Re: ACS "tech support"

From: W.D.McKinney <deem@wdm.com>
Date: Mon Mar 21 2005 - 18:47:09 AKST

On Mon, 2005-03-21 at 17:49 -0900, damien hull wrote:
> The filtering that ACS has is too restrictive for me. GCI gives you an
> Internet connection to do with as you please. If I want I can put up my
> own mail server. You can't do that on ACS.
>

Hmm.. My business has been on an ACS Internet connection for some time.
The only issue has been with sales dept. and no returned phone calls.
The IP service has been fine, and yes we run e-mail services on the
connection as well as other apps that require certain ports available.

> There also seems to be filtering of SSH. I tried to connect to a client's
> server and wasn't able to connect. I'm on GCI and they are on ACS.
>

Hmm I have not had any issue with port filtering with ssh? Do you have a
log?

> I've also had to change my email settings. I had Internet through Custom
> CPU which is just reselling ACS DSL. I was unable to send email through
> my mail server on the net. I had to use Custom CPU's mail server.
>

Really? This sounds like an MTA configuration issue, not ACS Internet's
problem.

> For most users the filters that ACS has in place won't matter. They just
> want to surf the net and check email. However, filtering of any kind
> could block things that clients want access to.
>
> In my case I need to port scan and connect through SSH. I can't seem to
> do that on ACS. This would indicate to me that a lot more is being
> filtered than what you are suggesting or something is configured wrong.
> I think most of the blame should go to ACS but the Internet's a big
> place. It could be getting filtered before I even get to the ACS
> network.
>
> SSH is on port 22 hint, hint...
>

I have SSH to all my servers available at any port I set it to? Where
did you get this idea?

> Keeping the ACS network secure should not affect what clients can do on
> the Internet. If ACS wants to keep their servers safe they should put
> them behind a firewall and leave the rest of the network wide open. If
> filtering the Internet is something they feel they need to do it should
> be stated in the service plan.
>

Agreed, but I have NetExpress and I don't have any problems at all.

Dee

> On Mon, 2005-03-21 at 15:07 -0900, Royce Williams wrote:
> > On Mon, 21 Mar 2005, damien hull wrote:
> >
> > > ACS filters their traffic and blocks a lot of things. I tried port
> > > scanning a client's network and got back a lot of "filtered" replies. The
> > > client was on GCI so I called tech support and they told me they don't
> > > filter anything. That's when I realized the problem was ACS.
> > >
> > > I'm on GCI now.
> >
> > Clearly, I do not speak for my employer, but I figured I'd take the
> > bait here as an individual.
> >
> > First, the filtering that Damien's describing and the IP block that
> > Joshua is experiencing are of different kinds: the former is
> > network-based and probably at our borders, and the latter is
> > application-based and solely an MTA configuration.
> >
> > Second, Damien -- if you were just doing the port scan to see what was
> > running, then yes, unfortunately, you will not be able to probe your
> > client's network remotely in order to determine whether or not they
> > have anything listening on those ports. This is a side-effect of the
> > filtering, and there's not a lot that can be done to work around it
> > other than initiating the port scan from somewhere topologically
> > closer to your client.
> >
> > If, however, your client actually has/had some service running on some
> > port that isn't widely exploited and that's perfectly safe running
> > over the public Internet, I'd be very interested in hearing the
> > specifics about it. While I'm not in charge of our network-level
> > filtering, I can certainly mention any problems to those who are.
> >
> > As I understand it, ACS is only blocking the 135-139 known Microsoft
> > stuff, MS SQL on port 1433, and a couple of other widely-exploited
> > ports -- all stuff that people stop doing over the public Internet
> > once they understand the implications.
> >
> > In other words, if your scan wasn't just for general scanning
> > purposes, and your client is/was doing any of those things over the
> > public Internet, you probably should have advised them to stop doing
> > it, IMHO. Again, this only applies if your scan wasn't just generic.
> >
> > With the rate of infection out there, ACS has had to start filtering
> > on the major attack-vector ports out of sheer self-defense. Frankly,
> > if GCI isn't doing this kind of forwarding, they must get a lot of
> > complaints about spam originating from systems infected in their
> > customer base. If you follow what the big ISPs are having to do to
> > reduce how much spam they're spewing, ACS's blocking of NetBIOS, etc.
> > is peanuts compared to what some have had to do.
> >
> > -royce
> >
> > --
> > Royce D. Williams - IP Engineering, ACS
> > personal: [first]@alaska.net - PGP: 3FC087DB/1776A531
> > work: [first.last]@acsalaska.net - http://www.tycho.org/royce/
> >
> >

Received on Mon Mar 21 18:47:12 2005
