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 04/17/05, John Kristoff <jtk at northwestern.edu> wrote: 

> >  deny   tcp any any range 135 139
> >  deny   udp any any range 135 netbios-ss
> >  deny   tcp any any eq 445
> >  deny   udp any any eq 1026
> 
> Similar as before, you are going to be removing some legitimate
> traffic.

	Is this really true?  All of the ports listed above are used by
	LAN protocols that were never intended to communicate directly 
	across backbone networks -- that's why VPNs were invented.

	Or, is your argument that some system somewhere MIGHT ignore the
	offical port numbers allocated by IANA and try to pass some
	other kind of traffic there instead?

> Perhaps set the rules to permit and log first, let it run for awhile
> and then see what you'll be missing.

	Yep, this is always good advice.  But don't give up just because
	of some naysayers rolling out the usual FUD.  In the real world, 
	security for the many outweighs the extremely unlikely edge cases 
	of the few.

-- 
J.D. Falk                           As a carpenter bends the seat of a chariot
<jdfalk at cybernothing.org>                    I bend this frenzy round my heart.

• Previous message (by thread): BCP for ISP to block worms at PEs and NAS
• Next message (by thread): BCP for ISP to block worms at PEs and NAS
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]