What are some good standard firewall practices that ISP's should use to filter theirs customers internet? Is it appropriate to filter it at all or give them full access to ports etc.?
If it is a good idea to filter forward traffic for customers then what are some good guildlines to use?
Re: Standard ISP Firewall practices
Check out this recent thread.
If your customers are fully exposed, there are some ports that you might want to block to offer some basic protection. Generally speaking, blocking all inbound traffic to ports <1025 would be reasonable for residential customers. Business/enterprise customers might not like that though.
For outbound filtering, windows networking stuff (135-7,445?) might also be reasonable, along with well known ports for proxy services like socks. Careful with this though. If you filter too much you can make the service unusable.
Personally, I'd put residential services behind NAT and require SOHO/Enterprise customers to have a router/firewall appliance of their own, which could be a business opportunity for you to offer managed services. Leasing/managing a 2011 or CCR for a monthly fee on top of the bandwidth could be very profitable.
If your customers are fully exposed, there are some ports that you might want to block to offer some basic protection. Generally speaking, blocking all inbound traffic to ports <1025 would be reasonable for residential customers. Business/enterprise customers might not like that though.
For outbound filtering, windows networking stuff (135-7,445?) might also be reasonable, along with well known ports for proxy services like socks. Careful with this though. If you filter too much you can make the service unusable.
Personally, I'd put residential services behind NAT and require SOHO/Enterprise customers to have a router/firewall appliance of their own, which could be a business opportunity for you to offer managed services. Leasing/managing a 2011 or CCR for a monthly fee on top of the bandwidth could be very profitable.