Application Layer Gateways
jfmezei_nanog at vaxination.ca
Sat Sep 23 17:33:19 UTC 2017
What you do with the CPE "firewall" settings depends on what sort of
ISP you are. Do you cater to geeks or aunts/grand mothers?
Whatever you do, I would suggest that you document in a place that is
easy for customers to find exactlyt what apps/protocols are open/closed
with the settings you've decided on (especially if it deviates from any
documentation available on the net for that device)
You could consider configuring it by default to protect the aunts and
grand mothers, but make sure geeks get the info on how to easily open
ports for their apps.
Also depends on what you block at the network level. If you block all
incoming calls to port 25, then blocking it at the CPE router won't add
much resilience against attacks as it is already blocked.
More information about the NANOG