None of the exceptions mentioned means you can't filter. We practice a policy of informed filtering. We filter by default, and if the customer requests unfiltered and understands the risks involved, we add an exception for their connection. By default, we filter all of the usual Windows ports, plus a few other known-sketchy ports and port combinations.

-----Original Message-----
From: Jason Slagle [mailto:raistlin@tacorp.net]
Sent: Saturday, August 02, 2003 10:12 AM
To: Bruce Pinsky
Cc: Bob German; nanog@merit.edu
Subject: Re: Blocking port 135?

On Fri, 1 Aug 2003, Bruce Pinsky wrote:

> And filtering 445 in the outbound direction to prevent attacks from the inside out is probably prudent as well.

Unfortunately I've run into at least 1 rather big example of a company using 445 for SSL since they wanted to put more than 1 cert on a machine. In this case it was a check clearing house, and a bank couldn't reach them because their ISP was filtering their T1.

Jason

--
Jason Slagle - CCNP - CCDP
/"\
\ /  ASCII Ribbon Campaign
 X   - NO HTML/RTF in e-mail
/ \  - NO Word docs in e-mail