It is your own decision what ports you block to protect your customer and yourself.
You CAN block port ranges in MikroTik routers, but not protocol ranges.
So you need a separate rule for UDP and TCP each with the range.
Dutch ISP XS4ALL offers its customers customizable firewall settings. Customers can choose the level of protection they want through their support portal. This ranges from Level 0 (all ports open) to Level 4, where all the ports that are susceptible to abuse are blocked (i.e. 25, 53, 136, 137, 139, etc.). https://www.xs4all.nl/service/diensten/beveiliging-en-veiligheid/installeren/hoe-zet-ik-poortbeveiliging-aan.htm (Click on “Actief beveiligde poorten bij XS4ALL” (near the bottom of the page) for a detailed overview.)
I don’t understand what you mean.
You create one rule for UDP for 135-139 (possibly more like 135-139,445) and one rule for TCP with the same or a different port list.
I see, so in the allow address list they only keep the IP of their DNS server.
So everything else is blocked. This means that even if someone tries to put in Google DNS, he cannot access the internet.
Please remember if you block any ports > 1024, you should make sure you do them for inbound connections only. Otherwise if a client picks a local ephemeral port number that happens to match a blocked port, suddenly things stop working.
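Here is an added example (not from this thread) of how the per-protocol range rules from the earlier replies and the inbound-only caveat above look in RouterOS; it assumes an interface list named WAN for the upstream link, and uses 3389 as a stand-in for any port above 1024.

```routeros
# Added example, not from the thread. Assumes an interface list "WAN"
# containing the upstream interface(s); adjust names for your router.
/ip firewall filter

# Stateful accept first, so replies to connections the customer opened are
# never evaluated by the port-blocking rules below.
add chain=forward connection-state=established,related action=accept \
    comment="accept replies to existing connections"

# WEAK (shown only as a comment, not added): this matches every packet in
# both directions, so a reply to a LAN client whose ephemeral source port
# happened to be 3389 would be dropped if it were not already accepted above.
# add chain=forward protocol=tcp dst-port=3389 action=drop

# FIXED: only new connections arriving from the WAN side are dropped, so a
# client's ephemeral port choice can never trigger the rule.
add chain=forward in-interface-list=WAN connection-state=new \
    protocol=tcp dst-port=3389 action=drop \
    comment="block inbound RDP only"

# RouterOS accepts port ranges but not protocol ranges, so the same range
# needs one rule for TCP and one for UDP.
add chain=forward in-interface-list=WAN connection-state=new \
    protocol=tcp dst-port=135-139,445 action=drop \
    comment="block inbound NetBIOS/SMB (TCP)"
add chain=forward in-interface-list=WAN connection-state=new \
    protocol=udp dst-port=135-139,445 action=drop \
    comment="block inbound NetBIOS/SMB (UDP)"
```

Check rule order with `/ip firewall filter print` afterwards; a later `add` lands at the end of the chain, so use `place-before=` if the stateful accept rule is not already first.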
There is no general advice about that because it depends on your intentions.
Do you want to guard your own network, to guard your customer, your ISP’s reputation, or all?
Do you want to guard against abusers from the internet, from your customers, or both?
What OS is your typical customer running?
Anyway, the thread started with an existing policy that explains some things.
Yes but you need to decide what you want to guard against.
You need to be careful. When you implement measures to prevent your customers from being infected in a certain way, and this fails (if only due to advances in attacks), your customers may claim that you have failed in protecting them.
So it may be better to only guard your own network and reputation (protection against use of a customer as a DDoS reflector, against a customer doing spamming resulting in your network being listed on a spam blocklist, etc.).