OT: Should these ports be open, on dsl router? Options

[swood]

21 FTP - we access, but don't support our own ftp server

23 Telnet - we do not use telnet

I swear we're getting infiltrated. Gotta button the ship up.

[airsix]

Many small home routers such as Linksys do not allow you
seperately filter inbound/outbound ports so you have to be
careful and sometimes creative with what you filter because
their filtering capabilities are so limited.
Also, there is alot more than just HTTP, POP, & SMTP that
you are going to want to allow to have a working/functioning system
and a good WEB browsing experience.
(HTTPS, & DHCP immediately come to mind) There are other
things like instant messaging stuff, RealVideo/Audio etc....

The main thing is to block the nasty areas that are easily exploited
on Microsoft machines. The big one is multicast/broadcast protocols
such as NetBT which is microsloth's
NETBUI stuff slammed out in broadcast UDP packets.

Umm... all that stuff is already blocked. You don't need to create filters for it. In fact you can't manually block it. It's already blocked. All you can do is OPEN it. All the little residential/SOHO routers like the models from Linksys and D-link have all this stuff setup correctly right out of the box. You don't have to set up packet filters for any of this stuff be cause all inbound requests are ignored by default with the exception of ICMP reuqests which can be turned off if you wish with a single check-box click. Then 100% of all inbound traffic is dropped and all outbound traffic is masqueraded. In other words everybody can get out and nothing can get in. Do a port scan on the public side of a Linksys router right out of the box and all you'll get is ICMP response. Turn ICMP off and it's invisible - won't respond to or forward ANYTHING (from outside to inside). You're done. Exhale.

-Ben M.