nanog mailing list archives
Re: Ingress filtering on transits, peers, and IX ports
From: Baldur Norddahl <baldur.norddahl () gmail com>
Date: Tue, 20 Oct 2020 21:16:43 +0200
Might filtering port 11211 like that not risk blocking random connections, where the operating system picked that port as source, which then becomes destination on the reply packets?

On Tue, 20 Oct 2020 at 07:19, Randy Bush <randy () psg com> wrote:
term blocked-ports {
    from {
        protocol [ tcp udp ];
        first-fragment;
        destination-port
            [ 0 sunrpc 135 netbios-ns netbios-dgm netbios-ssn 111 445
              syslog 11211];
    }
    then {
        sample;
        discard;
    }
}
and i block all external access to weak devices such as switches, pdus,
ipmi, ...
randy
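
The source-port collision asked about in the reply can be checked with a small model. This is an added example, not code from either poster: it treats the quoted term as a stateless match, and the `Packet` type, the function names, the sample packets and the "wide" source-port range are assumptions made for illustration.

```python
from typing import NamedTuple

# Numeric values of the ports named in the quoted term (sunrpc=111,
# netbios-ns/dgm/ssn=137/138/139, syslog=514).
BLOCKED_DST_PORTS = {0, 111, 135, 137, 138, 139, 445, 514, 11211}
BLOCKED_PROTOCOLS = {"tcp", "udp"}

# Ranges a sender may draw its source port from. The Linux and IANA ranges
# are the well-known defaults; "wide" is an assumed range for a host or NAT
# set up to randomise over all unprivileged ports.
EPHEMERAL_RANGES = {
    "linux-default": range(32768, 61000),
    "iana-dynamic": range(49152, 65536),
    "wide (assumed)": range(1024, 65536),
}

class Packet(NamedTuple):
    protocol: str
    src_port: int
    dst_port: int
    fragment_offset: int = 0  # first-fragment is modelled as offset 0 (assumption)

def term_discards(pkt):
    """True if the stateless term matches; direction and flow state are never consulted."""
    return (pkt.protocol in BLOCKED_PROTOCOLS
            and pkt.fragment_offset == 0
            and pkt.dst_port in BLOCKED_DST_PORTS)

def collision_risk(port_range):
    """Blocked ports a client could pick as source, and the chance per flow of picking one."""
    hits = sorted(BLOCKED_DST_PORTS & set(port_range))
    return hits, len(hits) / len(port_range)

# Constructed sample packets arriving on the filtered interface.
SAMPLES = {
    "inbound memcached request": Packet("udp", 40000, 11211),
    "DNS reply to client that chose 11211": Packet("udp", 53, 11211),
    "DNS reply to client that chose 40000": Packet("udp", 53, 40000),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {'discard' if term_discards(pkt) else 'accept'}")
    for name, rng in EPHEMERAL_RANGES.items():
        hits, chance = collision_risk(rng)
        print(f"{name}: colliding ports {hits}, chance per flow {chance:.6f}")
```

With the two default ranges no blocked port can be chosen as a source port; with the assumed wide range only 11211 collides, at one flow in 64512.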
