* jared@puck.Nether.net (Jared Mauch) [Fri 18 Jul 2003, 23:23 CEST]:
On Fri, Jul 18, 2003 at 04:20:37PM -0400, Charles Sprickman wrote:
If I recall correctly, Rob's Secure IOS Template touches on filtering known services (the BGP listener, snmp), but what are people's feelings on maintaining filters on all interfaces *after* loading a fixed IOS? It shouldn't be done. transit internet providers should not be the edges firewalls. The edge? They can filter what they want, but you should not filter things for people that they don't know is being filtered. I can see a few clear cases where this is acceptable, and ms-sql was one of them.
Good point. Still, transit networks' ingress routers could filter on destination addresses of nodes known not to run IP protocols 53/55/77/103 in order to protect them. I suppose most networks have a limited number of ranges they use for assigning space to loopback and point-to-point interfaces so this needn't be an extreme amount of administration. Regards, -- Niels.