On Fri, 18 Jul 2003, Niels Bakker wrote:
* jared@puck.Nether.net (Jared Mauch) [Fri 18 Jul 2003, 23:23 CEST]:
On Fri, Jul 18, 2003 at 04:20:37PM -0400, Charles Sprickman wrote:
If I recall correctly, Rob's Secure IOS Template touches on filtering known services (the BGP listener, snmp), but what are people's feelings on maintaining filters on all interfaces *after* loading a fixed IOS? It shouldn't be done. transit internet providers should not be the edges firewalls. The edge? They can filter what they want, but you should not filter things for people that they don't know is being filtered. I can see a few clear cases where this is acceptable, and ms-sql was one of them.
Good point. Still, transit networks' ingress routers could filter on destination addresses of nodes known not to run IP protocols 53/55/77/103 in order to protect them.
hrm, what nodes don't run 55/53/77/103? What do? Do you have a list? Could we have it? Seriously though... the edge networks (as Jared pointed out) should be able to decide what they want to filter and what they don't... perhaps some large ISP would decide you don't want any traffic from 212/8 or perhaps all porn? Or all religious material? You don't want someone deciding what you do and don't get... unless that someone is you :)
I suppose most networks have a limited number of ranges they use for assigning space to loopback and point-to-point interfaces so this needn't be an extreme amount of administration.
yes... inside my network I know what my loopbacks and links are, inside yours?? No idea... or Jared's or Tim Battles or...