Candid, The guy said: Having a block on port 25/tcp, 137-139/udp and some other magic virusports is acceptable on end-user IP's
WE DO and many ISPs block Netbios ports to protect customers. But this is totally ok. We block in LNS:
access-list 130 deny tcp any any eq smtp
access-list 130 permit ip any any
access-list 131 deny tcp any any range 135 139
access-list 131 deny udp any any range 135 netbios-ss
access-list 131 deny tcp any any eq 445
access-list 131 deny tcp any any eq 593
access-list 131 deny tcp any any eq 12345
access-list 131 permit ip any any
Candid Aeby <candid.aeby@tele2.com>
Sent by: swinog-bounces@lists.swinog.ch
04.04.2007 13:45
Please respond to swinog@swinog.ch
To: swinog@swinog.ch
cc:
Subject: Re: [swinog] does Econophone block port25
Hi
we are blocking Port 25 from customer to Internet. That's it. No blocking of other relevant Ports (587, 465, ...).
We will not change the policy, at least not now or soon. Even though there are some good solutions. As I mentioned before, not my and not a local decision.
By the way we are no business provider, we are in the residential (mass) market. So no special solution for 1 customer.
Best Regards
Candid
Jeroen Massar <jeroen@unfix.org>
Sent by: swinog-bounces@lists.swinog.ch
04.04.2007 09:42
Please respond to swinog@swinog.ch
To: swinog@swinog.ch
cc:
Subject: Re: [swinog] does Econophone block port25
Candid Aeby wrote:
Hi
first this is no local decision. We never liked it. I know it is unpopular and I would prefer a better solution. Since Monday Port 25 is blocked for Dial-Up and ADSL connections.
Is that outbound from $customer -> $internet, or is that also for inbound $internet -> $customer?
Having a block on port 25/tcp, 137-139/udp and some other magic virusports is acceptable on end-user IP's. BUT as long as the user of that line has the option to easily turn this off. E.g. using a web interface where they can log in using their user/pass and then enable it again, that is disable the block. If that is not possible, then when a user moans about not getting "Internet connectivity" they are quite right.
Users who are not the typical techy, can always use 587 as you indicated and should, in general, keep the block on.
To avoid problems there, make a simple policy: if found spreading a virus/spamming and having disabled the blockage: no Internet for a week. Or a similar measure that can of course be lifted after paying a fine.
Greets, Jeroen
_______________________________________________ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
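To check what the two access lists quoted at the top of this thread actually filter, the following added example (not code from any poster in the thread) parses them and applies first-match evaluation to a protocol and destination port. It assumes the standard IOS keyword values smtp = 25 and netbios-ss = 139, and it models only the port match, not which interface or direction each list is bound to, which the thread does not state.

```python
import re

# ACL text as posted in the thread (access-lists 130 and 131).
ACL_TEXT = """\
access-list 130 deny tcp any any eq smtp
access-list 130 permit ip any any
access-list 131 deny tcp any any range 135 139
access-list 131 deny udp any any range 135 netbios-ss
access-list 131 deny tcp any any eq 445
access-list 131 deny tcp any any eq 593
access-list 131 deny tcp any any eq 12345
access-list 131 permit ip any any
"""

# IOS port keywords used above, with their numeric values (assumed standard).
PORT_NAMES = {"smtp": 25, "netbios-ss": 139}

RULE = re.compile(r"access-list (\d+) (permit|deny) (ip|tcp|udp) any any"
                  r"(?: (eq|range) (\S+)(?: (\S+))?)?$")

def port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse(text):
    """Return {acl_number: [(action, proto, low_port, high_port), ...]} in order."""
    acls = {}
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        num, action, proto, op, a, b = m.groups()
        if op is None:
            lo, hi = 0, 65535          # no port qualifier: any port
        elif op == "eq":
            lo = hi = port(a)
        else:                          # range <low> <high>
            lo, hi = port(a), port(b)
        acls.setdefault(int(num), []).append((action, proto, lo, hi))
    return acls

def decide(rules, proto, dport):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, rproto, lo, hi in rules:
        if rproto in ("ip", proto) and lo <= dport <= hi:
            return action
    return "deny"

ACLS = parse(ACL_TEXT)
```

Calling `decide(ACLS[130], "tcp", 587)` returns `permit`, matching the statement in the thread that only port 25 is blocked and 587 and 465 remain usable. List 131 denies 445 for TCP only, so `decide(ACLS[131], "udp", 445)` returns `permit`.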