nanog mailing list archives

Re: Abuse Desks

From: Stephen Satchell <list () satchell net>
Date: Wed, 29 Apr 2020 10:35:20 -0700

On 4/29/20 9:57 AM, Mike Hammett wrote:

My routers have ACLs, but my servers for the most part do not.

I'm not trying to argue, but...what servers do you have that don't havesysadmin-definable firewalls and tun-able knobs? My edge routers areLinux boxes (CentOS 8 for the one I'm now building). Moreover, I canhave NetworkManager fire off a script that modifies the firewallsettings as interfaces go up and down.

It's kind of counter productive to put ACLs on SMTP, POP3, IMAP, and
HTTP\S ports, now isn't it? SIP, FTP, and SSH may or may not make
sense, depending on the type and volume of users.

I was taught by my networking betters that you need to block certaintypes of public inbound packets, always, that match any of:


1.  WAN packets with local/LAN source address
2.  WAN packets with local/LAN broadcast/net src-dst address
3.  WAN packets with known broadcast/net src-dst address
4.  WAN packets with local/LAN small services
5.  WAN packets with local/LAN unimplemented services
6.  WAN packets with blackholed source address

On EVERY device with a public IP address.  WITHOUT FAIL.

I have these blocks on every single public-facing mail server I build.I have these blocks on every single public-facing Web server I build.Indeed, I can't fathom why I would *not* have these in place for everysingle public-facing device. I don't necessarily log every occurance,but I do drop matching packets on the floor, unceremoniously.

This is the foundation upon which I build custom additions, such asallowing 22/tcp only from specific IP addresses.

I don't depend on the edge router to catch all the cases, because eachserver has specific services it provides. So, for example, my DNSservers not only implement all six basics, but also incorporates requestrate limiting, to avoid participating in DDOS events. Ditto NTPservers. 80/tcp and 443/tcp? Dropped on the floor.

Sorry to preach, but I'm in the process of building a NFTABLE-basedfirewall and this happens to be part of the specs for it.

Current thread:

Re: Abuse Desks, (continued)
- - - Re: Abuse Desks Joe Greco (Apr 29)
    - Re: Abuse Desks Mel Beckman (Apr 29)
    - Re: Abuse Desks Joe Greco (Apr 29)
    - Re: Abuse Desks Stephen Satchell (Apr 29)
    - Re: Abuse Desks Sabri Berisha (Apr 29)
    - Re: Abuse Desks Mel Beckman (Apr 29)
    - Re: Abuse Desks Sabri Berisha (Apr 29)
    - Re: Abuse Desks Mukund Sivaraman (Apr 29)
    - Re: Abuse Desks Stephen Satchell (Apr 29)
    - Re: Abuse Desks Mike Hammett (Apr 29)
    - Re: Abuse Desks Stephen Satchell (Apr 29)
    - Re: Abuse Desks Mike Hammett (Apr 29)
    - Re: Abuse Desks Matt Corallo via NANOG (Apr 29)
    - Re: Abuse Desks Mukund Sivaraman (Apr 29)
    - Re: Abuse Desks Tom Beecher (Apr 29)
    - Re: Abuse Desks Mukund Sivaraman (Apr 29)
    - Re: Abuse Desks Tom Beecher (Apr 29)
    - Re: Abuse Desks Laszlo Hanyecz (Apr 29)
    - Re: Abuse Desks Brian J. Murrell (Apr 29)
    - Re: Abuse Desks Mukund Sivaraman (Apr 29)
  - Re: Abuse Desks Rich Kulawiec (Apr 29)

(Thread continues...)