> On Tue, 15 Nov 2011, Joe Greco wrote:
> > Or perhaps a better argument would be that routers really ought to default to deny. :-) I'd be fine with that, but I can hear the screaming already.
>
> er. you've forgotten "en; conf t; ip routing" to turn off the default "no ip routing" (or "no ip forwarding" is my memory, but my config archive says otherwise)
>
> so we had default to deny in routers for a long time....
My bad.

But seriously, now, I'm going to wander a bit far to make a point that I hope people get.

In the '90s, during the rapid ISP growth era, one of the local policies here was that all boxes should be protected by a competent on-box firewall. The problem with this was that it was tough to implement in practice, since for the most part, boxes varied in interface configuration, etc., etc. Writing a custom ruleset for each box was nearly prohibitive. I also had clients where I saw similar problems. You'd see all sorts of pseudo-strange rulesets being written, and wildly differing policies about things like ssh, etc., which made administration a challenge too. But a large percentage seemed to go firewall-free. Bleh.

So as part of the standard build, I designed an automatic firewall script that basically looked at the system IP configuration, derived reasonable defaults, and then allowed an abstract policy to be specified, such as TCP_ALLOW="80 443", and the rest was automatic. This may seem trivial to many of you, and I will even concede that it *should* be, but the point is that by having this installed by default, it made it MORE annoying to disable the firewall than it was to create a simple configuration for it. So suddenly all servers built through the build scripts reliably had firewall rules in place. I know some readers here may still be using variations on those scripts, and they've served us well over the years too.

Now I want to stress the point here: it wasn't that there was this magic firewall script, because to be sure some engs still rolled their own for various reasons. The point is that SOME firewall was going to be running. And that's the desired result.

In any case, to bring the discussion home, I suspect that part of the problem with routers and fw rules is that there's a lack of a "default to being firewalled". Because it's hard to do that and do it right without also being so painful that an admin just installs a "pass all" rule to get things working, and then forgets about it all.

Those of you who work for large service providers or enterprises and have this all worked out - well, I'm not talking about you, of course. You have incentive and motivation to get this kind of thing working on your fleets of a thousand routers. Great. But it's still a problem for many others.

... JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
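The build-time firewall generator Joe describes (derive sane defaults from the box's addressing, take an abstract policy such as TCP_ALLOW="80 443", default to deny) is sketched below as an added example in POSIX sh. It is not Joe's script or any sol.net code; the names `gen_rules`, `valid_port` and `rule` are this example's own. It assumes iptables-restore syntax, takes the local addresses as an argument rather than reading them from the live system so it can be exercised offline, and only prints the ruleset; the sample addresses are constructed from the documentation ranges. The policy is validated before anything is emitted, so a typo fails the build loudly instead of producing a ruleset that tempts the "pass all to get it working" shortcut.

```shell
#!/bin/sh
# Added example, not Joe Greco's script: turn an abstract policy such as
# TCP_ALLOW="80 443" into a default-deny iptables-restore ruleset.
# Assumptions: iptables-restore syntax; local addresses are passed in
# (the original derived them from the system IP configuration) so the
# generator runs offline; output is printed, never loaded.

# Emit one rule line; "$*" joins the words with single spaces.
rule() { printf '%s\n' "$*"; }

# valid_port N: true only for an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules TCP_PORTS UDP_PORTS ADDRS
#   TCP_PORTS / UDP_PORTS: space-separated port lists, may be empty
#   ADDRS: space-separated local IPv4 addresses
# Fails (exit 1, nothing printed) on a malformed port so a typo in the
# policy breaks the build instead of silently shipping the wrong rules.
gen_rules() {
    tcp_allow=$1
    udp_allow=$2
    addrs=$3
    for p in $tcp_allow $udp_allow; do
        if ! valid_port "$p"; then
            printf 'gen_rules: bad port "%s" in policy\n' "$p" >&2
            return 1
        fi
    done
    rule '*filter'
    # Default to deny on input and forwarding; the box may originate traffic.
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    # Reasonable defaults every box needs: loopback, return traffic, ping.
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # The abstract policy, expanded once per local address.
    for a in $addrs; do
        for p in $tcp_allow; do
            rule -A INPUT -d "$a" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
        done
        for p in $udp_allow; do
            rule -A INPUT -d "$a" -p udp --dport "$p" -j ACCEPT
        done
    done
    # Log a rate-limited sample of what falls through to the DROP policy.
    rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix '"fw-drop: "'
    rule COMMIT
}

# Constructed sample: two addresses from the documentation ranges,
# web on TCP plus DNS on UDP. Pipe the output into iptables-restore to apply.
gen_rules "80 443" "53" "192.0.2.10 203.0.113.5"
```

Because the policy is a short list of ports rather than a hand-written ruleset, the per-box variation Joe mentions (interfaces, addresses) is absorbed by the generator, which is what makes leaving the firewall on cheaper than turning it off.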