Re: Request comment: list of IPs to block outbound

2019-10-13 Thread Brandon Martin
On 10/13/19 3:36 PM, Stephen Satchell wrote: Are you saying that Teredo should come off the list? Is this useful between an ISP and an edge firewall fronting an internal network? Would I see inbound packets with a source address in the 2001::/32 netblock? If you are running services which

Re: Request comment: list of IPs to block outbound

2019-10-13 Thread Grant Taylor via NANOG
On 10/13/19 9:58 AM, Stephen Satchell wrote: The Linux rp_filter knob is effective for endpoint servers and workstations, and I turn it on religiously (easy because it's the default). I think it's just as effective on routers as it is on servers and workstations. For a firewall router

Re: Request comment: list of IPs to block outbound

2019-10-13 Thread Stephen Satchell
On 10/13/19 9:08 AM, Florian Brandstetter wrote: > Hi, > > sorry - but why would you want to block Teredo? I know nothing about Teredo tunneling. > In computer networking, Teredo is a transition technology that gives > full IPv6 connectivity for IPv6-capable hosts that are on the IPv4 >

Re: Request comment: list of IPs to block outbound

2019-10-13 Thread Saku Ytti
On Sun, 13 Oct 2019 at 19:29, William Herrin wrote: > The current IPv6 Internet is 2000::/3, not ::/0 and that won't change in the > foreseeable future. You can tighten your filter to allow just that. Only do this if this isn't a CLI jockey network now or in the future. -- ++ytti

Re: Request comment: list of IPs to block outbound

2019-10-13 Thread Enno Rey
Hi, On Sun, Oct 13, 2019 at 08:58:17AM -0700, Stephen Satchell wrote: > The following list is what I'm thinking of using for blocking traffic > between an edge router acting as a firewall and an ISP/upstream. This > fe80::/10 Link-local address. most people allow that

Re: Request comment: list of IPs to block outbound

2019-10-13 Thread William Herrin
On Sun, Oct 13, 2019 at 8:58 AM Stephen Satchell wrote: > The following list is what I'm thinking of using for blocking traffic > between an edge router acting as a firewall and an ISP/upstream. This > table is limited to address blocks only; TCP/UDP port filtering, and IP > protocol filtering,

Re: Request comment: list of IPs to block outbound

2019-10-13 Thread Seth Mattinen
On 10/13/19 8:58 AM, Stephen Satchell wrote: In trying to research what would constitute "best practice", the papers I found were outdated, potentially incomplete (particularly with reference to IPv6), or geared toward other applications. This table currently does not have exceptions -- some

Re: Request comment: list of IPs to block outbound

2019-10-13 Thread Florian Brandstetter via NANOG
Hi, sorry - but why would you want to block Teredo / 6to4? Florian Brandstetter President & Founder W // https://www.globalone.io On Okt.

Request comment: list of IPs to block outbound

2019-10-13 Thread Stephen Satchell
The following list is what I'm thinking of using for blocking traffic between an edge router acting as a firewall and an ISP/upstream. This table is limited to address blocks only; TCP/UDP port filtering, and IP protocol filtering, is a separate discussion. This is for an implementation of