Justin Scott said:
Your comment about "exceptions for customers that prove they know how to lock down" is not based in reality, frankly. Have you ever tried to have Joe Sixpack call BigISP support to ask for an exception to a port block on his consumer-class connection with a dynamic IP? That's a wall that I would not be willing to ask my customers to climb over.
iiNet, a reasonably sized Aussie ISP, has a web page (specifically part of the 'My Account' page) where you can, with a simple check box, choose to have commonly abused ports blocked *for outgoing connections* or not. Last time I looked the ports blocked were:

Port 25
Port 137
Port 138
Port 139
Port 445

How the back end works I don't know, but it is pretty seamless to the user, as I opted out of the block as soon as I connected. Their tech support is reasonably unintelligent at level 1, but even they were able to understand my problem and explain where the checkbox was so that within 35 seconds of taking the call my servers were open to the Internet in both directions.

Regards,
Matthew