Finally getting our BGP project back in play, normalizing all our routers. Focus tonight is the firewall.

I had been putting Butch Evans' firewall on all our interior routers, and the two upstream peer routers had minimized rules. The more I think about it, the interior routers really shouldn't need much, maybe less than the edge. All routers' input firewalls have a default drop all; as far as I know, there isn't a much better way to secure it aside from pulling the cable. Separate ACL allow lists in individual purpose-built ACLs. I had done !ACL=drop, but realized it doesn't let me separate or ID traffic. I figure as long as we keep the allow ruleset under 10, that's not much load.

Forward rules, I've been really scaling back on the interior side; if I drop stuff at the edge there's no need to do anything inside. If I want to make sure I'm a BCP38 good guy, I'd like to just see a list of rules. How many firewall rules are too many on an exterior BGP / interior OSPF network? (Very vague, I know, just looking for a rule of thumb, and I know if we do MPLS/VPLS interior it all changes.)

End of the day, I want access to my units, I want processes to work, I want to stop anything from coming in that shouldn't at the edge, and anything from exiting that shouldn't at the POP. "Shouldn't" being defined as industry-accepted unnecessary traffic. I don't care about content or repurposed porting.

We have a few rules for customers that will be implemented this year. No port 25 traffic in any direction, no inbound DNS, no inbound NTP; if you're residential, no exceptions. Same if you're business, but you can be added to an ACL.
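
One way the policy in the post could be laid out, as an added example (not the poster's config and not Butch Evans' script), assuming MikroTik RouterOS syntax and placeholder interface and address lists (`upstream`, `customers`, `our-prefixes`, `bgp-peers`, `mgmt-allow`, `biz-smtp-ok`, `biz-inbound-ok`) that are constructed for illustration:

```routeros
# Added example, not the poster's config. Assumes RouterOS syntax; every
# list name and address below is a placeholder constructed for illustration.
/interface list
add name=upstream comment="transit/peer ports"
add name=customers comment="customer-facing ports"
/interface list member
add list=upstream interface=ether1
add list=customers interface=ether2
/ip firewall address-list
add list=our-prefixes address=203.0.113.0/24 comment="placeholder: space we announce"
add list=bgp-peers address=198.51.100.1 comment="placeholder: upstream peer"
add list=mgmt-allow address=192.0.2.0/24 comment="placeholder: NOC"
add list=biz-smtp-ok address=203.0.113.10 comment="placeholder: business SMTP exception"
add list=biz-inbound-ok address=203.0.113.10 comment="placeholder: business DNS/NTP exception"

# Input chain (every router): a handful of named allows, then default drop.
# Each allow is its own rule so hits can be counted and identified per purpose.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=tcp dst-port=179 src-address-list=bgp-peers action=accept comment="BGP from known peers only"
add chain=input protocol=ospf in-interface-list=!upstream action=accept comment="OSPF only on interior links"
add chain=input protocol=icmp action=accept comment="ping / PMTUD"
add chain=input src-address-list=mgmt-allow action=accept comment="management from NOC list"
add chain=input action=drop comment="default drop"

# Forward chain (edge/POP router only; interior routers carry none of this).
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface-list=customers src-address-list=!our-prefixes action=drop comment="BCP38 ingress: customer side may only source our space"
add chain=forward out-interface-list=upstream src-address-list=!our-prefixes action=drop comment="BCP38 egress: nothing leaves with a source we do not own"
add chain=forward in-interface-list=upstream protocol=tcp dst-port=25 dst-address-list=!biz-smtp-ok action=drop comment="no inbound SMTP unless on exception ACL"
add chain=forward in-interface-list=customers protocol=tcp dst-port=25 src-address-list=!biz-smtp-ok action=drop comment="no outbound SMTP unless on exception ACL"
add chain=forward in-interface-list=upstream protocol=udp dst-port=53 dst-address-list=!biz-inbound-ok action=drop comment="no inbound DNS unless on exception ACL"
add chain=forward in-interface-list=upstream protocol=tcp dst-port=53 dst-address-list=!biz-inbound-ok action=drop
add chain=forward in-interface-list=upstream protocol=udp dst-port=123 dst-address-list=!biz-inbound-ok action=drop comment="no inbound NTP unless on exception ACL"
```

Because the established/related accept comes first, customer-originated DNS and NTP replies still pass; only new inbound connections to those ports are dropped, and residential space is never on the exception lists.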
