> All traffic to any service not offered publicly somewhere on my
> network is dropped without further comment at the border router. You
> guys seem to be not doing that.
> Am I wrong in that (IYHO :-)

Well, in my case, my NTP pool host *is* my border router.

But, that aside, I can't really do that because I will often create "services" ad-hoc. Telling the border router about them automatically is (a) not possible without substantial software creation and (b) pointless because it annuls the whole point of firewalling services to allow traffic to new ad-hoc "services".

Nor do I have any particular desire to. I do not subscribe to the "hard shell, soft and chewy interior" model of network design; I firewall to keep noise out of my logs (and CPU usage down on CPU-expensive services like ssh), not to keep attackers from reaching unprotected services. (Well, unless you count putting some machines on non-routable addresses as a form of firewalling, which I mostly don't.)

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                [email protected]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
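The two positions in this exchange can be expressed as one ruleset: the quoted correspondent's border policy (drop anything not offered publicly, without logging it) and the reply's stated reasons for filtering at all (keeping noise out of the logs and CPU usage down on ssh). The nftables ruleset below is an added illustration, not either poster's configuration. It assumes a host that is both the border router and a public NTP pool member, that NTP (udp/123) and ssh (tcp/22) are the only services meant to be reachable from outside, and that the host is an end system (no forwarding), so only the input hook is shown. The ssh rate limit is a constructed value.

```nftables
#!/usr/sbin/nft -f
# Added example: default-drop border policy for a host that is also an NTP pool member.
# Assumptions: NTP and ssh are the only public services; no forwarding through this host.

flush ruleset

table inet border {
    chain input {
        type filter hook input priority filter; policy drop;

        # Replies to connections this host started, and loopback.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Enough ICMP/ICMPv6 for path MTU discovery and neighbour discovery to keep working.
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert } accept

        # The one service offered publicly: NTP.
        udp dport 123 accept comment "public NTP pool service"

        # ssh is offered, but new connections are rate-limited so scanners cannot
        # burn CPU on key exchange; the excess is counted and dropped silently.
        # (6/minute with a burst of 6 is a constructed value; tune to taste.)
        tcp dport 22 ct state new limit rate 6/minute burst 6 packets accept \
            comment "ssh, rate-limited"
        tcp dport 22 ct state new counter drop comment "ssh over limit"

        # Everything else falls through to the chain policy: dropped, not logged,
        # so unsolicited probes never reach the logs.
    }
}
```

Load it with `nft -f <file>` and inspect the counters with `nft list ruleset` to see how much ssh traffic the limit is absorbing. Because the chain policy is `drop` and no `log` statement is present, the ruleset deliberately produces no log lines for rejected traffic; adding a rate-limited `log` rule before the policy applies is the usual compromise if some visibility into dropped probes is wanted.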