
Re: router policy question



On Apr 16, 2010, at 8:35 PM, Daniel D Jones wrote:

>> But is there any reason at all to allow anything, aside from some ICMP, to
>> go beyond the ACL on its Internet facing interface -- to get to the router
>> itself, that is?
> 
> You mean packets coming in from the Internet with a destination IP that is 
> assigned to the router itself?  

Yup. I've blocked telnet and some irrelevant ICMP for a long time. It dawned on me the other day that I couldn't think of any reason not to just drop all TCP and UDP traffic to the router's outside IP.

> Are you running any sort of routing protocol 
> or similar that communicates with your ISP's routers, including things like 
> MPLS, or any VPNs/tunnels that terminate at the border router?

No routing protocols on the outside interface. The VPNs are handled by a host in the DMZ. To this router, the VPN traffic looks like just more UDP between public IPs.

> What about NAT 
> or port forwarding on the border router?

There's no port forwarding, and NAT all happens inside, on the firewall that connects the outside, the DMZ, and the LAN. This router sees only my routable address space (and its IP on the 1918 net between it and the firewall).

-- 
Glenn English
ghe@slsware.com
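One way to write the inbound policy this reply describes (answer a few ICMP types, drop everything else addressed to the router's own outside IP, pass transit traffic to the firewall), as an added example that is not from the poster or the list; it assumes Cisco IOS extended access-list syntax, a placeholder outside address 203.0.113.1 from the documentation range, a placeholder /24 of routable space, and a placeholder interface name:

```cisco
! Assumed: Cisco IOS syntax. 203.0.113.1 is a placeholder for the router's
! outside interface address; 203.0.113.0/24 a placeholder for the routable
! space behind it. Neither is the poster's real addressing.
ip access-list extended OUTSIDE-IN
 ! ICMP the router itself still needs to send/receive: ping in both
 ! directions, plus unreachable (incl. fragmentation-needed for PMTUD on the
 ! router's own sessions) and time-exceeded so traceroute to it works.
 permit icmp any host 203.0.113.1 echo
 permit icmp any host 203.0.113.1 echo-reply
 permit icmp any host 203.0.113.1 unreachable
 permit icmp any host 203.0.113.1 time-exceeded
 ! Anything else destined to the router's outside IP (telnet, SSH, SNMP,
 ! NTP, any other TCP/UDP) is dropped; log so attempts show up in syslog.
 deny   ip any host 203.0.113.1 log
 ! Transit traffic toward the routable space passes; the firewall inside
 ! handles NAT and per-service filtering, as in the thread.
 permit ip any 203.0.113.0 0.0.0.255
 ! Implicit deny covers everything else (e.g. packets for the 1918 net
 ! between router and firewall, which should never arrive from outside).
!
interface GigabitEthernet0/0
 description Internet-facing (placeholder interface name)
 ip access-group OUTSIDE-IN in
```

Because the deny for the router's own address precedes the transit permit, the order matters: swapping those two lines would silently re-expose the router.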
