[Dshield] Re: [Full-Disclosure] Port Blocking

Ed Truitt ed.truitt at etee2k.net
Fri Jun 27 19:01:47 GMT 2003


On Fri, 2003-06-27 at 12:09, Mrcorp wrote:
> I have been known for instigating, so here it goes...
> 
> What happened to the golden security rule of "Deny everything, except what is truley needed."  I
> mean most ISP's User Agreements state that you are not allowed to run web servers, email servers
> and etc.  Therefore, only port a few ports ike TCP 80, 445 and perhaps one or two more are really
> needed.
> 
> The second thought is, what if ISPs were like cable companies.  What if they only allowed specific
> ports (like channels) that they seem appropriate to their users???  
> 
> Mrcorp

#1 does like a good idea in general, EXCEPT that the ISP would have to
take care not to break software that was dependent on a particular
port.  For example, some software might well require Port 80 inbound to
be open in order to work (programs that use Web Services for
application-to-application transfer, for example).  I have found some
software (stamps.com, for example) to fail on my systems, due to
configuration of proxy servers and the like.  Take the proxy server out
of the look, and voila! it works again!  BTW, this is one reason that
Web Services uses Port 80 - it is more likely to be open through
firewalls!

#2 is an interesting thought, but a scary slippery slope.  On the "pro"
side, basic "end user" Internet access could be fairly cheap, so long as
you wanted the "basic" service.  If you wanted "premium" services (e.g.
the ability to run your own mail/web server, static IP address, etc.)
then you could pay extra.  One would have to be careful, lest the
companies take unfair advantage of their customers ("You want to run
Linux?  That'll be extra.  FreeBSD?  Ka-CHING!").

On the "scares the hell out of me" side, what if all the ISPs got
together, and decided to only offer the same menu?  What if NOBODY could
run their own Web or SMTP or LDAP server, or what if they HAD to run
only a certain OS? Such extreme restrictions are not uncommon in the US
- look at how CCRs (more commonly known as "deed restrictions") have
almost killed off the hobby of ham radio in certain areas, and are
specifically crafted to protect certain commercial interests ("cable
TV", for one).  Diversity is good: it provides us choice.

Also, what if they decided to use a common rating system/censorware to
block access to Web sites THEY deemed "unacceptable"?  What if this were
done at the Government's insistence?  This is already the case (in a
limited way) in some states in the US, and is a common practice in some
countries, so the door is already open. 

As to that "golden rule" you mentioned at the start, I implement it on
my own firewalls.  Unfortunately, because the "suckiness index" of the
firewalls built into most consumer-oriented routers is so durn high, I
have to implement it on each system.  More of a pain in the butt than a
single choke point at the router, but it works.  (yes, I know I can
implement a firewall/router on a cheap Linux '386 box, but I already
have my home segmented into a "server" (DMZ) and a "client" (NAT)
network - I don't want to get into sub-netting!)

-- 
---
Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."




More information about the list mailing list