[c-nsp] ISP POP Location - Blocking Ports - Advice

Jon Lewis jlewis at lewis.org
Mon Aug 2 22:54:29 EDT 2004


On Mon, 2 Aug 2004, Paul Stewart wrote:

> We have decided to start being more strict on what we permit our customers
> to send through our system as an ISP.  Basically I'd like to start blocking
> smtp traffic except to our mail servers from dynamic addresses.  Static IP
> customers will still be able to send smtp traffic.
>
> What I am wondering though is what ports are commonly blocked now on ISPs?
> Anyone care to share their lists?
>
> We are thinking of blocking port 25, 137, 138, 139, 445 at this point.  The
> reason is to cut down on the crap coming from virus infected customers.

I just started doing this at work for the same reasons.  I can't put in
the port 25 filter yet, but it's next.

Here's the initial filter I settled on:

        Ascend-Data-Filter = "ip in forward tcp est", \
        Ascend-Data-Filter = "ip in drop tcp dstport = 135", \
        Ascend-Data-Filter = "ip in drop tcp dstport = 137", \
        Ascend-Data-Filter = "ip in drop tcp dstport = 138", \
        Ascend-Data-Filter = "ip in drop tcp dstport = 139", \
        Ascend-Data-Filter = "ip in drop tcp dstport = 445", \
        Ascend-Data-Filter = "ip in drop udp dstport = 135", \
        Ascend-Data-Filter = "ip in drop udp dstport = 137", \
        Ascend-Data-Filter = "ip in drop udp dstport = 138", \
        Ascend-Data-Filter = "ip in drop udp dstport = 139", \
        Ascend-Data-Filter = "ip in drop udp dstport = 445", \
        Ascend-Data-Filter = "ip in forward", \
        Ascend-Data-Filter = "ip out forward tcp est", \
        Ascend-Data-Filter = "ip out drop tcp dstport = 135", \
        Ascend-Data-Filter = "ip out drop tcp dstport = 137", \
        Ascend-Data-Filter = "ip out drop tcp dstport = 138", \
        Ascend-Data-Filter = "ip out drop tcp dstport = 139", \
        Ascend-Data-Filter = "ip out drop tcp dstport = 445", \
        Ascend-Data-Filter = "ip out drop udp dstport = 135", \
        Ascend-Data-Filter = "ip out drop udp dstport = 137", \
        Ascend-Data-Filter = "ip out drop udp dstport = 138", \
        Ascend-Data-Filter = "ip out drop udp dstport = 139", \
        Ascend-Data-Filter = "ip out drop udp dstport = 445", \
        Ascend-Data-Filter = "ip out forward", \

Ignore the trailing \'s...they're a result of how this filter is being
applied in our radius config.

If you can do this at the POP router (rather than on the NAS via radius)
that's probably even better.  Doing it via radius though makes it easy to
have exceptions if some customer really needs to do windows networking
over the internet.

> Any thoughts would be most helpful... We are looking at putting access lists
> at each POP site for now and go from there...

We did this without warning the customers (only a heads up to the support
call center) and I don't think anyone complained.  I was against it for
some time just because I don't think we should be filtering anything
unless we're forced to in order to keep the ciscos from crashing...but
that's what it's come down to with first nachi and now the latest few
worms.  I was also concerned about how our smaller stuff (as5200s) would
handle it, but it doesn't seem to be causing any trouble on them.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
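The filter above is a plain first-match rule list, and the question of what it actually passes or drops (return traffic for customer-initiated TCP sessions, SMTP, DNS) is easier to answer by evaluating sample packets against it than by reading it. The following is an added example, not code from the post or from the cisco-nsp list: it parses the `Ascend-Data-Filter` lines quoted above, evaluates constructed packets against them with first-match semantics, and renders one direction as an IOS extended access list of the kind the "access lists at each POP site" remark refers to. Assumptions, marked in the code: "in" means traffic arriving from the customer, "est" matches only TCP segments belonging to an existing connection, an unmatched packet is dropped, and the ACL number 101 and the `any any` source/destination are placeholders.

```python
"""Parse, evaluate and translate Ascend-Data-Filter rules (added example).

Subset of the syntax handled, inferred from the rules in the post:
    ip <in|out> <forward|drop> [tcp|udp] [est] [dstport = N]
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The filter exactly as quoted in the post (trailing backslashes included).
FILTER_TEXT = r'''
        Ascend-Data-Filter = "ip in forward tcp est", \
        Ascend-Data-Filter = "ip in drop tcp dstport = 135", \
        Ascend-Data-Filter = "ip in drop tcp dstport = 137", \
        Ascend-Data-Filter = "ip in drop tcp dstport = 138", \
        Ascend-Data-Filter = "ip in drop tcp dstport = 139", \
        Ascend-Data-Filter = "ip in drop tcp dstport = 445", \
        Ascend-Data-Filter = "ip in drop udp dstport = 135", \
        Ascend-Data-Filter = "ip in drop udp dstport = 137", \
        Ascend-Data-Filter = "ip in drop udp dstport = 138", \
        Ascend-Data-Filter = "ip in drop udp dstport = 139", \
        Ascend-Data-Filter = "ip in drop udp dstport = 445", \
        Ascend-Data-Filter = "ip in forward", \
        Ascend-Data-Filter = "ip out forward tcp est", \
        Ascend-Data-Filter = "ip out drop tcp dstport = 135", \
        Ascend-Data-Filter = "ip out drop tcp dstport = 137", \
        Ascend-Data-Filter = "ip out drop tcp dstport = 138", \
        Ascend-Data-Filter = "ip out drop tcp dstport = 139", \
        Ascend-Data-Filter = "ip out drop tcp dstport = 445", \
        Ascend-Data-Filter = "ip out drop udp dstport = 135", \
        Ascend-Data-Filter = "ip out drop udp dstport = 137", \
        Ascend-Data-Filter = "ip out drop udp dstport = 138", \
        Ascend-Data-Filter = "ip out drop udp dstport = 139", \
        Ascend-Data-Filter = "ip out drop udp dstport = 445", \
        Ascend-Data-Filter = "ip out forward", \
'''

RULE_RE = re.compile(
    r'^ip\s+(?P<dir>in|out)\s+(?P<action>forward|drop)'
    r'(?:\s+(?P<proto>tcp|udp))?'
    r'(?:\s+(?P<est>est))?'
    r'(?:\s+dstport\s*=\s*(?P<port>\d+))?\s*$'
)


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" = from the customer toward the network (assumption)
    action: str             # "forward" or "drop"
    proto: Optional[str]    # "tcp", "udp", or None for any IP protocol
    established: bool       # "est": match only segments of an existing TCP connection
    dstport: Optional[int]  # destination port, or None for any


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    dstport: int
    established: bool = False  # True for a TCP segment of an existing connection


def parse_filter(text: str) -> List[Rule]:
    """Extract every quoted Ascend-Data-Filter rule, in order, from RADIUS config text."""
    rules = []
    for line in text.splitlines():
        m = re.search(r'Ascend-Data-Filter\s*=\s*"([^"]+)"', line)
        if not m:
            continue
        r = RULE_RE.match(m.group(1).strip())
        if not r:
            raise ValueError(f"unparsed rule: {m.group(1)!r}")
        rules.append(Rule(r["dir"], r["action"], r["proto"], bool(r["est"]),
                          int(r["port"]) if r["port"] else None))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet matching no rule is dropped (assumption)."""
    for r in rules:
        if r.direction != pkt.direction:
            continue
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.established and not (pkt.proto == "tcp" and pkt.established):
            continue
        if r.dstport is not None and r.dstport != pkt.dstport:
            continue
        return r.action
    return "drop"


def to_ios_acl(rules: List[Rule], direction: str, number: int = 101) -> List[str]:
    """Render one direction of the filter as IOS extended-ACL lines.

    Assumption: one ACL per direction, applied on the customer-facing interface;
    the ACL number and 'any any' addresses are placeholders.
    """
    acl = []
    for r in rules:
        if r.direction != direction:
            continue
        line = f"access-list {number} {'permit' if r.action == 'forward' else 'deny'} " \
               f"{r.proto or 'ip'} any any"
        if r.dstport is not None:
            line += f" eq {r.dstport}"
        if r.established:
            line += " established"
        acl.append(line)
    return acl


if __name__ == "__main__":
    rules = parse_filter(FILTER_TEXT)
    # Constructed sample packets: SMB from the customer, its reply traffic, SMTP, DNS.
    for pkt in (Packet("in", "tcp", 445), Packet("in", "tcp", 445, established=True),
                Packet("in", "tcp", 25), Packet("out", "udp", 137), Packet("in", "udp", 53)):
        print(pkt, "->", evaluate(rules, pkt))
    print("\n".join(to_ios_acl(rules, "in")))
```

Running it shows what the post describes: customer-originated TCP 445 is dropped while the reply segments of a customer's own outbound connections pass on the leading `est` rule, and port 25 is still forwarded because the SMTP filter "isn't in yet". The rendered ACL keeps the same order, which matters on IOS as much as on the NAS: the `established` permit must precede the denies, and the final `permit ip any any` must be last.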

