Mailing List Archive: NANOG: users
Customer-facing ACLs
 



justin at justinshore

Mar 7, 2008, 11:55 AM



This question will probably get lost in the Friday afternoon lull but
we'll give it a try anyway.

What kind of customer-facing filtering do you do (ingress and egress)?
This of course is dependent on the type of customer, so let's assume
we're talking about an average residential customer.

Do you block SYNs destined to your customers? Do you rate-limit SYNs
destined for your customers? SYNs on privileged ports?

Do you block any customer-facing egress traffic at all? What about
ingress? SMTP, NetBIOS, MS-SQL, common proxy ports (3128, 6588)?

What ICMP types do you allow or disallow?

I'm assuming everyone uses uRPF at all their edges already so that
eliminates the need for specific ACEs with ingress/egress network
verification checks.

Do you filter anything destined to your network infrastructure on your
customer-facing edges? Does anyone filter traffic destined to the PE
side of a PE-CE link from the outside world?

For those of you with cable networks, what all do you block with the CM?
We're considering blocking NetBIOS and DHCP server traffic (DHCP
server packets are already blocked at the CMTS but this would keep that
junk off our infrastructure).

For SMTP we permit access to our SMTP servers on tcp/25 to all our
broadband users. We also permit our customers with static IPs
(residential and business) to send SMTP without restrictions. After
those permits we explicitly block tcp/25. This has worked fairly well
for us. It sure makes it easy to find infected PCs with spambots. We
don't touch tcp/587.

For ICMP we permit echo, replies, packet-too-big, and time-exceeded.
Everything else gets dropped. Frags are explicitly dropped before any
permits.

We also block common proxy ports to and from the customers (the to
includes ports not always used for proxies). This has been very
effective in catching a number of bots that scanned for open Squid
proxies or script kiddie junk that used WinGate with the default settings.


Is there a BCP for customer-facing ACLs?

Justin
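
The policy described in the post above, as an added example that is not part of the original message: a first-match model of the customer-sourced rules (fragments, ICMP, tcp/25, proxy ports), plus a count of tcp/25 deny hits per source, which is how the block surfaces spambot-infected hosts. The prefixes, the trailing default permit, the numeric ICMP mapping, the `min_dests` threshold and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed values (documentation prefixes), not taken from the post.
ISP_SMTP = ip_network("192.0.2.0/28")        # provider's own SMTP servers
STATIC_CUST = ip_network("198.51.100.0/25")  # customers with static IPs
PROXY_PORTS = {3128, 6588}                   # the two proxy ports the post names
ICMP_TYPES_OK = {0, 8, 11}                   # IPv4 echo-reply, echo, time-exceeded

def evaluate(pkt):
    """First-match walk of the customer-sourced policy; returns (action, rule)."""
    if pkt.get("frag"):                      # fragments dropped before any permit
        return "deny", "frag"
    if pkt["proto"] == "icmp":
        t, c = pkt["icmp"]                   # packet-too-big modeled as type 3 code 4
        ok = t in ICMP_TYPES_OK or (t, c) == (3, 4)
        return ("permit", "icmp-ok") if ok else ("deny", "icmp-other")
    if pkt["proto"] == "tcp" and pkt["dport"] == 25:
        if ip_address(pkt["dst"]) in ISP_SMTP:
            return "permit", "smtp-to-isp"
        if ip_address(pkt["src"]) in STATIC_CUST:
            return "permit", "smtp-static"
        return "deny", "smtp-block"          # explicit block after the two permits
    if pkt["proto"] == "tcp" and pkt["dport"] in PROXY_PORTS:
        return "deny", "proxy"
    return "permit", "default"               # assumed; tcp/587 lands here untouched

def spambot_suspects(packets, min_dests=3):
    """Sources that hit the tcp/25 deny toward at least min_dests distinct hosts."""
    dests = defaultdict(set)
    for p in packets:
        if evaluate(p) == ("deny", "smtp-block"):
            dests[p["src"]].add(p["dst"])
    return sorted(s for s, d in dests.items() if len(d) >= min_dests)

def tcp(src, dst, dport):
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport}

# Constructed sample traffic.
SAMPLE = [tcp("203.0.113.10", f"198.51.100.{200 + i}", 25) for i in range(4)] + [
    tcp("203.0.113.20", "192.0.2.5", 25),        # dynamic user to the ISP relay
    tcp("198.51.100.7", "198.51.100.201", 25),   # static-IP customer
    tcp("203.0.113.20", "198.51.100.201", 587),  # submission port
    tcp("203.0.113.40", "198.51.100.202", 25),   # single blocked attempt
    tcp("203.0.113.30", "198.51.100.203", 3128),
    {"proto": "icmp", "src": "203.0.113.20", "dst": "192.0.2.1", "icmp": (5, 0)},
    {"proto": "icmp", "src": "203.0.113.20", "dst": "192.0.2.1", "icmp": (8, 0), "frag": True},
]
print(spambot_suspects(SAMPLE))
```

Counting distinct destinations rather than raw hits keeps a single misconfigured mail client (203.0.113.40 in the sample) from being flagged alongside a host spraying many mail servers.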
