North American Network Operators Group
Re: Customer-facing ACLs
On Fri, 7 Mar 2008, Scott Weeks wrote:
> To me there is no question of whether or not you filter traffic for residential broadband customers.
Depends on how you ask the questions.
How about: Should a stateful firewall be provided for casual broadband dynamic Internet access connections by default? Users may change the default settings of the stateful firewall as they choose.
1. Unsolicited inbound (to user LAN) traffic
Are there LAN-only protocols and other data packets which shouldn't be accepted on WAN Internet access links without prior coordination (if ever)?
1. Anti-spoofing controls of source addresses
2. Proxy/gratuitous ARP, ICMP redirects, DHCP server->client, RIP?
3. "Local" multicast data and broadcasts
4. "Sanity" checks of IP headers (i.e. source==destination, loopback, etc) which should never appear on the wire
5. Layer 2 non-Internet (non-IP, non-IPv6, non-ARP, non-PPPoE)
Are there some protocols that should have prior coordination when using some Internet access types, e.g. dynamic or unauthenticated connections?
1. outbound to off-net SMTP (port 25) instead of MSA (port 587)
2. NetBIOS over TCP, the exploding Microsoft protocol?
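The checklist in the message above (anti-spoofing, LAN-only protocols, header sanity, local multicast/broadcast, and the "prior coordination" items for off-net SMTP and NetBIOS) can be expressed as an ordered packet policy. The following is an added example written for this page, not code from Sean Donelan, Scott Weeks or NANOG; on a real access router it would be an ACL, but it is shown here in Python so the ordering and the exceptions can be exercised. The customer prefix 203.0.113.0/24, the provider mail relay 198.51.100.25, the provider DHCP server 198.51.100.67, the Packet fields and every sample packet are assumptions constructed for the example. The layer-2 items (ARP, PPPoE) and the stateful "unsolicited inbound" default are outside what a stateless IP filter like this one can express.

```python
"""Added example: an ordered, stateless edge-filter policy for a residential
access link, modelled on the checklist in the NANOG message above.
Not the poster's or NANOG's code; addresses and packet model are assumed."""
import ipaddress
from dataclasses import dataclass

# Assumed (constructed) addresses for this example.
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")
PROVIDER_SMTP_RELAY = ipaddress.ip_address("198.51.100.25")
PROVIDER_DHCP_SERVER = ipaddress.ip_address("198.51.100.67")

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # RIPv2, OSPF, mDNS, ...
NETBIOS_PORTS = {137, 138, 139, 445}
RIP_PORT = 520
ICMP_REDIRECT = 5


@dataclass
class Packet:
    direction: str        # "from_customer" (toward Internet) or "to_customer"
    src: str
    dst: str
    proto: str = "tcp"    # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1   # only meaningful when proto == "icmp"


def evaluate(pkt: Packet):
    """Return (verdict, reason) for one packet. Rules are checked in order;
    the first match wins, so sanity and anti-spoof come before everything."""
    if pkt.direction not in ("from_customer", "to_customer"):
        raise ValueError("unknown direction %r" % pkt.direction)
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    is_dhcp_client = pkt.proto == "udp" and pkt.sport == 68 and pkt.dport == 67
    is_dhcp_server = pkt.proto == "udp" and pkt.sport == 67 and pkt.dport == 68

    # 4. Header sanity: things that should never appear on the wire.
    if src == dst:
        return "drop", "sanity: source equals destination"
    if src.is_loopback or dst.is_loopback:
        return "drop", "sanity: loopback address on the wire"
    if src.is_unspecified and not is_dhcp_client:
        return "drop", "sanity: unspecified source outside DHCP discovery"

    # DHCP is the one case where an unspecified source and a limited broadcast
    # are legitimate (client request). Server->client replies are LAN-only
    # except from the provider's own server (assumed address).
    if is_dhcp_client and pkt.direction == "from_customer":
        return "permit", "dhcp: client request"
    if is_dhcp_server:
        if pkt.direction == "to_customer" and src == PROVIDER_DHCP_SERVER:
            return "permit", "dhcp: reply from provider server"
        return "drop", "lan-only: DHCP server->client"

    # 1. Anti-spoofing, applied in both directions.
    if pkt.direction == "from_customer" and src not in CUSTOMER_PREFIX:
        return "drop", "anti-spoof: source not in customer prefix"
    if pkt.direction == "to_customer" and src in CUSTOMER_PREFIX:
        return "drop", "anti-spoof: customer prefix sourced from outside"

    # 3. Local multicast and broadcast do not cross the access link.
    if (dst in LINK_LOCAL_MCAST or dst == LIMITED_BROADCAST
            or dst == CUSTOMER_PREFIX.broadcast_address):
        return "drop", "lan-only: local multicast/broadcast"

    # 2. Other LAN-only protocols.
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_REDIRECT:
        return "drop", "lan-only: ICMP redirect"
    if pkt.proto == "udp" and RIP_PORT in (pkt.sport, pkt.dport):
        return "drop", "lan-only: RIP"

    # Protocols that need prior coordination on dynamic/unauthenticated links.
    if pkt.proto in ("tcp", "udp") and (
            pkt.sport in NETBIOS_PORTS or pkt.dport in NETBIOS_PORTS):
        return "drop", "coordination: NetBIOS over TCP/IP"
    if (pkt.direction == "from_customer" and pkt.proto == "tcp"
            and pkt.dport == 25 and dst != PROVIDER_SMTP_RELAY):
        return "drop", "coordination: off-net SMTP, use MSA port 587"

    return "permit", "default"


if __name__ == "__main__":
    samples = [
        Packet("from_customer", "203.0.113.10", "198.51.100.1", "tcp", 40000, 443),
        Packet("from_customer", "10.0.0.5", "198.51.100.1", "tcp", 40000, 443),
        Packet("from_customer", "0.0.0.0", "255.255.255.255", "udp", 68, 67),
        Packet("to_customer", "198.51.100.1", "203.0.113.10", "udp", 67, 68),
        Packet("from_customer", "203.0.113.10", "192.0.2.25", "tcp", 40000, 25),
        Packet("to_customer", "192.0.2.40", "203.0.113.10", "tcp", 40000, 445),
    ]
    for p in samples:
        print(p.direction, p.src, "->", p.dst, p.proto, p.dport, evaluate(p))
```

Rule order matters: the sanity and anti-spoofing checks sit first because a spoofed source must never reach the later, more permissive rules, and DHCP is handled explicitly before anti-spoofing because a client request legitimately carries source 0.0.0.0 and destination 255.255.255.255, which the generic rules would otherwise drop.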