[nSLUG] Off Topic: ISP filtering

bdavidso at supercity.ns.ca bdavidso at supercity.ns.ca
Sat Mar 13 01:55:41 AST 2004


There was a discussion here recently about Eastlink's policy of blocking
TCP port 25, ingress and egress, messing up some people's local mail
servers.  I can go back and forth on the benefits and problems of that
decision, but that isn't exactly what I want to discuss here.

As you may know, I am the admin for a small local ISP (dialup).  I'm also
a Linux user, and generally have always had the feeling that if I buy
Internet access, then I want Internet access, dammit.  No filtering, NAT,
or other crap in the way.  And that is the way we operate -- when our
users dial in, they get a live Class C address on the Internet.  I have no
control over our immediate upstream router (it's "managed" by our
provider), and I haven't poked at it with nmap and such, but I think it is
pretty much wide open.

However, the environment out there has become more and more nasty, and is
causing more and more problems for naive users.  I can't police how users
configure and operate their machines, but I have to help them fix them
when there is a problem, which eats into my day when I could be doing
something useful or at least wasting my time in a manner of my choosing.
When users have problems caused by their own stup^H^H^H^Hinexperience I
don't mind saying "Bring the machine into the office and I'll fix it at
our usual service rate", remove BonziBuddy and assorted spyware, remove
viruses, install Windows updates, install AVG anti-virus, generally tune
things up, and charge them a fraction of what my time is worth but enough
that they will be more careful next time.

However, users are beginning to experience problems that really are not
their fault.  Here is an example, by no means unique:

One of my co-workers bought a brand new computer for his son.  He
installed WinXP, configured it to dial into our service, connected, and
clicked on Windows Update.  It did the usual, downloaded the latest
Windows Update software, scanned the machine for available updates, and
informed hime that he needed about 18-20 critical updates amounting to 30
or so MB.  Realizing how long that would take over 56K dialup, he said
"Screw it, I'll take it into the office in the morning and use our DSL
connection to get the updates."  So he was online maybe, what... ten

Of course, our office network is protected by a Linux box running iptables
(which is also my desktop box, an AMD K6/2-500, and works great).  So he
brought the machine into the office and connected it to our network, but
when he was trying to install the windows updates some of them didn't
install.  Then he installed Norton Antivirus but it wouldn't start.  I had
a look and quickly determined that the machine was infected with a worm,
which he must have got while connected to our dial-up network.  It took a
while to figure out what the worm was and figure out how to fix it
(Symantec said "Download the latest virus definitions and scan" but since
the scanner wouldn't run that was impossible.  Plus regedit wouldn't
run.).  So we wasted a couple of hours eradicating the damn thing from the

And this isn't the first time.  I was recently working on a customer's
machine that was infected with a worm.  I got rid of the worm, then dialed
up to download windows updates, but before I could download even one
update the computer was re-infected.

So... Here's my dilemma.  I'm thinking about the benefits of putting our
dialup clients behind a firewall, not unlike what I use in our office.  I
know some of you are probably saying "What?!  Your customers are not
firewalled already?"  Well, see my second para above.  Besides, I didn't
design this network, and I don't blame the guy who did.  A few short years
ago the stuff I mentioned above was unheard of, but now it is common.
Unprotected machines are being scanned, probed, poked with a stick, and
generally infected at an alarming rate.  Users don't install vendor
updates, be it for their OS or their virus scanner.  Most don't even know
what spyware is, although a large percentage of problems I fix are related
to spyware fscking the fragile windows network stack.

Of course, filtering our network will not eliminate spyware or viruses.
We already do a good job eliminating email-borne viruses unless the
clients expose themselves to alternate infection vectors (hotmail etc.,
p2p stuff, IRC), and we still generally catch the viruses they send.
(In fact I have one user whose machine is infected with Klez -- I know it,
and he knows it because I keep telling him, and I know he got my emails
because they aren't in his mailbox, and I forwarded him dozens of "Virus
Alert" messages that I get when our mail server intercepts viruse that his
machine is sending, but he won't answer me or do anything about it.  It
may be time to block all his email access until he calls the office...)

Sorry this is so long, but I wanted to give you all the background.  You
people tend to be hard-core give-me-internet-or-give-me-death types, and I
am looking for some feedback. Why should I NOT do this?  Why SHOULD I do
this?  If I do it, what should I look for / worry about?  What inbound
ports should I leave open?  What outbound ports should I block?  Imagine
my typical client as a penurious little old lady who sends a lot of email
daily to her family, friends, and church, and gets email daily from the
above plus some mailing lists and commercial sites, and who surfs a little
porn, and who has a mild gambling habit, and does online banking, and uses
those infernal chat programs like MSN, Yahoo, etc., and uploads stuff to
her website via ftp, and, umm, you get the picture.  "General use"  Would
this be a Good Thing (sorry, Martha)?  Would this be a Bad Thing?  Can it
be essentialy transparent to the users unless they are running some
unusual or obscure VPN-type thingy?

All opinions welcome, though this isn't actually a troll as such.

Bill Davidson
bdavidso at supercity.ns.ca

More information about the nSLUG mailing list