Re: Customer-facing ACLs

2008-03-18 Thread Andy Davidson
On 7 Mar 2008, at 23:57, Scott Weeks wrote: Might as well do TCP 20, 21 and 23, too. Woah, that slope's getting slippery! Oh, no, this one again. *** The Internet Is Not The Web. *** Could someone put that onto a t-shirt ? If it becomes normal for home users to only have 80 and 443,

Re: Customer-facing ACLs

2008-03-18 Thread Marshall Eubanks
On Mar 18, 2008, at 3:58 PM, Andy Davidson wrote: On 7 Mar 2008, at 23:57, Scott Weeks wrote: Might as well do TCP 20, 21 and 23, too. Woah, that slope's getting slippery! Oh, no, this one again. *** The Internet Is Not The Web. *** Could someone put that onto a t-shirt ? If it

Re: Customer-facing ACLs

2008-03-18 Thread Jon Lewis
On Tue, 18 Mar 2008, Marshall Eubanks wrote: If it becomes normal for home users to only have 80 and 443, then how can I innovate and design something that needs a new protocol ? What happens to the new voice and video services for example ? The DOD has already been faced with this (I know

Re: Customer-facing ACLs

2008-03-18 Thread Adrian Chadd
On Tue, Mar 18, 2008, Jon Lewis wrote: The solution, of course, is to hire consultants (SIBR if possible) to port everything to port 80 ! That's been going on for years. Back when it was common for ISPs to run squid servers and transparently proxy to them (probably around 2000), I ran

RE: Customer-facing ACLs

2008-03-12 Thread Scott Weeks
--- [EMAIL PROTECTED] wrote: We have a two-dozen line long ACL applied to our CMTS and BRAS blocking Windows and virus ports and have never had a complaint or a problem. We do have more sophisticated residential or large-biz customers ask, but

RE: Customer-facing ACLs

2008-03-12 Thread Frank Bulk - iNAME
PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Weeks Sent: Wednesday, March 12, 2008 6:39 PM To: nanog@merit.edu Subject: RE: Customer-facing ACLs --- [EMAIL PROTECTED] wrote: We have a two-dozen line long ACL applied to our CMTS and BRAS blocking Windows and virus

Re: Customer-facing ACLs

2008-03-11 Thread JC Dill
Google for SMTP can still use their ISP's SMTP servers for outbound Frank -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ang Kah Yik Sent: Monday, March 10, 2008 7:40 PM To: Andy Dills Cc: nanog@merit.edu Subject: Re: Customer-facing ACLs Hi Andy

Re: Customer-facing ACLs

2008-03-11 Thread Jo Rhett
Justin Shore wrote: I'm assuming everyone uses uRPF at all their edges already so that eliminates the need for specific ACEs with ingress/egress network verification checks. ha. I only wish that was true. We do filter all customer ports for IPs we believe from them, but darn few other

Re: Customer-facing ACLs

2008-03-11 Thread Christopher Morrow
On Tue, Mar 11, 2008 at 2:27 AM, Jo Rhett [EMAIL PROTECTED] wrote: Justin Shore wrote: I'm assuming everyone uses uRPF at all their edges already so that eliminates the need for specific ACEs with ingress/egress network verification checks. ha. I only wish that was true. We do

Re: Customer-facing ACLs

2008-03-11 Thread Scott Weeks
Apologies for the delay... --- [EMAIL PROTECTED] wrote: On Mon, 10 Mar 2008, Scott Weeks wrote: The default policy is we allow everything. It takes no explaining. If you don't bother to explain to the same customers who you believe couldn't figure out how to change the default settings,

Re: Customer-facing ACLs

2008-03-11 Thread Scott Weeks
--- [EMAIL PROTECTED] wrote: uunet dialup has blocked port25 in both directions since 2002... little to no complaints. (well, they may have received complaints since I left, but... thank John StClair for the work behind that filtering actually.) - I'd

RE: Customer-facing ACLs

2008-03-11 Thread Scott Weeks
--- [EMAIL PROTECTED] wrote: We have a two-dozen line long ACL applied to our CMTS and BRAS blocking Windows and virus ports and have never had a complaint or a problem. We do have more sophisticated residential or large-biz customers ask, but

RE: Customer-facing ACLs

2008-03-11 Thread Sean Donelan
I'd like to ask the same question of you that I just did to Chris. How'd you implement that or has it been there since the network was new? I would suggest a good resource is the MAAWG papers, and even though you are stretched thin, consider attending a MAAWG meeting. MAAWG has a lot of

RE: Customer-facing ACLs

2008-03-11 Thread Frank Bulk - iNAME
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Weeks Sent: Tuesday, March 11, 2008 9:35 PM To: nanog@merit.edu Subject: RE: Customer-facing ACLs --- [EMAIL PROTECTED] wrote: We have a two-dozen line long ACL applied to our CMTS

Re: NANOG laptops (was Re: Customer-facing ACLs)

2008-03-10 Thread Mark Prior
William Allen Simpson wrote: Marshall Eubanks wrote: I used to count the proportion of Mac laptops in the room (or, at least, my row) to pass the time when I was bored. I remember at the 1999 Washington IETF I saw exactly one, and I could hear people whisper about it around me. I

Re: Customer-facing ACLs

2008-03-10 Thread Chris Marlatt
Dave Pooser wrote: Do bots try brute force attacks on Telnet and FTP? All I see at my firewall are SSH attacks and spam. But sure, if there's a lot of Telnet abuse block 23 too; I think it's used about as rarely by normal customers as SSH is. Depending on the ip space I find FTP brute force

Re: Customer-facing ACLs

2008-03-10 Thread Adrian Chadd
Do bots try brute force attacks on Telnet and FTP? All I see at my firewall are SSH attacks and spam. But sure, if there's a lot of Telnet abuse block 23 too; I think it's used about as rarely by normal customers as SSH is. Depending on the ip space I find FTP brute force attacks 10 times

Re: Customer-facing ACLs

2008-03-10 Thread Justin Shore
Adrian Chadd wrote: Does anyone have any handy links to actual raw data and papers about this? I'm sure we've all got our own personal datapoints to support automated network probes but I'd prefer to stuff something slightly more concrete and official(!) into the Wiki. SANS ISC might have

Re: Customer-facing ACLs

2008-03-10 Thread Sean Donelan
On Fri, 7 Mar 2008, Scott Weeks wrote: To me there is no question of whether or not you filter traffic for residential broadband customers. SBC in my area (Dallas) went from wide open to outbound 25 blocked by default/opened on request. I think doing the same thing with port 22 would hardly

Re: Customer-facing ACLs

2008-03-10 Thread Scott Weeks
Long response with answers inline... --- [EMAIL PROTECTED] wrote:--- Might as well do TCP 20, 21 and 23, too. Woah, that slope's getting slippery! Depends on how you ask the questions. How about: Should a stateful firewall be provided for casual broadband dynamic

Re: Customer-facing ACLs

2008-03-10 Thread Sean Donelan
On Mon, 10 Mar 2008, Scott Weeks wrote: The hard part is I now always take over networks that have been in operation a long time and enabling these policies can be very painful after the fact. Establishing them when the network is new is a different story. Whatever you decide, whether you

Re: Customer-facing ACLs

2008-03-10 Thread Scott Weeks
-- [EMAIL PROTECTED] wrote: -- On Mon, 10 Mar 2008, Scott Weeks wrote: The hard part is I now always take over networks that have been in operation a long time and enabling these policies can be very painful after the fact. Establishing them when the network is new is a

Re: Customer-facing ACLs

2008-03-10 Thread Andy Dills
On Tue, 11 Mar 2008, Ang Kah Yik wrote: Hi Justin (and all others on-list) I understand your grounds for blocking outbound SMTP for your customers (especially those on dynamic IP connections). It probably will do good to block infected customers that are spewing spam all over the world.

Re: Customer-facing ACLs

2008-03-10 Thread Ang Kah Yik
Hi Andy (and all who responded), Thanks for the heads-up on the redirection of SMTP traffic. I've yet to see an implementation of it but I agree that it's a possible solution. As for the issue I raised previously, perhaps corporate users aren't a good example, but what about users of email

Re: Customer-facing ACLs

2008-03-10 Thread Sean Donelan
On Mon, 10 Mar 2008, Scott Weeks wrote: The default policy is we allow everything. It takes no explaining. If you don't bother to explain to the same customers who you believe couldn't figure out how to change the default settings, what the risks are and how to protect their computers on the

Re: Customer-facing ACLs

2008-03-10 Thread Christopher Morrow
On Mon, Mar 10, 2008 at 7:58 PM, Ang Kah Yik [EMAIL PROTECTED] wrote: Hi Justin (and all others on-list) I understand your grounds for blocking outbound SMTP for your customers (especially those on dynamic IP connections). It probably will do good to block infected customers that are

Re: Customer-facing ACLs

2008-03-10 Thread Adrian Chadd
I've attempted to summarise the replies I found useful in the Wiki: http://nanog.cluepon.net/index.php/MailTopics#Customer-Facing_ACLs My personal observations: * More information about what networks are doing would be nice! * More data points about probes/scans/etc would be nice! * Filtering

Re: Customer-facing ACLs

2008-03-10 Thread Justin Shore
Ang Kah Yik wrote: However, considering the number of mobile workers out there who send email via their laptops to corporate SMTP servers, won't blocking outbound SMTP affect them? After all, there are also those who frequently move from place to place so they're going to have to keep

RE: Customer-facing ACLs

2008-03-10 Thread Frank Bulk - iNAME
: Customer-facing ACLs On Mon, 10 Mar 2008, Scott Weeks wrote: The hard part is I now always take over networks that have been in operation a long time and enabling these policies can be very painful after the fact. Establishing them when the network is new is a different story. Whatever you decide

RE: Customer-facing ACLs

2008-03-10 Thread Frank Bulk - iNAME
Those using Google for SMTP can still use their ISP's SMTP servers for outbound Frank -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ang Kah Yik Sent: Monday, March 10, 2008 7:40 PM To: Andy Dills Cc: nanog@merit.edu Subject: Re: Customer-facing

NANOG laptops (was Re: Customer-facing ACLs)

2008-03-09 Thread David Conrad
Hi, On Mar 8, 2008, at 2:40 PM, William Norton wrote: I was quite surprised to see the large number of Mac laptops at NANOG 42. I didn't do a formal count but it seemed like about 1/4 to 1/3 of the laptops in use were Macs. ...You know, now that you mention it, I was also quite impressed

Re: NANOG laptops (was Re: Customer-facing ACLs)

2008-03-09 Thread Randy Bush
i am moving to a macbook pro, or trying to, from a freebsd/winxp. but why did they have to 'add value' by mucking with freebsd and breaking my fingers? and whoever thought the mac screen was good never used my alienware 1920x1024. at the ipv4 econ meet on tasman last week, macs were in extreme

Re: NANOG laptops (was Re: Customer-facing ACLs)

2008-03-09 Thread Marshall Eubanks
On Mar 9, 2008, at 3:21 PM, David Conrad wrote: Hi, On Mar 8, 2008, at 2:40 PM, William Norton wrote: I was quite surprised to see the large number of Mac laptops at NANOG 42. I didn't do a formal count but it seemed like about 1/4 to 1/3 of the laptops in use were Macs. ...You know,

Re: NANOG laptops (was Re: Customer-facing ACLs)

2008-03-09 Thread Jason Lixfeld
So the overwhelming question for me is why? Is it simply the fact that the native *nix underpinnings are where most users (within the aforementioned demographic) spend most of their time anyway? That's what did it for me - repeated attempts to get FreeBSD to run stable on the Inspiron I

Re: NANOG laptops (was Re: Customer-facing ACLs)

2008-03-09 Thread Paul Vixie
my laptop, and both my desktops, run KDE. the underlying operating system is usually something like opensuse (a linux distro) or pcbsd or desktopbsd (which are freebsd distros). all i need from the OS is to support KDE well, patch itself from a vendor mothership often, do suspend/resume and

Re: NANOG laptops (was Re: Customer-facing ACLs)

2008-03-09 Thread Al Iverson
On 3/9/08, Jason Lixfeld [EMAIL PROTECTED] wrote: So the overwhelming question for me is why? Is it simply the fact that the native *nix underpinnings are where most users (within the aforementioned demographic) spend most of their time anyway? That's what did it for me - repeated

Re: Customer-facing ACLs

2008-03-09 Thread Justin Shore
Dave Pooser wrote: I can understand the logic of dropping the port, but there's some additional thought involved when looking at Port 22 - maybe I'm not well-read enough, but the bots I've seen that are doing SSH scans, etc, are not usually on Windows systems. I can figure them working on Linux,

Re: NANOG laptops (was Re: Customer-facing ACLs)

2008-03-09 Thread Bill Woodcock
Macbook Pro (all of IANA (with one recent exception) use Macs of one form or another). All of PCH uses MacBook Pros. Except Gaurab, who uses a MacBook Air. :-) In the good ole days it seemed like 99% were PCs maybe a couple were reinstalled with some form of unix,

Re: NANOG laptops (was Re: Customer-facing ACLs)

2008-03-09 Thread Randy Bush
definitely agree with supermicro, freebsd, zfs for servers. it rocks! and i lived through duo, hinote, vaio, thinkpad, alienware, and now mac. i keep the alienware because it has real graphics, 1920x1024, as opposed to the mac. on the alienware, i run winxp with cygwin as host, vmware, and

Re: NANOG laptops (was Re: Customer-facing ACLs)

2008-03-09 Thread Bill Woodcock
On Sun, 9 Mar 2008, Randy Bush wrote: and i lived through duo, hinote, vaio, thinkpad, alienware, and now mac. i keep the alienware because it has real graphics, 1920x1024, as opposed to the mac. There was a guy from Amazon at the San Jose meeting who'd transplanted an

Re: NANOG laptops (was Re: Customer-facing ACLs)

2008-03-09 Thread William Allen Simpson
Marshall Eubanks wrote: I used to count the proportion of Mac laptops in the room (or, at least, my row) to pass the time when I was bored. I remember at the 1999 Washington IETF I saw exactly one, and I could hear people whisper about it around me. I used to attend with various

Re: Customer-facing ACLs

2008-03-08 Thread Dave Pooser
I can understand the logic of dropping the port, but there's some additional thought involved when looking at Port 22 - maybe I'm not well-read enough, but the bots I've seen that are doing SSH scans, etc, are not usually on Windows systems. I can figure them working on Linux, MacOS systems -

Re: Customer-facing ACLs

2008-03-08 Thread Adrian Chadd
On Sat, Mar 08, 2008, Mark Foster wrote: To me, at least half the users likely to be running either Linux or Mac are going to be the same users who're going to request they be allowed outbound SSH is the blocking of outbound SSH considered to be sufficiently useful that we're

RE: Customer-facing ACLs

2008-03-08 Thread Frank Bulk - iNAME
Foster'; Dave Pooser; nanog@merit.edu Subject: Re: Customer-facing ACLs Frank Bulk wrote: The last few spam incidents I measured an outflow of about 2 messages per second. Does anyone know how aggressive Telnet and SSH scanning is? Even if it was greater, it's my guess there are many more hosts

Re: Customer-facing ACLs

2008-03-08 Thread Justin Shore
Mark Foster wrote: Port 22 outbound? And 23? Telnet and SSH _outbound_ cause that much of a concern? I can only assume it's to stop clients' exploited boxen being used to anonymise further telnet/ssh attempts - but have to admit this discussion is the first I've heard of it being done 'en

Re: Customer-facing ACLs

2008-03-08 Thread Justin Shore
It varies widely. I see some extremely slow scans (1 SYN every 2-5 minutes). This is what someone on the SANS ISC page mentioned I believe. I've also seen scans last for up to 10 minutes. The consistency of the speeds made me think that perhaps the scanning computer was on a slow link.

RE: Customer-facing ACLs

2008-03-08 Thread Frank Bulk - iNAME
for all the undesired apps. Frank -Original Message- From: Justin Shore [mailto:[EMAIL PROTECTED] Sent: Saturday, March 08, 2008 12:28 PM To: [EMAIL PROTECTED] Cc: 'Mark Foster'; Dave Pooser; nanog@merit.edu Subject: Re: Customer-facing ACLs It varies widely. I see some extremely slow

Re: Customer-facing ACLs

2008-03-08 Thread Jay Hennigan
Dave Pooser wrote: Half the Mac users? You think? I know a dozen or so sysadmins who use Macs, [raises hand...] and about a hundred users who wouldn't know SSH from PCP; I think that's probably a slightly skewed sample considering I'm a Mac geek who hangs around with Mac geeks, and I'd

Re: Customer-facing ACLs

2008-03-08 Thread William Norton
I was quite surprised to see the large number of Mac laptops at NANOG 42. I didn't do a formal count but it seemed like about 1/4 to 1/3 of the laptops in use were Macs. ...You know, now that you mention it, I was also quite impressed with how many macbook pros there were in the room as

Re: Customer-facing ACLs

2008-03-08 Thread Mark Tinka
On Saturday 08 March 2008, Justin Shore wrote: What kind of customer-facing filtering do you do (ingress and egress)? This of course is dependent on the type of customer, so let's assume we're talking about an average residential customer. We supply to mid-to-small ISPs mostly, and sizeable

Re: Customer-facing ACLs

2008-03-07 Thread Justin M. Streiner
On Fri, 7 Mar 2008, Justin Shore wrote: Do you block any customer-facing egress traffic at all? What about ingress? SMTP, NetBIOS, MS-SQL, common proxy ports (3128, 6588)? What ICMP types do you allow or disallow? In my previous life, I worked at a mid-sized ISP. A common practice for

Re: Customer-facing ACLs

2008-03-07 Thread Valdis . Kletnieks
On Fri, 07 Mar 2008 13:55:05 CST, Justin Shore said: I'm assuming everyone uses uRPF at all their edges already so that eliminates the need for specific ACEs with ingress/egress network verification checks. You're new here, aren't you? :)

Re: Customer-facing ACLs

2008-03-07 Thread Justin Shore
[EMAIL PROTECTED] wrote: On Fri, 07 Mar 2008 13:55:05 CST, Justin Shore said: I'm assuming everyone uses uRPF at all their edges already so that eliminates the need for specific ACEs with ingress/egress network verification checks. You're new here, aren't you? :) Hopefully optimistic.

Re: Customer-facing ACLs

2008-03-07 Thread Dan Armstrong
I would *love* to be able to run uRPF on all of our edge devices, but we use Cisco ME3400s, 3550s, 3560s and they don't support it. :-( [EMAIL PROTECTED] wrote: On Fri, 07 Mar 2008 13:55:05 CST, Justin Shore said: I'm assuming everyone uses uRPF at all their edges already so that

Re: Customer-facing ACLs

2008-03-07 Thread Robert Beverly
On Fri, Mar 07, 2008 at 01:55:05PM -0600, Justin Shore wrote: What kind of customer-facing filtering do you do (ingress and egress)? This of course is dependent on the type of customer, so let's assume we're talking about an average residential customer. ... As part of a recent measurement

Re: Customer-facing ACLs

2008-03-07 Thread Kameron Gasso
Justin M. Streiner wrote: I do recall weighing the merits of extending that to drop outbound SMTP to everything except our mail farm, but it wasn't deployed because there was a great deal of fear of customer backlash and that it would drive more calls into the call center. This seems to be

RE: Customer-facing ACLs

2008-03-07 Thread Tim Sanderson
: Customer-facing ACLs [EMAIL PROTECTED] wrote: On Fri, 07 Mar 2008 13:55:05 CST, Justin Shore said: I'm assuming everyone uses uRPF at all their edges already so that eliminates the need for specific ACEs with ingress/egress network verification checks. You're new here, aren't you? :) Hopefully

Re: Customer-facing ACLs

2008-03-07 Thread Danny McPherson
On Mar 7, 2008, at 12:55 PM, Justin Shore wrote: This question will probably get lost in the Friday afternoon lull but we'll give it a try anyway. What kind of customer-facing filtering do you do (ingress and egress)? This of course is dependent on the type of customer, so let's

Re: Customer-facing ACLs

2008-03-07 Thread Scott Weeks
--- What kind of customer-facing filtering do you do (ingress and egress)? This of course is dependent on the type of customer, so let's assume we're talking about an average residential customer. --- From a

RE: Customer-facing ACLs

2008-03-07 Thread Frank Bulk
. Streiner Cc: NANOG Subject: Re: Customer-facing ACLs Justin M. Streiner wrote: I do recall weighing the merits of extending that to drop outbound SMTP to everything except our mail farm, but it wasn't deployed because there was a great deal of fear of customer backlash and that it would drive

Re: Customer-facing ACLs

2008-03-07 Thread Justin Shore
Scott Weeks wrote: fire + gasoline = religious argument on this issue that we've had *many* times in the past... ;-) I wore my flame-retardant tidy whiteys today though so I'm prepared. :-) I can understand the problem from both camps. As a tech-savvy user I don't want my provider to

Re: Customer-facing ACLs

2008-03-07 Thread Dave Pooser
To me there is no question of whether or not you filter traffic for residential broadband customers. SBC in my area (Dallas) went from wide open to outbound 25 blocked by default/opened on request. I think doing the same thing with port 22 would hardly be an undue burden on users, and would

Re: Customer-facing ACLs

2008-03-07 Thread Scott Weeks
--- [EMAIL PROTECTED] wrote: To me there is no question of whether or not you filter traffic for residential broadband customers. SBC in my area (Dallas) went from wide open to outbound 25 blocked by default/opened on request. I think doing the same thing with port 22 would hardly be an

RE: Customer-facing ACLs

2008-03-07 Thread Carpenter, Jason
ports will actually pay for it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Weeks Sent: Friday, March 07, 2008 5:57 PM To: nanog@merit.edu Subject: Re: Customer-facing ACLs --- [EMAIL PROTECTED] wrote: To me there is no question of whether

Re: Customer-facing ACLs

2008-03-07 Thread Dave Pooser
Might as well do TCP 20, 21 and 23, too. Woah, that slope's getting slippery! Do bots try brute force attacks on Telnet and FTP? All I see at my firewall are SSH attacks and spam. But sure, if there's a lot of Telnet abuse block 23 too; I think it's used about as rarely by normal customers as

RE: Customer-facing ACLs

2008-03-07 Thread Scott Weeks
--- [EMAIL PROTECTED] wrote: That's the problem, isn't it? Who decides what can and can't go through. I think the tier approach is better, a basic user account where everything is blocked and a Sysadmin type account where everything is open. If the price is different enough then only people

RE: Customer-facing ACLs

2008-03-07 Thread Paul Ferguson
-- Scott Weeks [EMAIL PROTECTED] wrote: We need to take this off-line. All long timers are groaning, rolling their eyes and putting this in their kill file. Try convincing your product managers to create a new product just to appease 'sysadmin

Re: Customer-facing ACLs

2008-03-07 Thread Justin Shore
Scott Weeks wrote: We need to take this off-line. All long timers are groaning, rolling their eyes and putting this in their kill file. Are the long-timers groaning and ignoring this thread? I certainly hope not. It's threads like these that need the benefit of their experience the

Re: Customer-facing ACLs

2008-03-07 Thread Andy Dills
On Fri, 7 Mar 2008, Dave Pooser wrote: Might as well do TCP 20, 21 and 23, too. Woah, that slope's getting slippery! Do bots try brute force attacks on Telnet and FTP? All I see at my firewall are SSH attacks and spam. But sure, if there's a lot of Telnet abuse block 23 too; I think

Re: Customer-facing ACLs

2008-03-07 Thread Adrian Chadd
On Fri, Mar 07, 2008, Justin Shore wrote: Scott Weeks wrote: We need to take this off-line. All long timers are groaning, rolling their eyes and putting this in their kill file. Are the long-timers groaning and ignoring this thread? I certainly hope not. It's threads like these that

Re: Customer-facing ACLs

2008-03-07 Thread Dave Pooser
Just straight up blocking outbound ports (with the debatable exception of port 25) seems heavy handed and too slanted toward admin convenience over customer satisfaction. It's a slippery slope because unlike with spam, people who are affected by brute force attacks have some degree of

Re: Customer-facing ACLs

2008-03-07 Thread Mark Foster
Blocking port 25 outbound for dynamic users until they specifically request it be unblocked seems to me to meet the no undue burden test; so would port 22 and 23. Beyond that, I'd probably be hesitant until I either started getting a significant number of abuse reports about a certain flavor of

Re: Customer-facing ACLs

2008-03-07 Thread Joel Jaeggli
Dave Pooser wrote: To me there is no question of whether or not you filter traffic for residential broadband customers. SBC in my area (Dallas) went from wide open to outbound 25 blocked by default/opened on request. I think doing the same thing with port 22 would also people who do real

RE: Customer-facing ACLs

2008-03-07 Thread Frank Bulk
Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Foster Sent: Friday, March 07, 2008 10:02 PM To: Dave Pooser Cc: nanog@merit.edu Subject: Re: Customer-facing ACLs Blocking port 25 outbound for dynamic users until they specifically request it be unblocked seems

Re: Customer-facing ACLs

2008-03-07 Thread Joel Jaeggli
don't even bother to log telnet attempts anymore so I can't say much about that. Frank -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Foster Sent: Friday, March 07, 2008 10:02 PM To: Dave Pooser Cc: nanog@merit.edu Subject: Re: Customer-facing

Re: Customer-facing ACLs

2008-03-07 Thread Dave Pooser
Port 22 outbound? And 23? Telnet and SSH _outbound_ cause that much of a concern? I can only assume it's to stop clients' exploited boxen being used to anonymise further telnet/ssh attempts - but have to admit this discussion is the first I've heard of it being done 'en masse'. On one test

Re: Customer-facing ACLs

2008-03-07 Thread Mark Foster
On Sat, 8 Mar 2008, Dave Pooser wrote: Port 22 outbound? And 23? Telnet and SSH _outbound_ cause that much of a concern? I can only assume it's to stop clients' exploited boxen being used to anonymise further telnet/ssh attempts - but have to admit this discussion is the first I've heard