nanog mailing list archives
Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?
From: Mike Tancsa <mike () sentex net>
Date: Thu, 16 Apr 2009 21:59:52 -0400
At 12:19 AM 4/10/2009, Rubens Kuhl wrote:
On shared media like radio access, every unwanted packet means less performance you will get out of the network. This can be done by NAT, stateful filtering with public IPs or stateless filtering with public IPs; the advantage of doing NAT is making it easier for the end-point software to know that (two ways: noticing your local IP address is from RFC1918 space, or connecting to a server that tells your IP in order to compare it to the local address). As such, GPRS, EDGE, EVDO, HSPA, LTE and Mobile WiMAX services have good reasons to use NAT, and most do.
Speaking of unwanted traffic, I was quite surprised how much unwanted traffic I see on my RFC 1918 space that's given out by one of the Canadian telcos -- i.e. this is behind the giant natting firewalls....
Blocking all inbound traffic and logging to pflog (pcap format). It's full of cruft like this:

0[i7]# tcpdump -nr /var/log/pflog | head -2
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
16:01:09.899554 IP 10.141.184.158.2167 > 10.141.81.113.445: Flags [S], seq 2743613661, win 53760, options [mss 1360,nop,wscale 3,nop,nop,TS[|tcp]>
16:01:10.439516 IP 10.141.184.158.2167 > 10.141.81.113.445: Flags [S], seq 2743613661, win 53760, options [mss 1360,nop,wscale 3,nop,nop,TS[|tcp]>

Looking at the pflogs for the last 3 days of just port 445 and 135 scan traffic, as well as the odd ping packet:

1[i7]# cat pflo* | tcpdump -nr - -w /tmp/scan.pcap port 445 or port 135 or icmp
reading from file -, link-type PFLOG (OpenBSD pflog file)
tcpdump: pcap_loop: bogus savefile header
1[i7]# tcpstat -r /tmp/scan.pcap -a
Bytes/sec = 0.4 B
Bytes/minute = 26.2 B
Bytes/hour = 1.5 KB
Bytes/day = 36.8 KB
Bytes/month = 1.1 MB
0[i7]#

Hmmm... considering some plans start at 1MB per month....

---Mike
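Added example, not part of the original post: one way to total blocked-traffic volume across several rotated pcap savefiles and project it to a month, reading each file separately because every pcap savefile begins with its own 24-byte global header. The function names, the timestamps and the two sample savefiles are constructed for illustration.

```python
import io
import struct

MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap, usec

def read_records(stream):
    """Yield (ts_sec, orig_len) for every record of ONE pcap savefile."""
    header = stream.read(24)
    endian = MAGIC.get(header[:4])
    if len(header) < 24 or endian is None:
        raise ValueError("not a classic pcap savefile")
    snaplen = struct.unpack(endian + "HHiIII", header[4:])[4]
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            return
        ts_sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        if incl_len > snaplen:
            # What a second file's global header looks like when read as records.
            raise ValueError("record longer than snaplen (concatenated files?)")
        stream.read(incl_len)  # skip the captured bytes
        yield ts_sec, orig_len

def estimate(streams, days=30):
    """Return (total_bytes, bytes projected over `days`) across savefiles."""
    total, stamps = 0, []
    for stream in streams:
        for ts_sec, orig_len in read_records(stream):
            total += orig_len
            stamps.append(ts_sec)
    span = max(stamps) - min(stamps) if stamps else 0
    return total, (total * days * 86400 / span if span else None)

def make_savefile(packets, linktype=117):
    """Constructed sample data: little-endian savefile, 117 = LINKTYPE_PFLOG."""
    out = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, linktype)
    for ts_sec, size in packets:
        out += struct.pack("<IIII", ts_sec, 0, size, size) + bytes(size)
    return out

T0 = 1239900000  # constructed timestamps, not taken from the post
FILE_A = make_savefile([(T0, 100), (T0 + 43200, 100)])
FILE_B = make_savefile([(T0 + 86400, 100)])

if __name__ == "__main__":
    print(estimate([io.BytesIO(FILE_A), io.BytesIO(FILE_B)]))
```

The projection uses the on-the-wire length of each record, so it counts what the radio link carried even when the capture was truncated by the snap length.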