RE: (PM) pm3 filters

Josh Richards (jrichard@livingston.com)
Sun, 12 Jul 1998 23:27:40 -0700 (PDT)

On 13 Jul 1998, Jon Lewis wrote:

> On Sun, 12 Jul 1998, Thomas C Kinnen wrote:
>
> > On Sun, 12 Jul 1998, Jon Lewis wrote:
> >
> > > Why would you want to permit any source IP? If you're going to the
> > > trouble of making a filter, and you don't have a ridiculous number of CIDR
> > > blocks, then only allow the subset of possibly valid source addresses.
> >
> > You need to do that since anything not allowed is denied.
>
> That's the point. Re-read the above. I suspect at least some of the ISPs
> on the list understood it.
>
> Does anyone else think the net would be a better place if network hardware
> manufacturers had to run small ISPs or freenets? Then they would know
> exactly how their gear works in the "real world" and would be familiar
> with real world issues.

You guys are talking about two different things. Thomas was talking about
general configuration and usage of filters and how filter operation
applies to someone who was not having any luck getting his filters to
work--addressing the original poster. Jon, you're talking about taking
further security provisions. While hopefully in the field both are taken
into VERY close consideration, I don't think we need to argue about this.

I agree that each and every operator of a network backbone can and should
be doing some type of source-based filtering in some sort of way that will
work correctly within their network infrastructure; I'm just not quite
sure what Tom said was meant to be taken quite so deeply. :-)

-jr

----
Josh Richards - <jrichard@livingston.com> - <josh@lucent.com>
[Beta Engineer] - LUCENT Technologies - Remote Access Business Unit
<URL:http://www.livingston.com/> * <URL:http://www.lucent.com/dns/>
