RE: [fw-wiz] ISP firewalling of residential customers - was - About Port Forwarding, Apache and Firewall Rules

From: Paul D. Robertson (
Date: 09/02/04

  • Next message: Melson, Paul: "RE: [fw-wiz] Linux Firewall Distributions"
    To: Jonathan Rickman <>
    Date: Thu, 2 Sep 2004 11:36:20 -0400 (EDT)

    On Thu, 2 Sep 2004, Jonathan Rickman wrote:

    > By far, the best compromise is to filter at the customer end point. At least

    Some filtering there is "best," but endpoint compromise and out of zone
    control don't make it always the "best" place...

    > one fairly large ISP now ships a broadband gateway with the firewall

    Who? Which gateway? Configured with what policy?

    > preconfigured. The customer is free to alter the filters if so inclined, but
    > we all know that the default configuration will remain in place 99.9% of the
    > time. There is a risk of tech support calls with this just like any other
    > setup. However, this policy seems to me to be the most equitable across the

    That pretty much rocks.

    > board. The trick is getting the proper ruleset in place. For instance, the
    > aforementioned ISP did not enable outbound TCP 1494, which caused a problem
    > for telecommuters using Citrix without going through CSG. With the proper
    > research, this would have been avoidable. They also failed to put a workable
    > management system in place to remedy this problem. Both mistakes you should
    > take note of.

    Heck, I'm floored that someone's doing egress filtering by default! I
    would like to know who, their praises should be sung from the highest

    Paul D. Robertson "My statements in this message are personal opinions which may have no basis whatsoever in fact." Director of Risk Assessment TruSecure Corporation
    firewall-wizards mailing list

  • Next message: Melson, Paul: "RE: [fw-wiz] Linux Firewall Distributions"

    Relevant Pages