We have default rule-set of fire-walling rules per server. Even if the server is behind a fire-wall itself, we still apply fire-walling on each server itself. This set includes an RFC set by default.
From experience I can say that the networks bleed a lot of such traffic all over. When I asked our network engineers about this, I got various answers from not wanting to spend 2 minutes to add those ACLs to routers, to claims that the processing for implementing such ACLs would be too hefty on the CPUs of the router. I even had a comment that it's the clients responsibility to do that filtering, not the core network/edge routers. In my mind, every router should have a default subset of these filters on them. End of story. (Unfortunately not...) What I find even more disturbing is the number of queries for and from such networks that bleed through to our DNS servers. They obviously just get rejected outright on the server fire-wall, but they should never even have gotten there. Companies that use private sub nets, should use DNS servers with views to shield the Internet from such queries. I have even seen private addresses being used in public DNS space. I.E. for MXs... Wednesday, October 25, 2006, 10:41:58 AM, you wrote: [snip] >>When I first started managing my own internet access, I had rules in my >>firewall to drop any private IPs coming from the outside. I went years >>without a single hit on those rules. I eventually decided it wasn't worth > the >>CPU cycles to check every new connection for impossible packets and deleted >>those rules. Maybe I should reconsider... >> >>Jeff > I did the same on my firewalls after considering these subnets could never > reach my network per rfc 1918 statements ! > But it seems many Internet connection providers never read rfc's or apply > them correctly :-( > (its so easy to sell expensive options like firewall boxes that will do that > should normally be the basic.) > Now I will reinstall rules for rfc 1918 filtering :( -- Best regards, Jorn mailto:[EMAIL PROTECTED] - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
