Re: ACS "tech support"

From: Royce Williams <royce@alaska.net>
Date: Mon Mar 21 2005 - 18:44:45 AKST

On Mon, 21 Mar 2005, damien hull wrote:

> The filtering that ACS has is too restrictive for me. GCI gives you an
> Internet connection to do with as you please. If I want I can put up my
> own mail server. You can't do that on ACS.

Again, speaking for myself only (this is always true, even if I don't
disclaim it as such):

May I ask you to clarify what you mean by "can't"?

I'm not aware of anything that currently prohibits inbound port 25
traffic to any of our space. IIRC (#include disclaimer.h), ACS
recommends that folks get a static or other business-grade
connectivity to run server stuff, but there's nothing that prevents
Joe Dynamic from doing low-volume SSH, SMTP, "Hey, hit my Gallery at
dyndns.example.net:8080," or something similar. ACS probably does not
guarantee anywhere that such things will always work (I don't know),
but it works today.

> There also seems to be filtering of SSH. I tried to connect to a client's
> server and wasn't able to connect. I'm on GCI and they are on ACS.

I've never had any problem SSHing to/from any system anywhere, with
ACS space as either the client or the server. I'm pretty sure that ACS
is not touching SSH in any way.

> I've also had to change my email settings. I had Internet through Custom
> CPU which is just reselling ACS DSL. I was unable to send email through
> my mail server on the net. I had to use Custom CPU's mail server.

Again, I'd have to get more specifics, but I'm intimately familiar
with the ACS mail setup, since I built and maintain the servers that
handle our mail, and was the sole person working the abuse queue for
six months in 2001.

I'm personally interested in getting to the bottom of this. If one is
coming from ACS IP space, one should be able to use ACS mail servers.
Find me some IP space that ACS "owns" that can't relay, and I'll find
out why and fix it on the ACS side, if that's where the problem lies.

In other words, put your packets where your mouth is. :) Give the
AKLUG list the specifics instead of a generalized "ACS is filtering
some stuff" claim. Let's see if others can reproduce the same
behavior that you're seeing. If it's something borked on the ACS
side, I'll direct the information to the appropriate people.

> For most users the filters that ACS has in place won't matter. They just
> want to surf the net and check email. However, filtering of any kind
> could block things that clients want access to.

True. It's a trade-off. I believe that ACS has done a fair job of
blocking only the things that reasonably informed people would want to
have blocked anyway.

> In my case I need to port scan and connect through SSH. I can't seem to
> do that on ACS. This would indicate to me that a lot more is being
> filtered than what you are suggesting or something is configured wrong.
> I think most of the blame should go to ACS but the Internet's a big
> place. It could be getting filtered before I even get to the ACS
> network.
>
> SSH is on port 22 hint, hint...

Yeah, I'm familiar. Show me an SSH session that's breaking, and I'll
show you that it's not due to deliberate filtering on the ACS side (or
find out why no one told me about it), and work with you until we
determine where the problem lies -- and I'm strongly suspecting that
such a failure has a non-ACS reason.

> Keeping the ACS network secure should not affect what clients can do
> on the Internet.

> If ACS wants to keep their servers safe they should put them behind
> a firewall and leave the rest of the network wide open.

We're not just talking about servers here. In today's world, there are
ISPs who have 20K+ zombified botnet-enslaved customers. The problem is
getting so bad that ISPs are starting to have to block entire
superblocks (bigger than /24) to protect themselves from other ISPs
who cannot sufficiently stop their own spewing. It's only getting
worse.

I personally would love to return to the days when everyone ran an
open relay, but it's no longer feasible, IMO.

> If filtering the Internet is something they feel they need to do it
> should be stated in the service plan.

It's reasonable for ACS to act to protect the integrity of its systems
and its other customers. According to dshield.org at this writing,
the expected survival time before infection of an unpatched Windows
box on the Internet is 28 minutes. I've seen it as low as 12.

What's more, an ISP's entire network -- not just a couple of /24s but
an entire ARIN allotment, affecting every customer that we have -- can
be blackholed in such an environment because of the infection of just
a few well-connected customers. As the botnet problem grows, this is
happening more and more often, shifting the burden over to the ISPs to
more vigorously police what comes out of their own networks.

In that light, I think that ACS has tried to balance the need to
protect their own infrastructure with customer usability.

And just so everyone knows ... I have Mondays off. :)

-royce

--
Royce D. Williams                                  - IP Engineering, ACS
personal: [first]@alaska.net                    - PGP: 3FC087DB/1776A531
work: [first.last]@acsalaska.net           - http://www.tycho.org/royce/
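Added example, not part of the mailing-list post above: a small probe that turns a "they're filtering SSH" report into something others on the list can reproduce. For each host and port it records whether the TCP connection opened, was refused, was reset, or timed out, how long that took, and any greeting banner the service sent. A refusal or reset shows the packets reached a host that answered; a timeout is what a drop-style filter (or an unplugged host) looks like from outside, which is why a second vantage point matters. The hosts, ports and timeouts are assumptions chosen for illustration, and the self-check listener's banner is constructed, not a real server's.

```python
"""Reproducible TCP reachability probe (added example; hosts/ports are assumptions)."""
import contextlib
import errno
import socket
import sys
import threading
import time
from dataclasses import dataclass

CONNECT_TIMEOUT_S = 5.0   # assumption: generous enough for a WAN round trip
BANNER_TIMEOUT_S = 2.0    # SSH and SMTP greet first; other services may not


@dataclass
class ProbeResult:
    host: str
    port: int
    verdict: str        # open | refused | reset | timeout | unreachable | error
    elapsed_ms: int
    detail: str = ""    # banner when open, otherwise the exception text


def classify(exc: BaseException) -> str:
    """Map a socket exception to a coarse verdict a list reply can quote."""
    if isinstance(exc, (socket.timeout, TimeoutError)):   # nothing answered: drop-style filter or dead host
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):            # host answered, no listener on that port
        return "refused"
    if isinstance(exc, ConnectionResetError):              # host answered, then tore the session down
        return "reset"
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"                               # a router along the path said no
    return "error"                                         # DNS failure and anything else


def probe(host: str, port: int, timeout: float = CONNECT_TIMEOUT_S) -> ProbeResult:
    """Attempt one TCP connection and grab a banner if the service sends one."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(min(timeout, BANNER_TIMEOUT_S))
            try:
                banner = s.recv(128).decode("ascii", "replace").strip()
            except OSError:  # no unsolicited greeting; the port still counts as open
                banner = ""
        verdict, detail = "open", banner
    except OSError as exc:
        verdict, detail = classify(exc), repr(exc)
    elapsed_ms = int((time.monotonic() - start) * 1000)
    return ProbeResult(host, port, verdict, elapsed_ms, detail)


def format_report(results) -> str:
    """One line per probe, suitable for pasting into a reply to the list."""
    return "\n".join(
        f"{r.host}:{r.port:<5} {r.verdict:<11} {r.elapsed_ms:>5} ms  {r.detail}"
        for r in results
    )


@contextlib.contextmanager
def local_service(banner: bytes = b"SSH-2.0-constructed_banner\r\n"):
    """Throwaway listener on 127.0.0.1 greeting with a constructed banner.

    Only used by the offline self-check, so the example runs without
    touching anyone else's network.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5.0)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)
        except OSError:
            pass

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        yield port
    finally:
        srv.close()
        worker.join(timeout=5.0)


def demo_local():
    """Self-check: the same port reads 'open' with a listener and 'refused' without."""
    with local_service() as port:
        while_listening = probe("127.0.0.1", port, timeout=2.0)
    after_close = probe("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    if len(sys.argv) >= 3:  # e.g. python probe.py dyndns.example.net 22 25 8080
        host, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
        print(format_report(probe(host, p) for p in ports))
    else:
        print(format_report(demo_local()))
```

Run it from both the GCI and the ACS side against the same server and compare the two reports: if one side sees "open" or "refused" while the other sees "timeout" for the same port, the difference lies somewhere on the path, and the elapsed time and error text give the person chasing it something concrete to work from.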
Received on Mon Mar 21 18:44:45 2005

This archive was generated by hypermail 2.1.8 : Mon Mar 21 2005 - 18:44:45 AKST