
treich (Member) join:2006-12-12

blocking web servers on customer side

Guys,
I am wanting to block all web servers on the customer side of things and I will be using MikroTik, so what's the script for doing this?

Thanks
wirelessdog (Member) join:2008-07-15, Queen Anne, MD

NAT at the CPE.
OHSrob (Member) join:2011-06-08, to treich
What's wrong with letting your customers host web servers ?

As long as they are not spamming or hosting a DNS server I don't see what's wrong with this.

treich (Member) join:2006-12-12

Rob,
I don't want residential customers to host web servers; I don't care about the business customers doing that.

Wirelessdog, I will be using UBNT gear, so what do I need to do for NATing at the CPE?
alphageek911 (Member) join:2007-08-10, Fresno, CA, to treich
Keep in mind that you'll also be blocking many home webcams/video systems, and possibly other security/home automation systems. You may want the ability to switch it back on for customers who complain.

dmburgess (Member) join:2006-09-12, House Springs, MO, to treich
The script is hard, but basically block inbound port 80 and 443 connections. While you are at it, you can add ports 80, 8080, 8181, 81, UDP 53 and 123 as well.

We have plenty of customers that do this to prevent consumer accounts from hosting. Google does this on Google Fiber now as well.

treich (Member) join:2006-12-12

@dmburgess, how do I do that?
wirelessdog (Member) join:2008-07-15, Queen Anne, MD, to treich
Set the Ubiquiti radio to router mode. Set the WLAN side as WAN with whatever - DHCP client, static, PPPoE. Set the LAN side to do DHCP with a separate subnet, enable NAT, and away you go.

treich (Member) join:2006-12-12

wirelessdog,
when I do that under router mode I lose the option for management network setup, unless I am not looking at something right.

keyboard5684 (Sam, Member) join:2001-08-01, Pittsburgh, PA

I do not think you want to start natting everything.
It sounds like you just need to block ports 80 and 443.

This may be what you are looking for:
»home.swkls.org/mikrotik- ··· ettings/

John Galt6 (Premium Member) join:2004-09-30, Happy Camp, to treich
What is the purpose, in particular, for doing this? Is there an operational necessity driving your decision to do this?
wirelessdog (Member) join:2008-07-15, Queen Anne, MD, to treich
No, not at all.
wirelessdog (Member) to keyboard5684
Why wouldn't you want to NAT your residential customers?

keyboard5684 (Sam, Member) join:2001-08-01, Pittsburgh, PA

I guess it depends on how many customers you have.
Too many translations would be one issue.
It is not best practice at all, it can certainly break things.

Also, logging.
Someone does something bad, that public address is suspect.

Mail servers: say someone sends spam and that NAT address gets blocked. All of your customers are now blocked.

That is a few, but overall it would create so many problems.

F100 (Member) join:2013-01-15, Durham, NC, to dmburgess
said by dmburgess:

The script is hard, but basically block inbound port 80 and 443 connections. While you are at it, you can add ports 80, 8080, 8181, 81, UDP 53 and 123 as well.

We have plenty of customers that do this to prevent consumer accounts from hosting. Google does this on Google Fiber now as well.

So when did Google Fiber start blocking ports? When they announced the small business fiber? I don't have their connection; I just have an interest in keeping the internet as open as possible. As an ISP, it's not your job to tell people how to use their connections as long as they are not causing impact to your network.

Does Ford or your state tell you where you can drive your truck or car? Even TWC still doesn't block most ports. If I were using an ISP that wanted to reduce my service, I would want a reduced price on said service to accommodate.
wirelessdog (Member) join:2008-07-15, Queen Anne, MD, to keyboard5684
You obviously didn't read my post. I said to NAT at the CPE.
wirelessdog (Member) to F100
Hosting servers is not a Net Neutrality issue.

treich (Member) join:2006-12-12

@F100 TWC does block port 80 on residential accounts.
@John Galt, the reason behind blocking port 80 on residential is that they can suck up a lot of bandwidth, I could get in trouble if they host child porn, and they could also put up servers that spread viruses etc. on the network.

John Galt6 (Premium Member) join:2004-09-30, Happy Camp

Well, anyone knowledgeable enough to set up a server is going to be knowledgeable enough to circumvent your port blockage. The only way you're going to be able to do this is to block -all- ports, then allow open ports only for those services you want to allow.

As alphageek911 stated above, there are a lot of 'servers' out there now... expect to get many trouble calls.
wirelessdog (Member) join:2008-07-15, Queen Anne, MD

said by John Galt6:

The only way you're going to be able to do this is to block -all- ports, then allow open ports only for those services you want to allow.

aka NAT at CPE

TomS_ (MVM) join:2002-07-19, London, UK, to treich
As a service provider working with law enforcement, you shift the blame on to the customer that is hosting the illegal content. You are not the one that goes to jail...

There's no reason they can't host a web server on any other port that you haven't blocked, so blocking port 80 is half futile. It only serves to break the default nature of HTTP connections.

Re viruses: since you actually have to visit a website to download content from it, I wouldn't be too worried about viruses spreading that way. More likely you need to worry about self-replicating viruses that spread by directly and actively exploiting vulnerabilities in remote systems on their own.

F100 (Member) join:2013-01-15, Durham, NC, to treich
said by treich:

@F100 TWC does block port 80 on residential accounts.
@John Galt, the reason behind blocking port 80 on residential is that they can suck up a lot of bandwidth, I could get in trouble if they host child porn, and they could also put up servers that spread viruses etc. on the network.

Yes, they allow port 80 and even port 25 for mail servers, at least in my market. Also port 53 for DNS, last time I checked. Given the size of TWC, it shows that it's not really a problem leaving ports open if you know how to manage your network.

It is not exactly a net neutrality issue in the same way as prioritizing one site over other ones, but it is still in the spirit of the open internet. Try to define "a server" in today's technology. Technically you are serving up any content you send to other computers, like DSLR. As an ISP, bandwidth-wise, it makes no difference if it is pushed or pulled from the CPE. Who wants to be the judge of what can be accessed on a LAN vs. a WAN?

My F100 pickup you see in my avatar probably gets 10 mpg. Toyota's eco egg car may get 50. We both pay the same taxes to use the same bandwidth on the highway. If I choose to use 5x more gas, it doesn't mean I don't get to use the road the same as the Prius just because I can carry stuff with my truck that the Prius can't, or doesn't. The state and feds provide the road and don't limit it except in certain cases such as hazardous materials or weight restrictions.

I think it would be better for your customers if you were to use bandwidth monitoring. If someone is hogging bandwidth, send them an acceptable use warning. Use QoS to limit their connection when bandwidth is not available.

Using firewalls and QoS is much better than NAT. That will be necessary anyway as things move to IPv6, where there is not supposed to be NAT. Are your customers using NAT now, or do you have IP blocks for them to pull from?

It doesn't sound like your ISP is ready for it, but a security appliance could protect your network from viruses and from ports being used for traffic other than the traffic intended on those ports.

If you are worried about what people are hosting, you need to visit a lawyer and update your legal terms. Do you think anyone at TWC goes to jail when CPE users host illegal content? Not a chance. Lawyers made sure of that.

I think you should do what is best for your business. I'm just thinking from the CPE perspective.
raytaylor (Member) join:2009-07-28, to treich
Don't allow port 80 - if a customer has a badly designed router that exposes itself on the WAN side, then you can be unknowingly taking part in a DDoS attack, or the router can be hacked to allow them to run programs on the router itself.

We block ports 80-84, 1900 (UPnP), DNS, 25 (in and out) and a few others like telnet/SSH and NetBIOS/Windows file sharing.
OHSrob (Member) join:2011-06-08, to treich
FYI, blocking NetBIOS can have unexpected consequences.

When I added it to the ACL of blocked inbound services (DNS, SMTP, UPnP), I also found out that some CCTV DVRs' mobile apps use the same port as NetBIOS.

I have at least 12 customers that I know of with old-style CCTV DVRs they bought at Costco. The web interface is on port 80 and the mobile app is on the same port as NetBIOS.

I also had an issue with a brand of router called SonicWall that was listening for DNS requests on the WAN. I really dislike SonicWall.

That said, if you guys really want to block all web servers so badly, why don't you just use deep packet inspection, make a layer 7 QoS inbound queue, and set the queue to simulate a 1 Kb/s connection on the moon (5000+ ms of latency)?

It is trivial to do on pfSense; Cisco can do it as well, but be prepared to throw at least a quad-core i7 or Xeon at it if you go with pfSense. Inspecting the contents of every packet is very CPU intensive. Short of making a custom platform that uses an FPGA to do most of the heavy lifting, I wouldn't expect to get more than 100-200 megabits of throughput through an i7.

That said, unless you're offering stupid amounts of upload and are not taking your own limitations into consideration, the amount of radio time customers' uploads take up is very minimal, and even if a quarter of your customers are blasting their upload full out all day and night you shouldn't even notice it.

edit: Fixed some poor wording.

edit: MikroTik can probably do this as well, but don't ask me for help or even a link on how to do DPI on a MikroTik router. I never managed to get hardware offloading of checksums and ACKs to work on my Intel cards properly.

MikroTik needed too much CPU on my DL380 G5 to do anything when I evaluated it before, so I never took it very seriously.

Rhaas (Premium Member) join:2005-12-19, Bernie, MO, to wirelessdog
said by wirelessdog:

Set the Ubiquiti radio to router mode. Set the WLAN side as WAN with whatever - DHCP client, static, PPPoE. Set the LAN side to do DHCP with a separate subnet, enable NAT, and away you go.

+1 on this. Customers have public IPs, but all are NATted at the CPE except for business customers with their own router - which, hey, guess what, is still NATted, just out of my control.

We do block common server ports that could potentially have an adverse effect on ourselves or other customers, i.e. port tcp/25. Most RBLs have woken up and don't block /24s or greater anymore, though, which was for me the big reason behind dropping SMTP traffic. Now it's DNS and other ports inbound, due to amplification attacks and misconfigured CPE.
Business class customers get exceptions in the core firewalls.

Over the years I think most ISPs have relaxed on the no-servers policy. DIA connections more often than not are symmetrical now instead of aggregate, so the outbound traffic doesn't take away from the whole (we still have 2 aggregate connections that are going away this year). It still makes sense for ISPs that are getting asymmetric or aggregate upstream connections to disallow servers.

I still won't allow SMTP though; I've dealt with too much BS over the years. Now if they want to run a mail server they have to be a business customer and sign a contract with us which holds them liable for the hours I have to spend de-listing their IP if they are ever blacklisted. We billed a customer over $1k for getting listed twice in a week. The first time wasn't much of an issue, but RBLs don't play nice if you get nailed 2+ times in a short period. The customer refused the bill, so we disconnected them and they went to a competitor. The competitor disconnected them ~2 weeks later. They came back to us, but I refused to allow the mail server to come back, so they went to Google Apps and have been happier with that solution than having the mail server in house.
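Since the original question asked for a MikroTik script and nobody in the thread posted one, here is an added example (mine, not any poster's configuration) of the inbound-port block that dmburgess, keyboard5684 and raytaylor describe, with the per-customer exception list that Rhaas ("business class customers get exceptions") and alphageek911 ("switch it back on for customers that complain") call for. The interface name ether1-upstream, the 100.64.x.x address ranges and the address-list names are assumptions chosen for the example; substitute your own.

```routeros
# Added example for a MikroTik RouterOS core/edge router: drop connections that
# the Internet initiates toward residential customers on common server ports,
# while letting business / opted-out customers host. Interface name, address
# ranges and list names below are assumptions, not values from the thread.

/ip firewall address-list
# constructed residential pool; replace with the real customer prefixes
add list=residential address=100.64.0.0/22 comment="residential customer pool (example range)"
# customers allowed to host: business accounts or residential opt-outs
add list=server-allowed address=100.64.1.20 comment="example business customer"

/ip firewall filter
# Exceptions go first: the forward chain is evaluated top to bottom.
add chain=forward action=accept in-interface=ether1-upstream \
    dst-address-list=server-allowed \
    comment="hosting allowed: business / opt-out customers"

# Unsolicited inbound TCP to web ports (80-84, 443, 8080, 8181).
# connection-state=new restricts the drop to connections initiated from the
# Internet; replies to the customer's own outbound browsing are established
# flows and are not matched.
add chain=forward action=drop in-interface=ether1-upstream \
    dst-address-list=residential protocol=tcp connection-state=new \
    dst-port=80-84,443,8080,8181 \
    log=yes log-prefix="resi-web-block" \
    comment="drop inbound web servers on residential"

# Unsolicited inbound UDP 53 and 123: open resolvers and NTP servers on
# customer CPE are the amplification sources Rhaas mentions. The customers'
# own DNS/NTP lookups create the connection-tracking entry themselves, so
# their replies are established and pass.
add chain=forward action=drop in-interface=ether1-upstream \
    dst-address-list=residential protocol=udp connection-state=new \
    dst-port=53,123 \
    log=yes log-prefix="resi-udp-block" \
    comment="drop inbound DNS/NTP servers on residential"

# Granting an exception later is one address-list entry (placeholder ticket id):
# /ip firewall address-list add list=server-allowed address=100.64.2.77 comment="ticket PLACEHOLDER"
```

Place these three rules above any general accept in the forward chain (check with /ip firewall filter print and reorder with move if needed). The log=yes entries give you a record of which customer addresses are actually receiving inbound hits on these ports, which is the data you want on hand before the trouble calls alphageek911 predicts start arriving. As John Galt6 and TomS_ note, this covers only the listed ports; the exception list is what keeps it manageable rather than turning it into a block-everything policy.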