On Wed, 18 Mar 2020 at 20:09, Chuck Anderson wrote:
> I disagree that they would be any good at it--it would likely be filled with
> the same holes as we've seen here given network vendors' poor history in this
> area (see bad filters taking out IS-IS, IPv6 ND, and NFS traffic on EX4500
>
On Wed, Mar 18, 2020 at 06:36:58PM +0200, Saku Ytti wrote:
> On Wed, 18 Mar 2020 at 18:30, John Kristoff wrote:
>
> > Yep, I get all that. I can tighten that up. Care to show us how you
> > do loopback filters?
>
> It is situational, it's hard to come up with one-size-fits-all. One
> approach
On Wed, 18 Mar 2020 at 18:53, Chuck Anderson wrote:
> 49125-65535, 1024-49124 could have something listening in them.
>
> Thanks, this is useful. From the BSD shell it appears to be 49160-65535:
You are correct. I debated between the sysctl or standard, and I'm not
sure if I made the right
On Wed, Mar 18, 2020 at 06:33:11PM +0200, Saku Ytti wrote:
> On Wed, 18 Mar 2020 at 18:28, Chuck Anderson wrote:
>
> > term bgp-inbound {
> > from {
> > source-prefix-list {
> > bgp-neighbors-v4;
> > }
> > protocol tcp;
> > source-port 1024-65535;
On Wed, 18 Mar 2020 at 18:28, Chuck Anderson wrote:
> term bgp-inbound {
> from {
> source-prefix-list {
> bgp-neighbors-v4;
> }
> protocol tcp;
> source-port 1024-65535;
This is immaterial, you don't care what this SPORT is. Be liberal.
> term
On Wed, Mar 18, 2020 at 11:16:54AM -0500, John Kristoff wrote:
> On Wed, 18 Mar 2020 16:02:09 +
> Saku Ytti wrote:
>
> > It is completely broken, you use 'port' so you expose every port in your
> > system.
>
> Ha, OK thanks. I think that would require some not so easy spoofing
> unless
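The objection in the last two exchanges, that matching on `port` rather than `destination-port` exposes every listening port, and that the source port of an inbound session is immaterial, can be made concrete with a small model of how the filter terms evaluate. This is an added example, not code from the thread or from Junos: the prefix-list contents, the peer and router addresses (documentation ranges) and the 49160-65535 ephemeral range taken from the thread are all assumptions. Match semantics follow Junos, where `port` tests either side of the 4-tuple and `source-port`/`destination-port` test only the named side.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


# Constructed stand-in for the prefix-list `bgp-neighbors-v4` (documentation
# addresses, not anyone's real peers).
BGP_NEIGHBORS_V4 = [ip_network("192.0.2.0/24"), ip_network("198.51.100.1/32")]

# Ephemeral range the thread reports from the BSD shell; an assumption here,
# verify with `sysctl net.inet.ip.portrange` on the box you are filtering.
EPHEMERAL = range(49160, 65536)


def in_prefix_list(addr, prefixes):
    a = ip_address(addr)
    return any(a in p for p in prefixes)


def term_matches(pkt, cond):
    """All conditions in a term's `from` clause must hold. Modelled on Junos:
    `port` matches on either source or destination port, while
    `source-port` / `destination-port` only look at the named side."""
    if "source-prefix-list" in cond and not in_prefix_list(pkt.src, cond["source-prefix-list"]):
        return False
    if "protocol" in cond and pkt.proto != cond["protocol"]:
        return False
    if "source-port" in cond and pkt.sport not in cond["source-port"]:
        return False
    if "destination-port" in cond and pkt.dport not in cond["destination-port"]:
        return False
    if "port" in cond and pkt.sport not in cond["port"] and pkt.dport not in cond["port"]:
        return False
    return True


def evaluate(pkt, terms):
    """First matching term wins; a filter with no trailing accept-all term
    discards everything else, as on a loopback filter."""
    for name, cond, action in terms:
        if term_matches(pkt, cond):
            return name, action
    return "implicit", "discard"


# Filter 1: `port 179`, the construction the thread calls completely broken.
BROKEN = [
    ("bgp-inbound", {"source-prefix-list": BGP_NEIGHBORS_V4, "protocol": "tcp",
                     "port": [179]}, "accept"),
]

# Filter 2: direction-aware. Sessions the peer opens land on our 179; replies
# to sessions we opened come from their 179 to our ephemeral port. No
# source-port match on the inbound term: that value is whatever the peer's
# stack chose, so constraining it buys nothing.
FIXED = [
    ("bgp-inbound", {"source-prefix-list": BGP_NEIGHBORS_V4, "protocol": "tcp",
                     "destination-port": [179]}, "accept"),
    ("bgp-replies", {"source-prefix-list": BGP_NEIGHBORS_V4, "protocol": "tcp",
                     "source-port": [179], "destination-port": EPHEMERAL}, "accept"),
]


# Constructed probe packets; 203.0.113.1 plays the router's loopback.
def probe_ssh_with_sport_179(terms):
    """SYN to tcp/22 spoofed from a neighbor, source port deliberately 179."""
    return evaluate(Packet("192.0.2.5", "203.0.113.1", "tcp", 179, 22), terms)[1]


def neighbor_opens_bgp(terms):
    return evaluate(Packet("192.0.2.5", "203.0.113.1", "tcp", 51234, 179), terms)[1]


def reply_to_our_open(terms):
    return evaluate(Packet("198.51.100.1", "203.0.113.1", "tcp", 179, 49201), terms)[1]


def stranger_opens_bgp(terms):
    return evaluate(Packet("203.0.113.9", "203.0.113.1", "tcp", 51234, 179), terms)[1]


if __name__ == "__main__":
    for label, terms in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, probe_ssh_with_sport_179(terms), neighbor_opens_bgp(terms),
              reply_to_our_open(terms), stranger_opens_bgp(terms))
```

With the `port 179` term, a packet whose source port is 179 reaches tcp/22 (or any other listener) as long as its source address sits in the neighbor list, which is the spoofing the reply above refers to. The `bgp-replies` term in the second filter still admits source-port-179 traffic to anything listening inside the ephemeral range, which is exactly why the thread argues about where that range starts: every port below it that the term covers is an extra exposure.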