[nSLUG] Re: Off Topic: ISP filtering

Mike mspencer at tallships.ca
Sun Mar 14 03:48:34 AST 2004

bdavidso at supercity.ns.ca wrote:

> I...generally have always had the feeling that if I buy Internet
> access, then I want Internet access, dammit.  No filtering, NAT, or
> other crap in the way.

Same here.

> However, the environment out there has become more and more nasty...

On my dialup, I see dozens, sometimes hundreds of probes per hour
evening and night. Some individual probers hammer away on one or
several ports hundreds of times.

Subsequently, M Taylor <mctylr at privacy.nb.ca> wrote:

mctylr> I would strongly recommend a by default put your customers
mctylr> behind a simple port filtering firewall....
mctylr> Give users a free opt-out of the filtering with the CLEAR
mctylr> understanding that any annoyance from an opt-out'ed machine is
mctylr> billable ($50-75/h) at the FIRST instance of hassle/trouble of
mctylr> a virus/worm/spam-relay clean-up.

Something like that.  No one in h{is,er} right mind is going to agree
to indemnify you against any costs you chose to allege in return for
"real internet".

I would suggest a "Safe Internet" service that blocks all incoming
connections except ftp data (associated with a user-initiated session)
and ICMP (mandated by RFC), all outgoing connections known to be
associated with malware and intrusion, possibly including port 25.
Subject to change, up to date details posted on yr website.  Free
fix(es) of infection at your discretion.

The "Real Internet" service would block nothing but be subject to
shut-off without notice if/when credible evidence of harmful activity
or wrongdoing is detected.  Burden for proof of corrective measures
taken to be on the user before re-instatement.  If the user is unable to
deal with the problem or clueless, then (s)he pays you to diagnose and

The problem I see with my own suggestion is how to make and implement
a liberal but still effective definition of "harmful activity or

Cases in point:

    I recently managed to make a valuable contact by telnet direct
    to an MX host on port 25 and doing hand protocol to send mail
    after ordinary mail bounced repeatedly.

    I occasionally ping one or more distant hosts to see if failure to
    raise a response from a desired IP address is general net failure
    or local to the desired destination.

    I occasionally fire up an ftp server so someone can grab some
    files from me by appointment, then shut it down again.

    I occasionally portscan a remote machine that is hammering me with
    obvious intrusion probes when I think it may help me to alert an
    admin or LART a spammer.

Etc.  I'm sure y'all have other examples.  I would get into a snit if
my ISP shut me down because I do such things.

The "Herman Toong" <herman_toong at hotmail.com> added:

ht> Offer two services: One protected and one not. Figure out how to
ht> make it clear that even the protected version comes with promise
ht> that customers who do get infected are entitled to a free fix.

Did you mean "ONLY the protected version comes with promise"?

For me personally, it's easy:  I want a real connection to the net.  I
have Linux, iptables, visible modem blinkenlights and other stuff.

For an ISP with 98+% Windoes users, it's not easy.  But that's a cost
of making the net work, where everything is permitted that is not
explicitly forbidden.  It would all be easier if we had a nice, tidy
police state where everything is forbidden that is not explicitly
permitted.  Shudder.

- Mike

Michael Spencer                  Nova Scotia, Canada       .~. 
mspencer at tallships.ca                                     /( )\
http://home.tallships.ca/mspencer/                        ^^-^^
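An added example (not part of Mike's post or the list thread): one way to render the "Safe Internet" default policy he sketches as an iptables ruleset on a Linux gateway that forwards a customer's traffic. The interface name, the outbound block list and the echo-based dry run are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: iptables rules for the
# "Safe Internet" tier (inbound blocked except ftp data and ICMP, selected
# outbound ports blocked, possibly including 25) on a per-customer gateway.
# Assumptions: customer traffic is forwarded via CUST_IF; the script prints
# the rules unless IPT=iptables is set, so it previews safely without root.
IPT="${IPT:-echo}"
CUST_IF="${CUST_IF:-eth1}"
# Operator-maintained outbound block list (constructed sample values, not a
# claim about which ports carry malware today); 25 is the post's "possibly".
BLOCK_OUT_TCP="${BLOCK_OUT_TCP:-135 139 445 25}"

# $1 is the command used to install rules ("echo" for a dry run).
safe_internet_rules() {
  ipt="$1"
  $ipt -P FORWARD DROP
  $ipt -F FORWARD
  # Tag control connections to port 21 so the ftp helper (nf_conntrack_ftp,
  # assumed loaded) marks the server-initiated data connection as RELATED.
  $ipt -t raw -A PREROUTING -i "$CUST_IF" -p tcp --dport 21 -j CT --helper ftp
  # Anything the customer initiated, and its replies, passes both ways; this
  # is what lets inbound ftp data through while other unsolicited inbound fails.
  $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Unsolicited inbound: only ICMP reaches the customer, and only at a rate
  # that keeps a ping flood from being forwarded wholesale.
  $ipt -A FORWARD -o "$CUST_IF" -p icmp -m limit --limit 10/s -j ACCEPT
  $ipt -A FORWARD -o "$CUST_IF" -j DROP
  # Outbound: reject the listed ports so the customer's software sees an
  # immediate error rather than a silent timeout; everything else goes out.
  for port in $BLOCK_OUT_TCP; do
    $ipt -A FORWARD -i "$CUST_IF" -p tcp --dport "$port" \
      -j REJECT --reject-with tcp-reset
  done
  $ipt -A FORWARD -i "$CUST_IF" -j ACCEPT
}

# Sanity check: how many outbound REJECT rules the policy would install.
count_outbound_blocks() {
  safe_internet_rules echo | grep -c -- '-j REJECT'
}

safe_internet_rules "$IPT"
```

Opting a customer into the "Real Internet" tier is then just not attaching this chain to their interface, which keeps the two services a configuration difference rather than separate infrastructure.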

