Application Layer Gateways
Colton Conor
colton.conor at gmail.com
Sat Sep 23 14:13:33 UTC 2017
So you do recommend we disable them all? Just not sure why big vendors like
Alcatel and Comtrend would have them enabled by default if they do more
harm than good?
On Thu, Sep 21, 2017 at 11:02 PM, Ca By <cb.list6 at gmail.com> wrote:
>
> On Thu, Sep 21, 2017 at 8:12 PM Colton Conor <colton.conor at gmail.com>
> wrote:
>
>> Working with an ISP, we recently deployed Comtrend VDSL routers, and
>> Alcatel-Lucent GPON ONTs. Both of these devices uses chipsets made by
>> Broadcom, and as such probably use the same underlying Broadcom operating
>> system if I had to guess. They are different chipsets though as one is
>> from
>> VDSL2, and the other for GPON
>>
>> By default, the Comtrend had the following Firewall -- ALG/Pass-Throughs
>> enabled:
>>
>> FTP
>> H323
>> IPSec
>> IRC
>> PPTP
>> RTSP
>> SIP
>> TFTP
>>
>> On the Acatel-Lucent (Nokia) ONT, the following came enabled by default
>> from the factory:
>>
>> FTP
>> H323
>> IPSEC
>> L2TP
>> PPTP
>> RTSP
>> SIP
>> TFTP
>>
>>
>> The only difference between these two is the Comtrend has an IRC as a ALG,
>> and Acatel has L2TP as a protocol type. The other seven ALG protocols as
>> the same.
>>
>> My question is in general, is it a good idea to disable all Application
>> Layer Gateways?
>>
>
> Yes. ALG are frequently too smart for their own good.
>
>
>
>> The only ALG I have had experience with was a SIP ALG. Almost all SIP
>> providers strongly recommend you disable SIP ALGs as it does more harm and
>> breaks more things than it does good, so we always disable SIP ALG. But
>> what about the other protocols on these two? Do you think they should be
>> enabled or disabled by default?
>>
>> I am leaning towards disabling them all for our standard config.
>>
>
More information about the NANOG
mailing list