The following list is what I'm thinking of using for blocking traffic
between an edge router acting as a firewall and an ISP/upstream. This
table is limited to address blocks only; TCP/UDP port filtering, and IP
protocol filtering, is a separate discussion. This is for an
implementation of BCP-38
Hi,
sorry - but why would you want to block Teredo / 6to4?
Florian Brandstetter
President & Founder
W // https://www.globalone.io
On 10/13/19 8:58 AM, Stephen Satchell wrote:
In trying to research what would constitute "best practice", the papers
I found were outdated, potentially incomplete (particularly with
reference to IPv6), or geared toward other applications. This table
currently does not have exceptions -- some ma
On Sun, Oct 13, 2019 at 8:58 AM Stephen Satchell wrote:
> The following list is what I'm thinking of using for blocking traffic
> between an edge router acting as a firewall and an ISP/upstream. This
> table is limited to address blocks only; TCP/UDP port filtering, and IP
> protocol filtering,
Hi,
On Sun, Oct 13, 2019 at 08:58:17AM -0700, Stephen Satchell wrote:
> The following list is what I'm thinking of using for blocking traffic
> between an edge router acting as a firewall and an ISP/upstream. This
> fe80::/10 LinkLink-local address.
most people allow that
On Sun, 13 Oct 2019 at 19:29, William Herrin wrote:
> The current IPv6 Internet is 2000::/3, not ::/0 and that won't change in the
> foreseeable future. You can tighten your filter to allow just that.
Only do this if this isn't a CLI jockey network now or in the future.
--
++ytti
On 10/13/19 9:08 AM, Florian Brandstetter wrote:
> Hi,
>
> sorry - but why would you want to block Teredo?
I know nothing about Teredo tunneling.
> In computer networking, Teredo is a transition technology that gives
> full IPv6 connectivity for IPv6-capable hosts that are on the IPv4
> Interne
On 10/13/19 9:58 AM, Stephen Satchell wrote:
The Linux rp_filter knob is effective for endpoint servers and
workstations, and I turn it on religiously (easy because it's the
default).
I think it's just as effective on routers as it is on servers and
workstations.
For a firewall router witho
On 10/13/19 3:36 PM, Stephen Satchell wrote:
Are you saying that Teredo should come off the list? Is this useful
between an ISP and an edge firewall fronting an internal network? Would
I see inbound packets with a source address in the 2001::/32 netblock?
If you are running services which ar
On Mon, 14 Oct 2019 at 03:38, Grant Taylor via NANOG wrote:
> I think you should seriously re-consider using rp_filter on a router.
rp_filter is one of the most expensive features in modern routers, you
should only use it, if PPS performance is not important. If PPS
performance is important, ACL
❦ 14 October 2019 09:14 +03, Saku Ytti:
>> I think you should seriously re-consider using rp_filter on a router.
>
> rp_filter is one of the most expensive features in modern routers, you
> should only use it, if PPS performance is not important. If PPS
> performance is important, ACL is much fa