So it sounds like you fall on the side of lock down everything and allow specific ports in as needed.
WAN_IN
This was our original (and now current) setup - where we lock down the firewall and only allow specific ports through, but after some discussion and research we thought perhaps it might be a better route as an ISP to only block specific ports that are known to be an issue and hence allow customers to do what they needed without the need for us to intervene.
Unfortunately when doing that we encountered the issue mentioned above - so we've reverted. It will be interesting to see if we get a few more people chiming in on what they do.
Are more people on the lock down and open specific ports side or the open all and block specific ones? If anyone is on the open all and block only specific ports I'd also be interested in hearing whether or not it's caused them issues such as ours and/or what ports they've taken to blocking.