On Dec 5, 2009, at 8:46 AM, der Mouse wrote:

>> All traffic to any service not offered publicly somewhere on my
>> network is dropped without further comment at the border router. You
>> guys seem to be not doing that.
>
> Well, in my case, my NTP pool host *is* my border router.
>
> But, that aside, I can't really do that because I will often create
> "services" ad-hoc. Telling the border router about them automatically
> is (a) not possible without substantial software creation and (b)
> pointless because it annuls the whole point of firewalling services to
> allow traffic to new ad-hoc "services".
>
> Nor do I have any particular desire to. I do not subscribe to the
> "hard shell, soft and chewy interior" model of network design; I
> firewall to keep noise out of my logs (and CPU usage down on
> CPU-expensive services like ssh), not to keep attackers from reaching
> unprotected services. (Well, unless you count putting some machines on
> non-routable addresses as a form of firewalling, which I mostly don't.)
Hmmm. Both responses I've received so far have said similar things: the NTP server is sitting on the 'Net.

I'm a retired computer geek who spent his life doing things that had nothing to do with networking, so I missed the Internet (except as a user). When I retired I put up a couple of server systems, and immediately got creamed by a badGuy in China because of a sloppy (newbie) install of RedHat 6. So I became a security freak and started reading books and installing layers of stateful router ACLs, and 3-hole firewalls, and packet filters, and 1918 DMZ and LAN nets, and stuff. There are pretty hard shells everywhere.

Working great so far, except for when I cut myself off from the universe. I do spend an awful lot of time futzing with it, though, and adding a new service is a significant production. OTOH I haven't been visited by that guy from China again...

And y'all are actually OK without all this? Interesting.

--
Glenn English
[email protected]

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
