From: Glenn English
On my nets, I need to be able to telnet/ssh into the border router, from the inside, to futz with it.

But is there any reason at all to allow anything, aside from some ICMP, to go beyond the ACL on its Internet facing interface -- to get to the router itself, that is?

--
Glenn English
ghe(a)slsware.com

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/6BE8023D-76B5-4978-92C8-4BC102BD5B11(a)slsware.com
From: Daniel D Jones
On Friday 16 April 2010 21:00:56 Glenn English wrote:
> On my nets, I need to be able to telnet/ssh into the border router, from
> the inside, to futz with it.
>
> But is there any reason at all to allow anything, aside from some ICMP, to
> go beyond the ACL on its Internet facing interface -- to get to the router
> itself, that is?

You mean packets coming in from the Internet with a destination IP that is
assigned to the router itself? Are you running any sort of routing protocol
or similar that communicates with your ISP's routers, including things like
MPLS, or any VPNs/tunnels that terminate at the border router? What about NAT
or port forwarding on the border router?

--
"Clothes make the man. Naked people have little or no influence on society." -
Mark Twain, American Writer (1835-1910)

Archive: http://lists.debian.org/201004162235.18145.ddjones(a)riddlemaster.org
From: Glenn English

On Apr 16, 2010, at 8:35 PM, Daniel D Jones wrote:

>> But is there any reason at all to allow anything, aside from some ICMP, to
>> go beyond the ACL on its Internet facing interface -- to get to the router
>> itself, that is?
>
> You mean packets coming in from the Internet with a destination IP that is
> assigned to the router itself?

Yup. I've blocked telnet and some irrelevant ICMP for a long time. It dawned on me the other day that I couldn't think of any reason not to just drop all TCP and UDP traffic to the router's outside IP.

> Are you running any sort of routing protocol
> or similar that communicates with your ISP's routers, including things like
> MPLS, or any VPNs/tunnels that terminate at the border router?

No routing protocols on the outside interface. The VPNs are handled by a host in the DMZ. To this router, the VPN traffic looks like just more UDP between public IPs.

> What about NAT
> or port forwarding on the border router?

There's no port forwarding, and NAT all happens inside, on the firewall that connects the outside, the DMZ, and the LAN. This router sees only my routable address space (and its IP on the 1918 net between it and the firewall).

--
Glenn English
ghe(a)slsware.com

Archive: http://lists.debian.org/41EBEF30-1BF2-4092-AD4B-B0713E968150(a)slsware.com
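The filter the thread converges on, written out as an added example (it is not from any of the posters, whose router platform is never named): a Linux border router using nftables. Linux separates packets addressed to one of the router's own IPs (the input hook) from transit packets (the forward hook), which is exactly the distinction Daniel asks about, so the two can carry different policies: drop all TCP and UDP aimed at the router from the outside, keep a little ICMP, leave transit to the existing ACL. The interface names, the RFC 1918 /30 toward the firewall and the public prefix are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not the list poster's configuration. All addresses and
# interface names below are assumptions chosen for illustration.

define WAN    = eth0                # Internet-facing interface
define INSIDE = eth1                # link to the firewall
define MGMT   = 192.168.255.0/30    # assumed RFC 1918 net between router and firewall
define PUBLIC = 203.0.113.0/24      # assumed routable block that lives behind the firewall

flush ruleset

table inet border {

    # Packets whose destination is an address owned by the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept

        # Replies to sessions the router itself opened (NTP, DNS, its own pings)
        # and ICMP errors tied to them, e.g. fragmentation-needed, arrive as
        # established/related. Without this line a blanket drop also breaks those.
        ct state established,related accept
        ct state invalid drop

        # Management only from the inside link, and only ssh, not telnet.
        iifname $INSIDE ip saddr $MGMT tcp dport 22 accept

        # From the Internet, only the ICMP needed to diagnose the router itself.
        # Every TCP and UDP packet to the outside IP falls through to the drop policy.
        iifname $WAN icmp type { echo-request, destination-unreachable, time-exceeded } accept

        # Sample what gets dropped so a misjudged permit shows up in the logs.
        iifname $WAN limit rate 10/minute log prefix "border-input-drop: "
    }

    # Transit packets for the public block behind the firewall. The input-chain
    # policy has no effect here; only the usual anti-spoofing belongs in this chain.
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Private sources and our own prefix must never arrive from the Internet.
        iifname $WAN ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        iifname $WAN ip saddr $PUBLIC drop

        # Only traffic for our block may enter from the Internet.
        iifname $WAN ip daddr != $PUBLIC drop
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`; the `log` rule is there so that a permit you forgot (an NTP peer, a monitoring probe, an ISP tool that pings a non-echo service) is visible before you find out the hard way. On a platform with a single inbound interface ACL rather than separate hooks, the same intent is expressed by placing the ICMP permits for the router's outside address first, then a deny for anything else to that address, and only after that the permits for transit to the public block. If the link ever carries IPv6, ICMPv6 neighbour discovery and router advertisements addressed to the router must be permitted in the input chain as well, or the link stops working.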