[nSLUG] Off Topic: ISP filtering

M Taylor mctylr at privacy.nb.ca
Sat Mar 13 12:19:20 AST 2004


On Sat, Mar 13, 2004 at 01:55:41AM -0400, bdavidso at supercity.ns.ca wrote:
> 
> As you may know, I am the admin for a small local ISP (dialup).  I'm also
> a Linux user, and generally have always had the feeling that if I buy
> Internet access, then I want Internet access, dammit.  No filtering, NAT,
> 
> However, the environment out there has become more and more nasty, and is
> causing more and more problems for naive users.  I can't police how users
> configure and operate their machines, but I have to help them fix them

I would strongly recommend by default putting your customers behind a
simple port-filtering firewall. Filter tons of incoming ports (from
smtp, ftp, www, dns, dhcps to snmp and netbios) and a few outgoing (smtp and
Windows networking (135-139, 445) and maybe rpc). Actually, I'm tempted to
strongly suggest that users cannot opt out of the outgoing filters...

Give users a free opt-out of the filtering with the CLEAR understanding
that any annoyance from an opted-out machine is billable ($50-75/h) at the
FIRST instance of hassle/trouble of a virus/worm/spam-relay clean-up.

This should keep 95% of your customers happy, and safer, by default while
giving that noisy 5% the freedom if they are willing to truly bear the
cost burden of cleaning up their mess if they don't keep their machine
secure. I see it as a net gain for most of your users (less impact if
there are few infected machines as well as less chance of becoming
infected themselves), and those that are experienced/cocky enough to
ride the Internet in the 'nude' can do so.

I have seen too many dial-up users, including a computer programmer and
Linux user, who skip downloading security patches via dial-up since it is
so slow given the size of the patches these days, and they have a false
sense of security because of their slow connection and somewhat limited
amount of time they are connected. Dial-up machines get just as infected
by worms; I don't know of any worms that skip dial-up machines, and since they
all attack random IP addresses, the user is still at risk. So I expect
it would be a bonus for nearly 95% of your users.

Sorry for breaking into a rant there...

That's my 2 cents. 
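Added example (not part of the original message or written by its author): a small Python model of the default-filter-with-opt-out policy sketched above. The port lists are the ones the post names (incoming smtp, ftp, www, dns, dhcp server, snmp and netbios; outgoing smtp, Windows networking 135-139/445 and rpc). The customer pool 192.0.2.0/24, the opted-out host 192.0.2.77, the chain names and the choice that an opt-out lifts only the inbound filters are assumptions made for illustration; the function renders iptables rules as text and applies nothing.

```python
"""Model of the per-customer default filtering policy described in the post.

Constructed example. Port lists follow the message; customer addresses,
chain names and the opt-out scope are assumptions for illustration only.
"""
from ipaddress import ip_address, ip_network

# Inbound (Internet -> customer) ports the post says to filter by default.
INBOUND_BLOCKED = [
    ("tcp", 25),                              # smtp
    ("tcp", 21),                              # ftp control
    ("tcp", 80),                              # www
    ("udp", 53), ("tcp", 53),                 # dns
    ("udp", 67),                              # dhcp server
    ("udp", 161), ("udp", 162),               # snmp and traps
    ("tcp", (135, 139)), ("udp", (135, 139)), # netbios
    ("tcp", 445), ("udp", 445),               # smb over tcp
]

# Outbound (customer -> Internet) ports: stops an infected host relaying
# spam or scanning other people's Windows shares.
OUTBOUND_BLOCKED = [
    ("tcp", 25),                              # smtp
    ("tcp", (135, 139)), ("udp", (135, 139)), # Windows networking
    ("tcp", 445), ("udp", 445),
    ("tcp", 111), ("udp", 111),               # rpc portmapper ("maybe rpc")
]


def _matches(rule, proto, dport):
    """True if (proto, dport) falls under one (proto, port-or-range) rule."""
    rproto, rport = rule
    if rproto != proto:
        return False
    if isinstance(rport, tuple):
        lo, hi = rport
        return lo <= dport <= hi
    return dport == rport


def decide(direction, proto, dport, opted_out=False):
    """Return 'ACCEPT' or 'DROP' for a new connection touching a customer host.

    direction is 'in' (Internet -> customer) or 'out' (customer -> Internet).
    Assumption: the opt-out lifts only the inbound filters; the outbound ones
    stay in place for every customer.
    """
    if direction == "in":
        if opted_out:
            return "ACCEPT"
        table = INBOUND_BLOCKED
    elif direction == "out":
        table = OUTBOUND_BLOCKED
    else:
        raise ValueError(f"unknown direction {direction!r}")
    return "DROP" if any(_matches(r, proto, dport) for r in table) else "ACCEPT"


def iptables_rules(customer_pool, opted_out_hosts=(),
                   chain_in="CUST_IN", chain_out="CUST_OUT"):
    """Render the policy as iptables FORWARD-chain commands (text only).

    Opted-out hosts get a RETURN ahead of the inbound DROP rules, so they
    skip the inbound filter while the outbound filter still applies to them.
    """
    pool = ip_network(customer_pool)
    for host in opted_out_hosts:
        if ip_address(host) not in pool:
            raise ValueError(f"{host} is not inside the customer pool {pool}")
    lines = [
        f"iptables -N {chain_in}",
        f"iptables -N {chain_out}",
        f"iptables -A FORWARD -d {pool} -j {chain_in}",
        f"iptables -A FORWARD -s {pool} -j {chain_out}",
    ]
    for host in opted_out_hosts:
        lines.append(f"iptables -A {chain_in} -d {host} -j RETURN")
    for chain, table in ((chain_in, INBOUND_BLOCKED), (chain_out, OUTBOUND_BLOCKED)):
        for proto, port in table:
            spec = f"{port[0]}:{port[1]}" if isinstance(port, tuple) else str(port)
            lines.append(f"iptables -A {chain} -p {proto} --dport {spec} -j DROP")
    return lines


if __name__ == "__main__":
    # Constructed pool and opted-out host, chosen from documentation space.
    for line in iptables_rules("192.0.2.0/24", opted_out_hosts=["192.0.2.77"]):
        print(line)
```

The decide() function is the policy the post describes in one place, so it can be checked against a few packets before anything touches a live box; the rendered rules are only a starting point, since a real deployment would also need state tracking so that replies to the customer's own outbound connections are not caught by the inbound DROPs.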


