Customer-facing ACLs

Long response with answers inline...

--- wrote:---------------------------

Might as well do TCP 20, 21 and 23, too. Woah, that slope's getting slippery!

Depends on how you ask the questions.

How about: Should a stateful firewall be provided for casual broadband
dynamic Internet access connections by default? Users may change the
default settings of the stateful firewall as they choose.
   1. Unsolicited inbound (to user LAN) traffic

Whatever you decide, whether you know what the policies are or not, there
is always a set of default network policies.

The question is: do you explain to your customers just as carefully what
your default policy doesn't do, as well as what it does? Do you take
just as much time to carefully explain to your customers the risks and what
may break from allowing that traffic as you would from not allowing that traffic?

It seems to be very painful whatever decision is made.

We have a two-dozen line long ACL applied to our CMTS and BRAS blocking
Windows and "virus" ports and have never had a complaint or a problem. We
do have more sophisticated residential or large-biz customers ask, but
only once has our ACL been the source of a problem, and that was only because the
OEM version of the software didn't implement communications the same way as
their branded version.