On Thu, Sep 21, 2017 at 8:12 PM Colton Conor <colton.co...@gmail.com> wrote:
> Working with an ISP, we recently deployed Comtrend VDSL routers, and
> Alcatel-Lucent GPON ONTs. Both of these devices use chipsets made by
> Broadcom, and as such probably use the same underlying Broadcom operating
> system if I had to guess. They are different chipsets though, as one is for
> VDSL2 and the other for GPON.
>
> By default, the Comtrend had the following Firewall -- ALG/Pass-Throughs
> enabled:
>
> FTP
> H323
> IPSec
> IRC
> PPTP
> RTSP
> SIP
> TFTP
>
> On the Alcatel-Lucent (Nokia) ONT, the following came enabled by default
> from the factory:
>
> FTP
> H323
> IPSEC
> L2TP
> PPTP
> RTSP
> SIP
> TFTP
>
>
> The only difference between these two is the Comtrend has IRC as an ALG,
> and Alcatel has L2TP as a protocol type. The other seven ALG protocols are
> the same.
>
> My question is, in general, is it a good idea to disable all Application
> Layer Gateways?
>

Yes. ALGs are frequently too smart for their own good.

> The only ALG I have had experience with was a SIP ALG. Almost all SIP
> providers strongly recommend you disable SIP ALGs as it does more harm and
> breaks more things than it does good, so we always disable SIP ALG. But
> what about the other protocols on these two? Do you think they should be
> enabled or disabled by default?
>
> I am leaning towards disabling them all for our standard config.
>