So you do recommend we disable them all? Just not sure why big vendors like Alcatel and Comtrend would have them enabled by default if they do more harm than good? On Thu, Sep 21, 2017 at 11:02 PM, Ca By <cb.list6@gmail.com> wrote:
On Thu, Sep 21, 2017 at 8:12 PM Colton Conor <colton.conor@gmail.com> wrote:
Working with an ISP, we recently deployed Comtrend VDSL routers, and Alcatel-Lucent GPON ONTs. Both of these devices uses chipsets made by Broadcom, and as such probably use the same underlying Broadcom operating system if I had to guess. They are different chipsets though as one is from VDSL2, and the other for GPON
By default, the Comtrend had the following Firewall -- ALG/Pass-Throughs enabled:
FTP H323 IPSec IRC PPTP RTSP SIP TFTP
On the Acatel-Lucent (Nokia) ONT, the following came enabled by default from the factory:
FTP H323 IPSEC L2TP PPTP RTSP SIP TFTP
The only difference between these two is the Comtrend has an IRC as a ALG, and Acatel has L2TP as a protocol type. The other seven ALG protocols as the same.
My question is in general, is it a good idea to disable all Application Layer Gateways?
Yes. ALG are frequently too smart for their own good.
The only ALG I have had experience with was a SIP ALG. Almost all SIP providers strongly recommend you disable SIP ALGs as it does more harm and breaks more things than it does good, so we always disable SIP ALG. But what about the other protocols on these two? Do you think they should be enabled or disabled by default?
I am leaning towards disabling them all for our standard config.