Re: ACS "tech support"

From: damien hull <dhull@digitaloverload.net>
Date: Mon Mar 21 2005 - 17:49:28 AKST

The filtering that ACS has is too restrictive for me. GCI gives you an
Internet connection to do with as you please. If I want I can put up my
own mail server. You can't do that on ACS.

There also seems to be filtering of SSH. I tried to connect to a client's
server and wasn't able to connect. I'm on GCI and they are on ACS.

I've also had to change my email settings. I had Internet through Custom
CPU which is just reselling ACS DSL. I was unable to send email through
my mail server on the net. I had to use Custom CPU's mail server.

For most users the filters that ACS has in place won't matter. They just
want to surf the net and check email. However, filtering of any kind
could block things that clients want access to.

In my case I need to port scan and connect through SSH. I can't seem to
do that on ACS. This would indicate to me that a lot more is being
filtered than what you are suggesting or something is configured wrong.
I think most of the blame should go to ACS but the Internet's a big
place. It could be getting filtered before I even get to the ACS
network.

SSH is on port 22 hint, hint...

Keeping the ACS network secure should not affect what clients can do on
the Internet. If ACS wants to keep their servers safe they should put
them behind a firewall and leave the rest of the network wide open. If
filtering the Internet is something they feel they need to do it should
be stated in the service plan.

On Mon, 2005-03-21 at 15:07 -0900, Royce Williams wrote:
> On Mon, 21 Mar 2005, damien hull wrote:
>
> > ACS filters their traffic and blocks a lot of things. I tried port
> > scanning a client's network and got back a lot of "filtered" replies. The
> > client was on GCI so I called tech support and they told me they don't
> > filter anything. That's when I realized the problem was ACS.
> >
> > I'm on GCI now.
>
> Clearly, I do not speak for my employer, but I figured I'd take the
> bait here as an individual.
>
> First, the filtering that Damien's describing and the IP block that
> Joshua is experiencing are of different kinds: the former is
> network-based and probably at our borders, and the latter is
> application-based and solely an MTA configuration.
>
> Second, Damien -- if you were just doing the port scan to see what was
> running, then yes, unfortunately, you will not be able to probe your
> client's network remotely in order to determine whether or not they
> have anything listening on those ports. This is a side-effect of the
> filtering, and there's not a lot that can be done to work around it
> other than initiating the port scan from somewhere topologically
> closer to your client.
>
> If, however, your client actually has/had some service running on some
> port that isn't widely exploited and that's perfectly safe running
> over the public Internet, I'd be very interested in hearing the
> specifics about it. While I'm not in charge of our network-level
> filtering, I can certainly mention any problems to those who are.
>
> As I understand it, ACS is only blocking the 135-139 known Microsoft
> stuff, MS SQL on port 1433, and a couple of other widely-exploited
> ports -- all stuff that people stop doing over the public Internet
> once they understand the implications.
>
> In other words, if your scan wasn't just for general scanning
> purposes, and your client is/was doing any of those things over the
> public Internet, you probably should have advised them to stop doing
> it, IMHO. Again, this only applies if your scan wasn't just generic.
>
> With the rate of infection out there, ACS has had to start filtering
> on the major attack-vector ports out of sheer self-defense. Frankly,
> if GCI isn't doing this kind of forwarding, they must get a lot of
> complaints about spam originating from systems infected in their
> customer base. If you follow what the big ISPs are having to do to
> reduce how much spam they're spewing, ACS's blocking of NetBIOS, etc.
> is peanuts compared to what some have had to do.
>
> -royce
>
> --
> Royce D. Williams - IP Engineering, ACS
> personal: [first]@alaska.net - PGP: 3FC087DB/1776A531
> work: [first.last]@acsalaska.net - http://www.tycho.org/royce/
>
>

Received on Mon Mar 21 17:49:42 2005