On Tue, Mar 18, 2008, Jon Lewis wrote:
> >The solution, of course, is to hire consultants (SIBR if possible) to port
> >everything to port 80!
>
> That's been going on for years. Back when it was common for ISPs to run
> squid servers and transparently proxy to them (probably around 2000), I
On Tue, 18 Mar 2008, Marshall Eubanks wrote:
If it becomes normal for home users to only have 80 and 443, then how can I
innovate and design something that needs a new protocol? What happens to
the new voice and video services, for example?
The DOD has already been faced with this (I know
On Mar 18, 2008, at 3:58 PM, Andy Davidson wrote:
On 7 Mar 2008, at 23:57, Scott Weeks wrote:
Might as well do TCP 20, 21 and 23, too. Whoa, that slope's
getting slippery!
Oh, no, this one again.
*** The Internet Is Not The Web. ***
Could someone put that onto a t-shirt?
If it becomes normal for home users to only have 80 and 443, th
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Scott Weeks
Sent: Wednesday, March 12, 2008 6:39 PM
To: nanog@merit.edu
Subject: RE: Customer-facing ACLs
--- [EMAIL PROTECTED] wrote:
We have a two-dozen line long ACL applied to our
--- [EMAIL PROTECTED] wrote:
We have a two-dozen line long ACL applied to our CMTS and BRAS blocking
Windows and "virus" ports and have never had a complaint or a problem. We
do have more sophisticated residential or large-biz customers ask, but
--
ts.
Frank
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Scott Weeks
Sent: Tuesday, March 11, 2008 9:35 PM
To: nanog@merit.edu
Subject: RE: Customer-facing ACLs
--- [EMAIL PROTECTED] wrote:
We have a two-dozen line long ACL applied t
I'd like to ask the same question of you that I just did to Chris.
How'd you implement that or has it been there since the network was new?
I would suggest a good resource is the MAAWG papers, and even though
you are stretched thin, consider attending a MAAWG meeting. MAAWG has
a lot of membe
--- [EMAIL PROTECTED] wrote:
uunet dialup has blocked port25 in both directions since 2002...
little to no complaints. (well, they may have received complaints
since I left, but... thank John StClair for the work behind that
filtering actually.)
I'd b
Apologies for the delay...
--- [EMAIL PROTECTED] wrote:
On Mon, 10 Mar 2008, Scott Weeks wrote:
> The default policy is we allow everything. It takes no explaining.
If you don't bother to explain to the same customers who you believe
couldn't figure out how to change the default settings,
On Tue, Mar 11, 2008 at 2:27 AM, Jo Rhett <[EMAIL PROTECTED]> wrote:
>
> Justin Shore wrote:
> > I'm assuming everyone uses uRPF at all their edges already so that
> > eliminates the need for specific ACEs with ingress/egress network
> > verification checks.
>
> ha. I only wish that was true
Justin Shore wrote:
I'm assuming everyone uses uRPF at all their edges already so that
eliminates the need for specific ACEs with ingress/egress network
verification checks.
ha. I only wish that was true.
We do filter all customer ports for IPs we believe from them, but darn
few other prov
Those using Google for SMTP can still use their ISP's SMTP servers for
outbound
Frank
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ang
Kah Yik
Sent: Monday, March 10, 2008 7:40 PM
To: Andy Dills
Cc: nanog@merit.edu
Subject: Re: Customer-fa
Cc: nanog@merit.edu
Subject: Re: Customer-facing ACLs
On Mon, 10 Mar 2008, Scott Weeks wrote:
> The hard part is I now always take over networks that have been in
> operation a long time and enabling these policies can be very painful
> after the fact. Establishing them when the network is new is a
>
Ang Kah Yik wrote:
However, considering the number of mobile workers out there who send
email via their laptops to corporate SMTP servers, won't blocking
outbound SMTP affect them?
After all, there are also those who frequently move from place to place
so they're going to have to keep chan
I've attempted to summarise the replies I found useful in the Wiki:
http://nanog.cluepon.net/index.php/MailTopics#Customer-Facing_ACLs
My personal observations:
* More information about what networks are doing would be nice!
* More data points about probes/scans/etc would be nice!
* Filtering t
On Mon, Mar 10, 2008 at 7:58 PM, Ang Kah Yik <[EMAIL PROTECTED]> wrote:
>
> Hi Justin (and all others on-list)
>
> I understand your grounds for blocking outbound SMTP for your customers
> (especially those on dynamic IP connections).
> It probably will do good to block infected customers that
On Mon, 10 Mar 2008, Scott Weeks wrote:
The default policy is we allow everything. It takes no explaining.
If you don't bother to explain to the same customers who you believe
couldn't figure out how to change the default settings, what the
risks and how to protect their computers on the Int
Hi Andy (and all who responded),
Thanks for the heads-up on the redirection on SMTP traffic. I've yet to
see an implementation of it but I agree that it's a possible solution.
As for the issue I raised previously, perhaps corporate users aren't a
good example but what about users of email ser
On Tue, 11 Mar 2008, Ang Kah Yik wrote:
>
> Hi Justin (and all others on-list)
>
> I understand your grounds for blocking outbound SMTP for your customers
> (especially those on dynamic IP connections).
> It probably will do good to block infected customers that are spewing spam all
> over the
On Mon, 10 Mar 2008, Scott Weeks wrote:
The hard part is I now always take over networks that have been in
operation a long time and enabling these policies can be very painful
after the fact. Establishing them when the network is new is a
different story.
Whatever you decide, whether you k
Long response with answers inline...
--- [EMAIL PROTECTED] wrote:---
> Might as well do TCP 20, 21 and 23, too. Whoa, that slope's getting slippery!
Depends on how you ask the questions.
How about: Should a stateful firewall be provided for casual broadband
dynamic
On Fri, 7 Mar 2008, Scott Weeks wrote:
To me there is no question of whether or not you filter traffic for
residential broadband customers.
SBC in my area (Dallas) went from wide open to outbound 25 blocked by
default/opened on request. I think doing the same thing with port 22 would
hardly be
Adrian Chadd wrote:
Does anyone have any handy links to actual raw data and papers about this?
I'm sure we've all got our own personal datapoints to support automated
network probes but I'd prefer to stuff something slightly more concrete
and official(!) into the Wiki.
SANS ISC might have som
Dave Pooser wrote:
Do bots try brute force attacks on Telnet and FTP? All I see at my firewall
are SSH attacks and spam. But sure, if there's a lot of Telnet abuse block
23 too; I think it's used about as rarely by "normal" customers as SSH is.
Depending on the ip space I find FTP brute forc
William Allen Simpson wrote:
Marshall Eubanks wrote:
I used to count the proportion of Mac laptops in the room (or, at
least, my row) to pass the time when I was bored.
I remember at the 1999 Washington IETF I saw exactly one, and I
could hear people whisper about it around me.
I used
Marshall Eubanks wrote:
I used to count the proportion of Mac laptops in the room (or, at least,
my row) to pass the time when I was bored.
I remember
at the 1999 Washington IETF I saw exactly one, and I
could hear people whisper about it around me.
I used to attend with various Power
On Sun, 9 Mar 2008, Randy Bush wrote:
> and i lived through duo, hinote, vaio, thinkpad, alienware, and now mac.
> i keep the alienware because it has real graphics, 1920x1024, as
> opposed to the mac.
There was a guy from Amazon at the San Jose meeting who'd transplanted an
u
definitely agree with supermicro, freebsd, zfs for servers. it rocks!
and i lived through duo, hinote, vaio, thinkpad, alienware, and now mac.
i keep the alienware because it has real graphics, 1920x1024, as
opposed to the mac.
on the alienware, i run winxp with cygwin as host, vmware, and the
> Macbook Pro (all of IANA (with one recent exception) use Macs of one form
> or another).
All of PCH uses MacBook Pros. Except Gaurab, who uses a MacBook Air. :-)
> > In the good ole days it seemed like 99% were PCs & maybe a couple were
> > reinstalled with some form of unix
Dave Pooser wrote:
I can understand the logic of dropping the port, but there's some
additional thought involved when looking at Port 22 - maybe i'm not
well-read enough, but the bots I've seen that are doing SSH scans, etc,
are not usually on Windows systems. I can figure them working on Linux,
On 3/9/08, Jason Lixfeld <[EMAIL PROTECTED]> wrote:
>
> So the overwhelming question for me is why? Is it simply the fact
> that the native *nix underpinnings are where most users (within the
> aforementioned demographic) spend most of their time anyway?
>
> That's what did it for me - repeat
my laptop, and both my desktops, run KDE. the underlying operating system
is usually something like opensuse (a linux distro) or pcbsd or desktopbsd
(which are freebsd distros). all i need from the OS is to support KDE well,
patch itself from a vendor mothership often, do suspend/resume and wire
So the overwhelming question for me is why? Is it simply the fact
that the native *nix underpinnings are where most users (within the
aforementioned demographic) spend most of their time anyway?
That's what did it for me - repeated attempts to get FreeBSD to run
stable on the Inspiron I
On Mar 9, 2008, at 3:21 PM, David Conrad wrote:
Hi,
On Mar 8, 2008, at 2:40 PM, William Norton wrote:
I was quite surprised to see the large number of Mac laptops at
NANOG 42. I didn't do a formal count but it seemed like about
1/4 to 1/3 of the laptops in use were Macs.
...You know,
i am moving to a macbook pro, or trying to, from a freebsd/winxp. but
why did they have to 'add value' by mucking with freebsd and breaking my
fingers? and whoever thought the mac screen was good never used my
alienware 1920x1024.
at the ipv4 econ meet on tasman last week, macs were in extreme
On Saturday 08 March 2008, Justin Shore wrote:
> What kind of customer-facing filtering do you do (ingress
> and egress)? This of course is dependent on the type of
> customer, so let's assume we're talking about an average
> residential customer.
We supply to mid-to-small ISP's mostly, and sizeab
I was quite surprised to see the large number of Mac laptops at
NANOG 42. I didn't do a formal count but it seemed like about 1/4
to 1/3 of the laptops in use were Macs.
...You know, now that you mention it, I was also quite impressed with
how many macbook pros there were in room as we
Dave Pooser wrote:
Half the Mac users? You think? I know a dozen or so sysadmins who use Macs,
[raises hand...]
and about a hundred users who wouldn't know SSH from PCP; I think that's
probably a slightly skewed sample considering I'm a Mac geek who hangs
around with Mac geeks, and I'd gues
s the port of
choice for all the undesired apps.
Frank
-Original Message-
From: Justin Shore [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 08, 2008 12:28 PM
To: [EMAIL PROTECTED]
Cc: 'Mark Foster'; Dave Pooser; nanog@merit.edu
Subject: Re: Customer-facing ACLs
It varies wide
It varies widely. I see some extremely slow scans (1 SYN every 2-5
minutes). This is what someone on the SANS ISC page mentioned I believe.
I've also seen scans last for up to 10 minutes. The consistency of the
speeds made me think that perhaps the scanning computer was on a slow link.
T
Mark Foster wrote:
Port 22 outbound? And 23? Telnet and SSH _outbound_ cause that much of
a concern? I can only assume it's to stop clients' exploited boxen being
used to anonymise further telnet/ssh attempts - but have to admit this
discussion is the first i've heard of it being done 'en ma
To: [EMAIL PROTECTED]
Cc: 'Mark Foster'; Dave Pooser; nanog@merit.edu
Subject: Re: Customer-facing ACLs
Frank Bulk wrote:
> The last few spam incidents I measured an outflow of about 2 messages per
> second. Does anyone know how aggressive Telnet and SSH scanning is? Even
> if it was greater,
On Sat, Mar 08, 2008, Mark Foster wrote:
>
> To me, at least half the users likely to be running either Linux or Mac
> are going to be the same users who're going to request they be allowed
> outbound SSH. Is the blocking of outbound SSH considered to be
> sufficiently useful that we're ad
> I can understand the logic of dropping the port, but there's some
> additional thought involved when looking at Port 22 - maybe i'm not
> well-read enough, but the bots I've seen that are doing SSH scans, etc,
> are not usually on Windows systems. I can figure them working on Linux,
> MacOS syste
On Sat, 8 Mar 2008, Dave Pooser wrote:
Port 22 outbound? And 23? Telnet and SSH _outbound_ cause that much of a
concern? I can only assume it's to stop clients' exploited boxen being used
to anonymise further telnet/ssh attempts - but have to admit this
discussion is the first i've heard of
> Port 22 outbound? And 23? Telnet and SSH _outbound_ cause that much of a
> concern? I can only assume it's to stop clients' exploited boxen being used
> to anonymise further telnet/ssh attempts - but have to admit this
> discussion is the first i've heard of it being done 'en masse'.
On one tes
it
a threshold.
I don't even bother to log telnet attempts anymore so I can't say much
about that.
Frank
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
Foster
Sent: Friday, March 07, 2008 10:02 PM
To: Dave Pooser
Cc: nanog@merit.ed
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
Foster
Sent: Friday, March 07, 2008 10:02 PM
To: Dave Pooser
Cc: nanog@merit.edu
Subject: Re: Customer-facing ACLs
> Blocking port 25 outbound for dynamic users until they specifically
request
> it be unbl
Dave Pooser wrote:
To me there is no question of whether or not you filter traffic for
residential broadband customers.
SBC in my area (Dallas) went from wide open to outbound 25 blocked by
default/opened on request. I think doing the same thing with port 22 would
also people who do real wor
Blocking port 25 outbound for dynamic users until they specifically request
it be unblocked seems to me to meet the "no undue burden" test; so would
port 22 and 23. Beyond that, I'd probably be hesitant until I either started
getting a significant number of abuse reports about a certain flavor o
> Just straight up blocking outbound ports (with the debatable exception of
> port 25) seems heavy handed and too slanted toward admin convenience over
> customer satisfaction. It's a slippery slope because unlike with spam,
> people who are affected by brute force attacks have some degree of
> co
On Fri, Mar 07, 2008, Justin Shore wrote:
>
> Scott Weeks wrote:
> >We need to take this off-line. All long-timers are groaning, rolling
> >their eyes and putting this in their kill file.
>
> Are the long-timers groaning and ignoring this thread? I certainly hope
> not. It's threads like th
On Fri, 7 Mar 2008, Dave Pooser wrote:
>
> > Might as well do TCP 20, 21 and 23, too. Whoa, that slope's getting
> > slippery!
>
> Do bots try brute force attacks on Telnet and FTP? All I see at my firewall
> are SSH attacks and spam. But sure, if there's a lot of Telnet abuse block
> 23 too;
Scott Weeks wrote:
We need to take this off-line. All long-timers are groaning, rolling their
eyes and putting this in their kill file.
Are the long-timers groaning and ignoring this thread? I certainly hope
not. It's threads like these that need the benefit of their experience
the most.
- -- "Scott Weeks" <[EMAIL PROTECTED]> wrote:
>We need to take this off-line. All long-timers are groaning, rolling
>their eyes and putting this in their kill file.
>
>Try convincing your product managers to create a new product just to
>appease '
--- [EMAIL PROTECTED] wrote:
That's the problem, isn't it? Who decides what can and can't go through? I think
the tier approach is better: a basic user account where everything is blocked
and a sysadmin-type account where everything is open. If the price is different
enough then only people wh
> Might as well do TCP 20, 21 and 23, too. Whoa, that slope's getting slippery!
Do bots try brute force attacks on Telnet and FTP? All I see at my firewall
are SSH attacks and spam. But sure, if there's a lot of Telnet abuse block
23 too; I think it's used about as rarely by "normal" customers a
hose extra ports will actually
pay for it.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Weeks
Sent: Friday, March 07, 2008 5:57 PM
To: nanog@merit.edu
Subject: Re: Customer-facing ACLs
--- [EMAIL PROTECTED] wrote:
> To me there is no questi
> To me there is no question of whether or not you filter traffic for
> residential broadband customers.
SBC in my area (Dallas) went from wide open to outbound 25 blocked by
default/opened on request. I think doing the same thing with port 22 would
hardly be an undue burden on users, and would h
Scott Weeks wrote:
fire + gasoline = religious argument on this issue that we've had *many* times
in the past... ;-)
I wore my flame-retardant tidy whiteys today though so I'm prepared. :-)
I can understand the problem from both camps. As a tech-savvy user I
don't want my provider to fil
2:44 PM
To: Justin M. Streiner
Cc: NANOG
Subject: Re: Customer-facing ACLs
Justin M. Streiner wrote:
> I do recall weighing the merits of extending that to drop outbound SMTP
> to everything except our mail farm, but it wasn't deployed because there
> was a great deal of fear of c
---
> What kind of customer-facing filtering do you do (ingress and
> egress)? This of course is dependent on the type of customer, so
> let's assume we're talking about an average residential customer.
---
From a por
On Mar 7, 2008, at 12:55 PM, Justin Shore wrote:
This question will probably get lost in the Friday afternoon lull
but we'll give it a try anyway.
What kind of customer-facing filtering do you do (ingress and
egress)? This of course is dependent on the type of customer, so
let's assume
Subject: Re: Customer-facing ACLs
[EMAIL PROTECTED] wrote:
> On Fri, 07 Mar 2008 13:55:05 CST, Justin Shore said:
>
>> I'm assuming everyone uses uRPF at all their edges already so that
>> eliminates the need for specific ACEs with ingress/egress network
>> verification checks.
Justin M. Streiner wrote:
I do recall weighing the merits of extending that to drop outbound SMTP
to everything except our mail farm, but it wasn't deployed because there
was a great deal of fear of customer backlash and that it would drive more
calls into the call center.
This seems to be ver
On Fri, Mar 07, 2008 at 01:55:05PM -0600, Justin Shore wrote:
> What kind of customer-facing filtering do you do (ingress and egress)?
> This of course is dependent on the type of customer, so let's assume
> we're talking about an average residential customer.
...
As part of a recent measurement
I would *love* to be able to run uRPF on all of our edge devices, but we
use Cisco ME3400s, 3550s, 3560s and they don't support it. :-(
[EMAIL PROTECTED] wrote:
On Fri, 07 Mar 2008 13:55:05 CST, Justin Shore said:
I'm assuming everyone uses uRPF at all their edges already so that
eliminates the need for specific ACEs with ingress/egress network
verification checks.
You're new here, aren't you? :)
Hopefully optimistic. Do
On Fri, 07 Mar 2008 13:55:05 CST, Justin Shore said:
> I'm assuming everyone uses uRPF at all their edges already so that
> eliminates the need for specific ACEs with ingress/egress network
> verification checks.
You're new here, aren't you? :)
On Fri, 7 Mar 2008, Justin Shore wrote:
Do you block any customer-facing egress traffic at all? What about ingress?
SMTP, NetBIOS, MS-SQL, common proxy ports (3128, 6588)?
What ICMP types do you allow or disallow?
In my previous life, I worked at a mid-sized ISP. A common practice for
br