Re: Firewalls in service provider environments
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Tue, 7 Feb 2012 17:59:47 -0500
On Tue, Feb 7, 2012 at 4:42 PM, Leigh Porter
<leigh.porter () ukbroadband com> wrote:
From: Matthew Reath [mailto:matt () mattreath com]
Sent: 07 February 2012 21:34
To: nanog () nanog org
Subject: Firewalls in service provider environments
Looking for some recommendations on firewall placement in service
environments. I'm of the school of thought that in my SP network I do
as little firewalling/packet filtering as possible. As in none,
I had a vendor actually suggest that ALL my customer traffic should traverse a firewall. I asked why and they
said "Ahhh it the internet, must have firewall". I suppose this must have been a great firewall.
'of china'! ha! hahaha.... anyway.
So yes I would agree with you, firewall nothing for your customers unless they are paying you for a specific service.
Filtering known bad ports, well, what's a known bad port? Bad for one person may be quite important for another.
Whilst filtering port 25 outbound may help prevent some bots from emanating spam, it certainly does a lot to annoy
I think for a purely SP network, transit-provider core links sort of
thing, why filter anything at all? why filter anything that's not
destined to your own equipment? You can't possibly know what some
customer (or set of customers) are going to do with their traffic, so
you can't possibly filter it sanely/safely.
for a consumer ISP, provided your TOS says it's ok, why not filter
some common problems:
... not much else really... and REALLY you just want to send tcp/25
-> 587 on your mail-relays (or redirect to internal use addresses on
If customers (in either case) want to pay you for 'security services'
then rock some filters on their CPE, with the option to move that
upstream to your PE if you have to (too much crap on customer link).