> > -----Original Message-----
> > From: Matthew Reath [mailto:m...@mattreath.com]
> > Sent: 07 February 2012 21:34
> > To: nanog@nanog.org
> > Subject: Firewalls in service provider environments
> >
> > All,
> >
> > Looking for some recommendations on firewall placement in service provider
> > environments. I'm of the school of thought that in my SP network I do as
> > little firewalling/packet filtering as possible. As in none,
>
> I had a vendor actually suggest that ALL my customer traffic should
> traverse a firewall. I asked why and they said "Ahhh, it's the internet, must
> have firewall". I suppose this must have been a great firewall.
>
> So yes, I would agree with you: firewall nothing for your customers unless
> they are paying you for a specific service. Filtering known bad ports,
> well, what's a known bad port? Bad for one person may be quite important
> for another. Whilst filtering port 25 outbound may help prevent some bots
> from emanating spam, it certainly does a lot to annoy other people.
>
> --
> Leigh Porter
From a filtering perspective there are some known worm ports and such that we usually have a template created for. Here is the template we typically use (or a variant of it):

<-- snippet -->
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 0.0.0.0 0.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 224.0.0.0 15.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny tcp any any eq 135
access-list 102 deny udp any any eq 135
access-list 102 deny udp any any eq netbios-ns
access-list 102 deny tcp any any eq 139
access-list 102 deny udp any any eq netbios-ss
access-list 102 deny tcp any any eq 445
access-list 102 deny tcp any any eq 593
access-list 102 deny tcp any any eq 4444
access-list 102 deny tcp any any eq 9996
access-list 102 deny tcp any any eq 5554
access-list 102 deny tcp any any eq 8888
access-list 102 deny tcp any any eq 7778
access-list 102 deny tcp any any eq 8594
access-list 102 deny tcp any any eq 8563
access-list 102 deny tcp any any eq 1434
<-- end snippet -->

This blocks some common worm ports as well as traffic sourced outside of our network from reserved address space.

-Matt
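A small evaluator for templates like the one above, added here as an example and not part of the thread or of any vendor's code. It parses the Cisco wildcard-mask ACL syntax and answers "would this packet be dropped?", which is how I would sanity-check a filter template before pushing it to an edge: the reserved-source lines must match, and ordinary customer traffic must not. The sample ACL is a constructed subset of Matt's template; the trailing `permit ip any any` is assumed, since the posted template has only deny lines and a Cisco ACL ends in an implicit deny.

```python
import ipaddress

# Constructed sample input: a subset of the ACL template posted above plus a
# trailing "permit ip any any", assumed here because the posted template has
# only deny lines and a Cisco ACL otherwise ends with an implicit deny.
ACL_TEMPLATE = """
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 224.0.0.0 15.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny tcp any any eq 135
access-list 102 deny udp any any eq netbios-ns
access-list 102 deny tcp any any eq 445
access-list 102 permit ip any any
"""
# Cisco IOS port keywords used in the template; other ports are numeric.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

def _addr_matcher(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (predicate, rest)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        want = int(ipaddress.IPv4Address(tokens[1]))
        return (lambda ip: ip == want), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    care = ~wild & 0xFFFFFFFF  # wildcard 1-bits are "don't care" bits
    return (lambda ip: ip & care == base & care), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N action proto src dst [eq port]' lines, in order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = _addr_matcher(t[4:])
        dst, rest = _addr_matcher(rest)
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, src_ip, dst_ip, proto, dst_port=None):
    """First-match evaluation; falls through to Cisco's implicit deny."""
    s, d = (int(ipaddress.IPv4Address(a)) for a in (src_ip, dst_ip))
    for action, rproto, src, dst, port in rules:
        if rproto in ("ip", proto) and src(s) and dst(d) and port in (None, dst_port):
            return action
    return "deny"
```

Running `evaluate(parse_acl(ACL_TEMPLATE), "10.1.2.3", "203.0.113.5", "tcp", 80)` returns `deny`, while the same packet from `198.51.100.7` returns `permit`; swapping its port to 445 returns `deny` again.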