Question: Why is it that every company out there allows connections through their firewalls to their web and mail infrastructure from countries that they don't even do business in. Shouldn't it be our default to only allow US based IP addresses and then allow others as needed? The only case I can think of would be traveling folks that need to VPN or something, which could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still seem to be in the wild west, but no-one has the b@lls to be brave and block the unnecessary access.

-=-=-=-=-=-=-=-=-=-=-=-=-
The Shadow
www.Geek-Guy.com
-=-=-=-=-=-=-=-=-=-=-=-=-
> Why is it that every company out there allows connections through their firewalls to their web and mail infrastructure from countries that they don't even do business in. Shouldn't it be our default to only allow US based IP addresses and then allow others as needed? The only case I can think of would be traveling folks that need to VPN or something, which could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still seem to be in the wild west, but no-one has the b@lls to be brave and block the unnecessary access.

maybe because those godless communist sexually deviant vicious perverts out there in the rest of the world are damned hard to differentiate from the sexually deviant vicious perverts we have in our government?

and their money is still good. you may want to look at the balance of trade and worry about the opposite flow.

sheesh!

randy
> Why is it that every company out there allows connections through their firewalls to their web and mail infrastructure from countries that they don't even do business in. Shouldn't it be our default to only allow US based IP addresses and then allow others as needed? The only case I can think of would be traveling folks that need to VPN or something, which could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still seem to be in the wild west, but no-one has the b@lls to be brave and block the unnecessary access.

Most people inherently know the answer to this, but I figure I might as well answer the question since it was asked.

It is the way it is, because the internet works when it's open by default, and closed off carefully. (blacklists, and the such) Would email have ever taken off if it were based on white lists of approved domains and or senders? Sure, it might make email better NOW (maybe?) but in the beginning?

Block the few bad apples, and generally allow everything else by default. (but allow it carefully) It works for the web, email, airport security, and society in general (mostly open, free... unless you're a Bad Guy Criminal Type).

No one is smart enough to be a central planner, and know where the bad is, all the time. And no one is smart enough to predict who/where the "good" is. That's why open by default (with careful security to screen out the "bad") generally works the best. Chase down the "bad", and assume (correctly so) that the rest is "good."

Same concept applies to why we have police that chase criminals, rather than just throwing everyone in prison by default and making them prove that they're worthy of being free.

-Jerry
Jerry Pasker wrote:
> It is the way it is, because the internet works when it's open by default, and closed off carefully. (blacklists, and the such) Would email have ever taken off if it were based on white lists of approved domains and or senders? Sure, it might make email better NOW (maybe?) but in the beginning?
There was an experiment on this. It's called X.400.
Pete
On Fri, 29 Dec 2006, Randy Bush wrote:
> > Why is it that every company out there allows connections through their firewalls to their web and mail infrastructure from countries that they don't even do business in. Shouldn't it be our default to only allow US based IP addresses and then allow others as needed? The only case I can think of would be traveling folks that need to VPN or something, which could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still seem to be in the wild west, but no-one has the b@lls to be brave and block the unnecessary access.
>
> maybe because those godless communist sexually deviant vicious perverts out there in the rest of the world are damned hard to differentiate from the sexually deviant vicious perverts we have in our government?
>
> and their money is still good. you may want to look at the balance of trade and worry about the opposite flow.
I think the better answer is: "your network your choices, my network my choices"
And then I can refuse to read anything that comes from the US. After all, the pharma spam is clearly targeted on US residents. But what about all the Alice.it/Telecom Italia spam? Killfile the whole country, clearly. And the Chinese porno spam? And the Russian hackers?

I remember there used to be something called the Internet..

On 12/30/06, Chris L. Morrow <christopher.morrow@verizonbusiness.com> wrote:
> On Fri, 29 Dec 2006, Randy Bush wrote:
> > > Why is it that every company out there allows connections through their firewalls to their web and mail infrastructure from countries that they don't even do business in. Shouldn't it be our default to only allow US based IP addresses and then allow others as needed? The only case I can think of would be traveling folks that need to VPN or something, which could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still seem to be in the wild west, but no-one has the b@lls to be brave and block the unnecessary access.
> >
> > maybe because those godless communist sexually deviant vicious perverts out there in the rest of the world are damned hard to differentiate from the sexually deviant vicious perverts we have in our government?
> >
> > and their money is still good. you may want to look at the balance of trade and worry about the opposite flow.
>
> I think the better answer is: "your network your choices, my network my choices"
On Fri, Dec 29, 2006 at 02:19:36PM -0800, The Shadow wrote:
> Question: Why is it that every company out there allows connections through their firewalls to their web and mail infrastructure from countries that they don't even do business in. Shouldn't it be our default to only allow US based IP addresses and then allow others as needed? The only case I can think of would be traveling folks that need to VPN or something, which could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still seem to be in the wild west, but no-one has the b@lls to be brave and block the unnecessary access.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-
> The Shadow
> www.Geek-Guy.com
> -=-=-=-=-=-=-=-=-=-=-=-=-

From: ceo@rich-company.co.es
To: shadow@geek-guy.com
Subject: employment

Dear Mr. Shadow,

Your previous employer, Mr. Lamont Cranston, has recommended you for consulting work with our US office. This would allow you to work 20 hrs/week from home. Our need is such that we would be willing to offer you up to 150.000 euros/yr (~$197,970.12) as a non-exclusive retainer for these services. Please respond at your earliest convenience. We were particularly impressed by what we saw on your Web site.

Oops, but you missed that because you only allowed provincial mail in. And didn't let them see your Web site.

--
Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.
On Dec 29, 2006, at 4:19 PM, The Shadow wrote:
> Question: Why is it that every company out there allows connections through their firewalls to their web and mail infrastructure from countries that they don't even do business in. Shouldn't it be our default to only allow US based IP addresses and then allow others as needed? The only case I can think of would be traveling folks that need to VPN or something, which could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still seem to be in the wild west, but no-one has the b@lls to be brave and block the unnecessary access.
I can't quite tell if this is a troll or legit question. Had I not just gone through this same debate with someone else who was serious about it, I would have assumed the former. :)

1) There is no 100% accurate list of what country the assignee of an IP address is. Through our own experiences, the best geotargeting databases are less than 90% accurate at the country level.

2) Even if you were able to 100% accurately list what the country of origin each allocation is, that still doesn't mean you can determine where the system is itself. Out of one /16 allocation it's not uncommon to see chunks of it deployed in several countries. Multinational countries may forward all of their outgoing mail to one or two large servers in a different country than the sender/recipient is in.

3) Even if you can get around #1 and #2, nothing stops the "bad guys" from connecting to a host in your country and forwarding whatever attack they want from there.

4) Even if you can get around #1, #2 and #3, legitimate accesses from people in your country may go through servers in another country. (Non-US users using Gmail for example)

5) Even if you're positive that the above 4 don't matter, you're talking about a HUGE number of firewall entries. In our current geotargeting database, collapsing all known US allocations into as big CIDR blocks as possible while still leaving out uncertain/unknown blocks, that still ends up with around 1,800,000 firewall rules to allow only known US IP addresses. Working off a blacklist isn't much better. If you don't like Canadians, you're adding 80,000 rules. If you want to keep the Chinese out, that's 155,000 rules. If it's British hackers you're concerned about, you've got 308705 distinct IP blocks to ban.

6) Allocations change constantly, how are you keeping this list updated?

7) What about open proxies, botnets, or other nasties inside the "good" countries?

8) The first time your CEO loses an email from his daughter while she's on vacation to Singapore, you're going to have to remove all of this.
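The rule-count and upkeep problems in points 5 and 6 of the message above, as an added example that is not part of the original thread: it collapses one country's blocks into the fewest CIDR rules and diffs two database snapshots. The snapshots are constructed from private 10.0.0.0/8 space, and the function names are hypothetical.

```python
import ipaddress

# Constructed geo-database snapshots (private address space, not real
# allocations): (CIDR, country code, or None where the database is unsure).
SNAPSHOT_OLD = [
    ("10.0.0.0/24", "US"), ("10.0.1.0/24", "US"),  # adjacent: merge into a /23
    ("10.0.2.0/24", "CA"),                         # foreign block splits the range
    ("10.0.3.0/24", "US"),
    ("10.0.4.0/23", None),                         # unknown: left off the allow list
    ("10.0.6.0/24", "US"), ("10.0.7.0/24", "GB"),
]
SNAPSHOT_NEW = [
    ("10.0.0.0/24", "US"), ("10.0.1.0/24", "GB"),  # reassigned since the old snapshot
    ("10.0.2.0/24", "CA"), ("10.0.3.0/24", "US"),
    ("10.0.4.0/23", "US"),                         # now attributed
    ("10.0.6.0/24", "US"), ("10.0.7.0/24", "GB"),
]

def allow_rules(snapshot, country):
    """Collapse every block attributed to `country` into the fewest CIDRs."""
    nets = [ipaddress.ip_network(cidr) for cidr, cc in snapshot if cc == country]
    return list(ipaddress.collapse_addresses(nets))

def churn(old_rules, new_rules):
    """Rules to delete and rules to add when moving between snapshots."""
    old, new = set(old_rules), set(new_rules)
    return sorted(old - new), sorted(new - old)

def is_allowed(addr, rules):
    """True if `addr` falls inside any allow rule."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in rules)

if __name__ == "__main__":
    old = allow_rules(SNAPSHOT_OLD, "US")
    new = allow_rules(SNAPSHOT_NEW, "US")
    removed, added = churn(old, new)
    print("old rules:", [str(n) for n in old])
    print("new rules:", [str(n) for n in new])
    print("delete:", [str(n) for n in removed], "add:", [str(n) for n in added])
    # A host in the reassigned /24 stays allowed until the rules are refreshed.
    print("10.0.1.5 allowed by stale rules:", is_allowed("10.0.1.5", old))
```

Collapsing only merges blocks that are adjacent, aligned and attributed to the same country, so a single foreign or unknown block in the middle of a range keeps the rule count up, and one reassignment changes several rules at once.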
> Why is it that every company out there allows connections through their firewalls to their web and mail infrastructure from countries that they don't even do business in. Shouldn't it be our default to only allow US based IP addresses and then allow others as needed? The only case I can think of would be traveling folks that need to VPN or something, which could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still seem to be in the wild west, but no-one has the b@lls to be brave and block the unnecessary access.

I assume you want this:

http://geekculture.com/joyoftech/joyarchives/446.html

Most "unnecessary access" I see seems to be coming from US-based IP addresses anyway. A Great Firewall Of USA would certainly reduce the amount of spam I get :)
On Fri, 29 Dec 2006, Peter Corlett wrote:
> > Why is it that every company out there allows connections through their firewalls to their web and mail infrastructure from countries that they don't even do business in. Shouldn't it be our default to only allow US based IP addresses and then allow others as needed? The only case I can think of would be traveling folks that need to VPN or something, which could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still seem to be in the wild west, but no-one has the b@lls to be brave and block the unnecessary access.
>
> I assume you want this:
>
> http://geekculture.com/joyoftech/joyarchives/446.html
>
> Most "unnecessary access" I see seems to be coming from US-based IP addresses anyway. A Great Firewall Of USA would certainly reduce the amount of spam I get :)

Hear Hear! It'd be amazing how much easier my mail handling life would be if I could blindly drop *.comcast.net without worrying about collateral damage.

(Some years ago I had to ring an ISP in the US - and I'm in NZ - and ask them by _phone_ why they appeared to be filtering connections from here to their web server, despite the fact we were one of their customers. Turns out that they had inbound filters applied to 202/8. Whoopsie?)

Mark.

(It's the Internet, not the USofA-net. Damnit!)
participants (10)
- Alexander Harrowell
- Chris L. Morrow
- Jerry Pasker
- Joseph S D Yao
- Kevin Day
- Mark Foster
- Peter Corlett
- Petri Helenius
- Randy Bush
- The Shadow