On Sun, 17 Apr 2005, J.D. Falk wrote:
>
> On 04/17/05, John Kristoff <[EMAIL PROTECTED]> wrote:
>
> > > deny tcp any any range 135 139
> > > deny udp any any range 135 netbios-ss
> > > deny tcp any any eq 445
> > > deny udp any any eq 1026
> >
> > Similar as before, you are going to be removing some legitimate
> > traffic.
>
> Is this really true? All of the ports listed above are used by
> LAN protocols that were never intended to communicate directly
> across backbone networks -- that's why VPNs were invented.
And people use them all the time across the real Internet :( It's dumb, we
can argue about its 'correctness' or 'localness' or whatever until we are
blue in the face, but people still do it.
>
> Or, is your argument that some system somewhere MIGHT ignore the
> offical port numbers allocated by IANA and try to pass some
> other kind of traffic there instead?
>
Certainly, ssh over tcp/80 is common; other protocols can become agile as
well... People SHOULD use the IANA port numbers; in practice they don't
always abide by them :(
> > Perhaps set the rules to permit and log first, let it run for awhile
> > and then see what you'll be missing.
>
> Yep, this is always good advice. But don't give up just because
> of some naysayers rolling out the usual FUD. In the real world,
> security for the many outweighs the extremely unlikely edge cases
> of the few.
>
Or... use a system where your users can 'subscribe' to a 'better Internet'
(define 'better Internet' as you like)
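The "permit and log first, then see what you'd be missing" approach from the thread, as an added example (not code from anyone in the discussion): a small script that reads ACL log lines and tallies which logged flows the proposed deny rules (tcp/udp 135-139, tcp 445, udp 1026) would have dropped. The log lines are constructed here in Cisco IOS IPACCESSLOGP style; the regex is an assumption about that format.

```python
import re
from collections import defaultdict

# Ports the proposed ACL from the thread would deny.
# netbios-ss is port 139, so "range 135 netbios-ss" is 135-139.
DENY_PORTS = {
    "tcp": set(range(135, 140)) | {445},
    "udp": set(range(135, 140)) | {1026},
}

# Assumed shape of a "permit ... log" entry (IOS IPACCESSLOGP style).
LOG_RE = re.compile(
    r"list (?P<acl>\S+) permitted (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packet"
)

# Constructed sample log, not captured from a real router.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(3312) -> 192.0.2.10(445), 12 packets
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(3313) -> 192.0.2.11(139), 4 packets
%SEC-6-IPACCESSLOGP: list 101 permitted udp 203.0.113.9(1026) -> 192.0.2.12(1026), 1 packet
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.20(40022) -> 192.0.2.13(80), 250 packets
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(3314) -> 192.0.2.10(445), 3 packets
%SEC-6-IPACCESSLOGP: list 101 permitted udp 198.51.100.30(137) -> 192.0.2.14(137), 2 packets
"""

def would_be_dropped(lines):
    """Map (proto, dport) -> packets, distinct sources and distinct destinations
    for every logged flow that the proposed deny rules would have dropped."""
    hits = defaultdict(lambda: {"packets": 0, "sources": set(), "dests": set()})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ACL log line; ignore it
        proto, dport = m["proto"], int(m["dport"])
        if dport in DENY_PORTS[proto]:
            h = hits[(proto, dport)]
            h["packets"] += int(m["pkts"])
            h["sources"].add(m["src"])
            h["dests"].add(m["dst"])
    return dict(hits)

def report(lines):
    """Sorted rows of (proto/port, packets, #sources, #destinations)."""
    return sorted(
        (f"{proto}/{port}", v["packets"], len(v["sources"]), len(v["dests"]))
        for (proto, port), v in would_be_dropped(lines).items()
    )

if __name__ == "__main__":
    for pp, pkts, nsrc, ndst in report(SAMPLE_LOG.splitlines()):
        print(f"{pp:9} {pkts:6} packets  {nsrc} sources  {ndst} destinations")
```

Run it against a few days of real permit-log output and the rows with many distinct sources and destinations are the flows worth investigating before the rule is flipped to deny.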