RE: Why do so few mail providers support Port 587?

I just get sick of providers blocking traffic...their job is to PASS
TRAFFIC. There must be a better solution, but laziness is getting the
better of us all, as usual.

We've had so many problems with "IP Providers" blocking various "IP
PROTOCOLS" that we've just ended up forcing all of our users to use VPN
tunnels for everything...except when the providers block that!!! Then
we're just screwed.

Anyways, just my two cents...

Please don't flame me, I'm just a lowly network guy.... :)

- Erik

I used to agree with this. This was, of course, until I started
being the poor sap at the end of the huge spam floods or massive DDoS
attacks.

My upstream provider blocks the following ports, just as an example:

deny tcp any gt 1023 any eq 445
deny tcp any gt 1023 any eq 135
deny tcp any gt 1023 any eq 1025
deny tcp any gt 1023 any eq 2745
deny tcp any gt 1023 any eq 6129
deny tcp any gt 1023 any eq 9898 syn
deny tcp any gt 1023 any eq 5554 syn
deny tcp any gt 1023 any eq 1023 syn
deny tcp any gt 1023 any eq 139
deny tcp any gt 1023 any eq 1433
deny tcp any gt 1023 any eq 3127
deny tcp any gt 1023 any eq 5000
deny udp any gt 1023 any eq 1026
deny udp any gt 1023 any eq 1027
deny udp any gt 1023 any eq 1028
deny udp any gt 1023 any eq 1029
deny udp any gt 1023 any eq netbios-ns
deny udp any eq 4000 any gt 1023
deny udp any gt 1023 any eq 1434
permit ip any any

... and they've reported to me (and I wonder if they're on the nanog
list :) ) that they're seeing more traffic hit this ACL than 'normal'
traffic passing. This may not hold true for /all/ network traffic
and I'm sure a lot of you will be seeing different traffic patterns
but it still shocked me. I've had a few people request services
which this ACL does filter and my reply is now always "use a VPN"
or "use a tunnel" or "buy ${SMALL_VPN_APPLIANCE}".

I don't like filtering. I liked the day when my ISPs mailserver would
break - so I'd just use another ISP for outbound mail until it was
fixed. Sob.

Adrian
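As an added illustration, not part of any post in this thread, here is a small evaluator for a representative subset of the ACL Adrian quoted, run over a few constructed flows. It assumes IOS first-match semantics with an implicit deny at the end, supports only the syntax those lines use, and shows that submission traffic to 587 is untouched while the 'gt 1023' and 'syn' qualifiers narrow what the deny lines actually match.

```python
# Subset of the ACL quoted in the thread; the parser below supports only this syntax.
ACL_TEXT = """\
deny tcp any gt 1023 any eq 445
deny tcp any gt 1023 any eq 135
deny tcp any gt 1023 any eq 9898 syn
deny tcp any gt 1023 any eq 1433
deny udp any gt 1023 any eq netbios-ns
deny udp any eq 4000 any gt 1023
deny udp any gt 1023 any eq 1434
permit ip any any
"""

def parse_acl(text):  # 'action proto any [op n] any [op n] [syn]' -> list of rule dicts
    rules = []
    for t in (line.split() for line in text.strip().splitlines()):
        rule = {"action": t[0], "proto": t[1], "src": None, "dst": None, "syn": t[-1] == "syn"}
        i = 2
        for side in ("src", "dst"):
            i += 1  # skip the 'any' address wildcard
            if i < len(t) and t[i] in ("eq", "gt", "lt"):  # port operator, number or IOS service name
                rule[side] = (t[i], {"netbios-ns": 137}.get(t[i + 1]) or int(t[i + 1]))
                i += 2
        rules.append(rule)
    return rules

def _port_ok(cond, port):
    return cond is None or {"eq": port == cond[1], "gt": port > cond[1], "lt": port < cond[1]}[cond[0]]

def evaluate(rules, proto, sport, dport, syn=False):
    """First match wins, as in IOS; an unmatched packet hits the implicit deny."""
    for r in rules:
        if r["proto"] in ("ip", proto) and (syn or not r["syn"]) and \
                _port_ok(r["src"], sport) and _port_ok(r["dst"], dport):
            return r["action"]
    return "deny"

def classify_samples():
    """Constructed flows (proto, sport, dport, syn) run through the quoted ACL subset."""
    rules = parse_acl(ACL_TEXT)
    flows = {
        "submission_587": ("tcp", 51000, 587, True),        # mail submission: no deny line touches it
        "smb_445": ("tcp", 51000, 445, True),
        "netbios_ns_udp": ("udp", 51000, 137, False),       # matched via the service name
        "tcp_9898_syn": ("tcp", 51000, 9898, True),         # 'syn' line catches the handshake
        "tcp_9898_midstream": ("tcp", 51000, 9898, False),  # but not an already-open flow
        "smb_445_low_sport": ("tcp", 1000, 445, True),      # 'gt 1023' source qualifier not met
    }
    return {name: evaluate(rules, *f) for name, f in flows.items()}
```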

<dons ISP hat>

We get sick of blocking ports.

We're little guys. About 10,000 users. Yesterday, we blocked 11025 connections either inbound to addresses that aren't mail servers, or outbound from addresses that aren't supposed to be mail servers.

This is a case of those that know a little too much preying on those that don't know quite enough, with those that don't have enough of anything trying to stop it from happening.

I can't flame you. I fully agree with you. But until I can find a way to stop the Big Bad Wolf from huffing and puffing, the house will be made of bricks, and the door will be locked.

Bob Martin
