Re: [fw-wiz] The home user problem returns

From: David Lang
Date: 09/14/05

    To: Mason Schmitt
    Date: Tue, 13 Sep 2005 20:40:43 -0700 (PDT)

    On Tue, 13 Sep 2005, Mason Schmitt wrote:

    >> beside ingress and egress filtering, how much might ISP's suffer for
    >> correcting some of the windows network protocol errors by not passing
    >> ports 135-139, 445 and 5000 etc across perimeters? Or even allowing
    >> them to broadcast within the ISP's realm? Certainly would work to neuter
    >> the M$ issues to a low noise level would it not?
    > This is exactly the kind of ingress and egress filtering I'm talking
    > about. We've avoided, by having these filters in place, some fairly
    > nasty worm epidemics that wreaked havoc at other ISPs. None of the
    > traffic typically associated with those ports has any business
    > whatsoever moving beyond the confines of the home user's local network
    > or any LAN for that matter.
    > Again, for most networks, this is absolutely the wrong way to approach
    > the problem, but for an ISP, those filters and anti spoofing filters
    > have taken a big chunk out of the low hanging fruit.

    There is a fundamental problem with the idea that the ISP should be
    responsible for protecting the end-user: namely, real protection would
    mean that they only allow specific 'known good' things to work, but if
    you limit ALL users to just those existing known-good things you will
    block development of new things (both good and bad).

    Having filtering like this as an option (even as a default option) is a
    good thing, but deciding that it should be the ONLY option and that I
    shouldn't be able to get an unfiltered connection if I want one is
    something VERY different.

    An unfiltered connection should cost less than a filtered one from a
    technical point of view, but I can see that this would just encourage
    everyone to get the unfiltered connection, so I'm willing to pay the same
    rate as those who get filtered. What I'm not willing to do is have a
    $29/month cable modem connection turn into an $89/month connection just
    because I don't want the filtering and therefore have to buy a 'business'
    version of the same service.

    David Lang

    There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
      -- C.A.R. Hoare
    firewall-wizards mailing list
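The two filters the quoted exchange describes (dropping the Windows RPC/NetBIOS/SMB ports at the ISP perimeter, plus anti-spoofing on the customer side) and the per-customer opt-out David Lang argues for, modelled as a small packet classifier. This is an added example and not code from the thread or from any ISP's edge routers; the customer table, the prefixes (RFC 5737 TEST-NET ranges) and the sample packets are constructed for illustration.

```python
"""ISP-edge filter policy as a packet classifier: the NetBIOS/SMB port
block and anti-spoofing filters discussed in the thread, with the
per-customer opt-out David Lang asks for.

Added example, not code from the firewall-wizards thread or from any
ISP. Customer table, prefixes and sample packets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Ports the thread proposes to keep inside the customer LAN: 135-139
# (RPC endpoint mapper, NetBIOS session/name/datagram), 445 (SMB over
# TCP) and 5000 (the UPnP listener of that era). Matched on destination
# port for both TCP and UDP, in both directions.
LAN_ONLY_PORTS = frozenset(range(135, 140)) | {445, 5000}


@dataclass(frozen=True)
class Customer:
    name: str
    prefixes: Tuple[IPv4Network, ...]   # addresses assigned to this access port
    filtered: bool = True               # filtering is the default; opt-out is explicit


# Constructed access-port table (hypothetical). Keys are the access ports
# customer traffic arrives on; the Internet side is the single port "core".
CUSTOMERS = {
    "cust-a": Customer("cust-a", (ip_network("198.51.100.0/29"),), filtered=True),
    "cust-b": Customer("cust-b", (ip_network("198.51.100.8/29"),), filtered=False),
}


@dataclass(frozen=True)
class Packet:
    ingress: str    # access port name, or "core" for traffic from the Internet
    proto: str      # "tcp", "udp", ...
    src: str
    dst: str
    dport: int = 0


def customer_for(addr: str) -> Optional[Customer]:
    """Find the customer that owns an address (for core-to-customer traffic)."""
    ip = ip_address(addr)
    for cust in CUSTOMERS.values():
        if any(ip in p for p in cust.prefixes):
            return cust
    return None


def decide(pkt: Packet) -> str:
    """Return 'accept' or 'drop:<reason>' for one packet at the ISP edge."""
    if pkt.ingress in CUSTOMERS:
        cust = CUSTOMERS[pkt.ingress]
        # Anti-spoofing (BCP 38 style): a packet arriving on a customer port
        # must carry one of that customer's own source addresses. Enforced
        # even for opted-out customers, because spoofed traffic harms other
        # networks rather than the customer sending it.
        if not any(ip_address(pkt.src) in p for p in cust.prefixes):
            return "drop:spoofed-source"
    else:
        # From the Internet: the destination tells us whose policy applies.
        cust = customer_for(pkt.dst)
        if cust is None:
            return "drop:no-such-customer"

    # The opt-out: an unfiltered connection skips only the port block.
    if not cust.filtered:
        return "accept"

    if pkt.proto in ("tcp", "udp") and pkt.dport in LAN_ONLY_PORTS:
        return "drop:lan-only-port"
    return "accept"


def run_policy(packets):
    """Classify a batch; returns a list of (packet, verdict) pairs."""
    return [(p, decide(p)) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic (RFC 5737 TEST-NET addresses).
    samples = [
        Packet("cust-a", "tcp", "198.51.100.2", "203.0.113.10", 445),  # SMB out: dropped
        Packet("cust-a", "tcp", "10.0.0.5", "203.0.113.10", 80),       # spoofed: dropped
        Packet("cust-b", "tcp", "198.51.100.9", "203.0.113.10", 445),  # opted out: accepted
        Packet("cust-b", "tcp", "198.51.100.2", "203.0.113.10", 80),   # cust-a's address on cust-b's port: dropped
        Packet("core", "udp", "203.0.113.10", "198.51.100.2", 137),    # NetBIOS name service in: dropped
        Packet("core", "tcp", "203.0.113.10", "198.51.100.2", 443),    # HTTPS in: accepted
    ]
    for pkt, verdict in run_policy(samples):
        print(f"{pkt.ingress:>6} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

The design choice worth noting is that the opt-out covers only the port block: the anti-spoofing check still applies to the unfiltered customer, since a forged source address is never something that customer needs for their own "new things" to work. On real edge gear the same split is expressed as an interface ACL for the port block and unicast RPF (or an equivalent source-address ACL) for anti-spoofing; the classifier above only shows the decision logic.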
