On Wed, 27 Apr 2005, Jerry Pasker wrote:

> > Christopher L. Morrow allegedly wrote:
> >
> > >This, it seems, was an unfortunate side effect (as I pointed out earlier)
> > >of legacy software and legacy config... if I had to guess.
>
> You guess wrong. See the above. And don't pass judgement. (am I
> being cited for lack of clue? It kind of feels like it) It wasn't a

no lack of clue meant, just pointing out one possible cause of the acl
usage. I don't think I saw the original reasoning in the original email.

> *BAD* thing, it was a *GOOD* thing. It made things better, not
> worse. I still may go back and re-implement port 53 blocks in the
> future if I find a good reason to. I know now that it doesn't really
> cause operational problems. At least not in a smaller ISP
> environment. Would I want a transit network to block TCP 53? Of
> course not. But my end customers request those types of services
> regularly, so I try to provide what they want.
>

Sure, this is a form of 'managed security services' and the customer
(and you) agree to that policy change.

> And don't think I'm coming off as all ticked off and defensive. I'm
> not ticked off, I'm actually enjoying this. As for being defensive?
> Maybe. I'm trying hard not to be though. I really can't help
> myself........I have this lurking fear that I'm being tossed into
> the "clueless block TCP 53 with an outsourced firewall, and don't
> know what I'm doing beyond that" group that I so despise. ;-)
> Especially on this list, full of people that I have so much respect
> for.

either way, it was just one possibility of many for the acl to be
there, nothing more :)

> good of the group, and therefore, worth it. And I still think that.

excellent, it probably helps Patrick, the world-nic folks and others as
well :)