Kenneth Porter wrote:
> Two rules then: Allow FTP SYNs, and block all other SYNs.
You cannot detect "FTP SYNs" because in active-mode FTP, the FTP client is free to choose an ephemeral port for the reverse connection.

I don't think ISPs should prevent people from running "servers", because that's far too wide a concept. I would get most annoyed if my ISP blocked my OpenVPN traffic, for example, even though there's an SSH "server" running over the VPN traffic. (I'm lucky enough to live in Canada, where you can generally find a decent ISP that gives out reasonably-priced static addresses and lets clueful users do what they need.)

ISPs should do the following:

- Block outbound port 25 connections except to their own mail servers.
- Insist on SMTP AUTH for outbound mail. Perhaps then even block outbound port 25 completely and force port 587.
- Monitor traffic from customer equipment to detect the telltale signs of virus infection or spamming.

That's all. Blocking ALL servers is too draconian.

Regards,

David.

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
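As an added illustration that is not part of David's post or of MIMEDefang, the Python below models the egress policy he proposes (outbound port 25 only to the ISP's own relays, port 587 left open) on constructed flow records, and adds a simple fan-out check for the "telltale signs" of a spamming customer; the ISP relay addresses, customer addresses and flows are all constructed for the example.

```python
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: float      # seconds since start of the capture
    src: str       # customer address
    dst: str       # destination address
    dport: int     # destination TCP port


ISP_MX = {"198.51.100.25", "198.51.100.26"}   # constructed ISP relay addresses


def egress_verdict(flow: Flow, isp_mx: set = ISP_MX) -> str:
    """Return 'allow' or 'block' for a new outbound SYN under the proposed policy."""
    if flow.dport == 25:
        return "allow" if flow.dst in isp_mx else "block"
    # Port 587 (submission, where SMTP AUTH is enforced by the relay) and every
    # other port are left alone. That includes the ephemeral ports an
    # active-mode FTP transfer uses: a port number alone cannot tell a
    # "server" from a client, which is the point made in the post.
    return "allow"


def smtp_fanout_offenders(flows, window=60.0, threshold=20):
    """Customers opening > threshold distinct SMTP destinations in any window."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport in (25, 587):
            by_src[f.src].append((f.ts, f.dst))
    offenders = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):          # sliding window over time
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = len({d for _, d in events[lo:hi + 1]})
            if distinct > threshold:
                offenders[src] = max(offenders.get(src, 0), distinct)
    return offenders


# Constructed sample: one ordinary customer, one host spraying SMTP at 30 targets.
SAMPLE = [Flow(0.0, "203.0.113.10", "198.51.100.25", 25),   # to ISP relay: allowed
          Flow(1.0, "203.0.113.10", "192.0.2.7", 587),      # submission: allowed
          Flow(2.0, "203.0.113.10", "192.0.2.8", 25)]       # direct-to-MX: blocked
SAMPLE += [Flow(5.0 + i, "203.0.113.66", f"192.0.2.{100 + i}", 25) for i in range(30)]
```

Only the third flow is blocked by the port-25 rule, while the fan-out pass singles out 203.0.113.66 even though every one of its connections would also have been blocked, which is why the post treats monitoring as a separate measure.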

