On Thu, Feb 10, 2000 at 06:13:56PM -0800, Chris Cappuccio wrote:
Filtering incoming or outgoing ports for anybody's network but your own (not your customer's) is wrong. You know specifically what apps you are running. How can you know what your customer is running or what they want to do?
If the customer is aware this is happening or even requests this type of firewall service, that's great. But to filter ports on backbone routers is stupid.
On Thu, 10 Feb 2000, John M. Brown wrote:
| We have always built martian filters on our edge routers. In addition we
| built specific filters for ports that are not used, or are bad on the net.
|
| No matter what the customer's router is doing, ours will drop 1918 and other
| IP blocks, and ports.
|
| This can be automated and can be deployed over a reasonable period of time.
| Most MAJOR backbone providers do not do this, wish they would
Filtering traffic sourced from 1918 space is also stupid. There is absolutely nothing wrong with this traffic. There is something wrong with knowing how to get to 1918 space that is not on your network or trying to tell someone else how to get to your 1918 space, but the traffic itself is totally legit, for example as a return in a traceroute from a hop that is numbered in 1918 space.

I am continually amazed how many people say "well we filtered 1918 space, that will reduce the size of the attack". RFC1918 space is 6% of the available IPv4 address space. In fact the only traffic that should NOT be on the internet is from the loopback class A 127.0.0.0/8, so if you want to filter something useful why don't you try

    access-list 1911 permit 64.0.0.0 0.255.255.255
    access-list 1911 deny 64.0.0.0 63.255.255.255
    access-list 1911 deny 224.0.0.0 31.255.255.255
    access-list 1911 permit any

That's a 35.9% reduction in the random sourced attacks, and takes care of multicast space sourced packets which you should never see either.

-- 
Richard A. Steenbergen <ras@above.net> http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA
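An added example (my own code, not from any poster in this thread): it parses the four access-list lines quoted in the reply above into CIDR blocks by converting Cisco wildcard masks, then computes the share of IPv4 space the list drops under first-match evaluation, so the permit for 64/8 is honored before the deny for 64/2. The same function is run over a constructed list of the three RFC 1918 blocks for comparison.

```python
import ipaddress
import re

# Copy of the access-list from the reply above (Cisco IOS standard ACL syntax).
ACL_1911 = """
access-list 1911 permit 64.0.0.0 0.255.255.255
access-list 1911 deny 64.0.0.0 63.255.255.255
access-list 1911 deny 224.0.0.0 31.255.255.255
access-list 1911 permit any
"""

# Constructed for comparison: the three RFC 1918 blocks as deny entries.
ACL_RFC1918 = """
access-list 1918 deny 10.0.0.0 0.255.255.255
access-list 1918 deny 172.16.0.0 0.15.255.255
access-list 1918 deny 192.168.0.0 0.0.255.255
access-list 1918 permit any
"""

ACL_RE = re.compile(r"^access-list\s+\d+\s+(permit|deny)\s+(any|\S+)(?:\s+(\S+))?$")

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard (1 bits = don't care) -> CIDR; only contiguous masks map to a prefix."""
    wc = int(ipaddress.IPv4Address(wildcard))
    bits = wc.bit_length()
    if wc != (1 << bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - bits))

def parse_acl(text):
    """Return [(action, IPv4Network), ...] in the order the router evaluates them."""
    entries = []
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACL line: {line!r}")
        action, addr, wildcard = m.groups()
        net = ipaddress.IPv4Network("0.0.0.0/0") if addr == "any" \
            else wildcard_to_network(addr, wildcard or "0.0.0.0")
        entries.append((action, net))
    return entries

def _subtract(pieces, prior):
    """Remove the space already decided by an earlier entry from a list of CIDR blocks."""
    out = []
    for p in pieces:
        if p.subnet_of(prior):
            continue                                  # fully decided by an earlier line
        if prior.subnet_of(p):
            out.extend(p.address_exclude(prior))      # carve the earlier block out
        else:
            out.append(p)                             # CIDR blocks are disjoint otherwise
    return out

def denied_fraction(entries):
    """Fraction of all IPv4 addresses dropped, honoring first-match semantics."""
    denied, decided = 0, []
    for action, net in entries:
        fresh = [net]
        for prior in decided:
            fresh = _subtract(fresh, prior)
        if action == "deny":
            denied += sum(n.num_addresses for n in fresh)
        decided.extend(fresh)
    return denied / 2**32
```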