We have a default rule-set of firewalling rules per server. Even if the
server is behind a firewall itself, we still apply firewalling on each
server itself. This set includes an RFC set by default.
From experience I can say that the networks bleed a lot of such
traffic all over.
When I asked our network engineers about this, I got various answers
from not wanting to spend 2 minutes to add those ACLs to routers, to
claims that the processing for implementing such ACLs would be too
hefty on the CPUs of the router.
I even had a comment that it's the clients' responsibility to do that
filtering, not the core network/edge routers.
In my mind, every router should have a default subset of these filters
on them. End of story. (Unfortunately not...)
What I find even more disturbing is the number of queries for and from
such networks that bleed through to our DNS servers. They obviously
just get rejected outright on the server firewall, but they should
never even have gotten there.
Companies that use private subnets should use DNS servers with views
to shield the Internet from such queries. I have even seen private
addresses being used in public DNS space, i.e. for MXs...
Wednesday, October 25, 2006, 10:41:58 AM, you wrote:
[snip]
When I first started managing my own internet access, I had rules in my
firewall to drop any private IPs coming from the outside. I went years
without a single hit on those rules. I eventually decided it wasn't worth
the CPU cycles to check every new connection for impossible packets and
deleted those rules. Maybe I should reconsider...
Jeff
I did the same on my firewalls after considering these subnets could never
reach my network per RFC 1918 statements!
But it seems many Internet connection providers never read RFCs or apply
them correctly :-(
(It's so easy to sell expensive options like firewall boxes that do what
should normally be basic.)
Now I will reinstall rules for RFC 1918 filtering :(
--
Best regards,
Jorn mailto:[EMAIL PROTECTED]
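One way to check a firewall log and a DNS query log for the "impossible" RFC 1918 traffic the thread describes, as an added example that is not from any poster on this list; the log lines are constructed samples in netfilter LOG and BIND query-log style, and the external interface name eth0 is an assumption.

```python
import ipaddress
import re

# RFC 1918 private address blocks that should never arrive from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in the style of a Linux netfilter LOG target (not real captures).
FW_LOG = """\
IN=eth0 OUT= SRC=10.45.2.9 DST=203.0.113.10 PROTO=TCP SPT=3344 DPT=25
IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=25
IN=eth1 OUT= SRC=192.168.1.20 DST=203.0.113.10 PROTO=UDP SPT=1024 DPT=53
IN=eth0 OUT= SRC=172.31.255.1 DST=203.0.113.10 PROTO=UDP SPT=40000 DPT=53
"""

# Constructed sample lines in the style of a BIND query log (not real captures).
DNS_LOG = """\
client 198.51.100.7#4123: query: 9.2.45.10.in-addr.arpa IN PTR
client 203.0.113.77#9981: query: www.example.com IN A
client 10.45.2.9#5353: query: mail.example.com IN MX
client 198.51.100.7#4124: query: 1.255.31.172.in-addr.arpa IN PTR
"""

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def ptr_to_ip(qname: str):
    """Turn 'd.c.b.a.in-addr.arpa' into 'a.b.c.d', or None if it is not a reverse name."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", qname)
    return ".".join(reversed(m.groups())) if m else None

def impossible_packets(log: str, external_if: str = "eth0") -> list:
    """SRC addresses seen on the external interface that are RFC 1918 (Jeff's 'impossible packets')."""
    hits = []
    for line in log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("IN") == external_if and is_rfc1918(fields["SRC"]):
            hits.append(fields["SRC"])
    return hits

def leaked_dns_queries(log: str) -> list:
    """(client, qname) pairs where the client or the reverse-lookup target is an RFC 1918 address."""
    leaks = []
    for line in log.splitlines():
        m = re.search(r"client ([\d.]+)#\d+: query: (\S+) IN (\w+)", line)
        if not m:
            continue
        client, qname, _rtype = m.groups()
        target = ptr_to_ip(qname)
        if is_rfc1918(client) or (target is not None and is_rfc1918(target)):
            leaks.append((client, qname))
    return leaks
```

Either list being non-empty is evidence that the upstream network is bleeding private-address traffic, which is the cheap check to run before deciding the firewall rules are not worth their CPU cycles.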