Re: deny access

[GuidoZ <uberguidoz () gmail com>]

Forgive the double reply - judging from few emails I've received off
list (from both sides of the fence), I've found the best way to
explain things. (Again, this could be applied to a number of
situations, not just this one. In fact, I'll generalize it to show
this point and help others apply it in different scenarios.)

If someone were to ask a question similar to this...

"I'm the network admin for a small LAN at work. I've been having a
problem with 127.0.0.1 and need to block it from the router. I've been
trying to setup an ACL at the gateway to protect the network. I can't
seem to figure out the proper format. Can anyone help?

At this time, it would be good to reply with the exact answer. It's
obvious they know what needs to be done, they are just having trouble
with the how. They also seem to be familiar enough with their setup to
know why to fix it in this fashion. However, for a more general
question like...

"127.0.0.1 is causing problems. How do I fix it?"

In this case, which relates to the current case, there are a few
factors. First, it's obvious they aren't sure how to even begin to
tackle the problem. Just providing the "type this as an ACL" answer is
dangerous. Since they don't even know what they need to do, chances
are they won't know how to begin either. They could mess up some other
important settings trying to figure out how to properly enter the ACL
rule. Second, you know nothing about the background of the network or
situation! For all you know 127.0.0.1 could be an ISP that NEEDS
access, or the actual SysAdmin trying to do their job. We have no
clue. By telling them how to simply block all traffic from this
address, you could be creating further problems worse then the
original. (I'm not saying this is the case in Carlos's scenario, just
pointing out different aspects.) Plus, even if the correct answer IS
to setup the ACL, unless you describe all the steps (logging in,
writing to the rules, proper formatting, rebooting/applying, etc),
once again the unfamiliar user could cause more damage. Worse yet,
they could do it incorrectly and think the problem is solved when it
really isn't.

That was my entire point in this scenario. Judging from the comments
of the user (which is all we have to go on), it seemed like they
hadn't even found a starting point. In the case with Carlos (which I
also sent to him directly off-list), the correct answer in my eyes
would be "You'll probably need to create an ACL if you are sure that
IP# needs to be blocked. First determine where that IP# is coming from
to make sure it's ok to be blocked, then research on the proper format
and ways to create a rule in the ACL to block it." This way, he knows
WHERE to start and WHAT to do. Now he just needs to lookup the HOW to
do it, ensuring there should be less problems when he's sitting at the
console typing away. By forcing him to LEARN how to do a certain
thing, he will not only be prepared the next time around (instead of
going blindly on comments form the list), but it should also lessen
the chances of creating further problems. =) Obviously I also said if
he needs further help, please let me know.

I'm only going by my own experience. I've been providing technical
support on a variety of computer related topics for over a decade; I
have learned the points I made above the hard way. I've "helped" users
in a similar fashion as most people here helped Carlos, only to find
them in a worse situation then before since they didn't know what they
were doing to start with. Again, I never tried to be rude, nor do I
want to be! Helping out is what makes me tick. (I've been praised on
my ability to describe a complex solution in a language new users can
understand.) I sincerely hope this helps to not only explain this
current situation, but keeps someone from making the same mistakes I
have in the past.

Thanks for the previous off-list comments/suggestions/complaints. It
helped me to format this in a much better way. ;). Feel free to keep
them coming.

--
Peace. ~G


On Tue, 30 Nov 2004 11:35:17 -0800, GuidoZ <uberguidoz () gmail com> wrote:
> > Everyone, I want to take this opportunity to apologize for Guido.
> > Carlos, if you still need help, email me off the list, and we'll help
> > get squared away.
>
> I can certainly apologize for myself, when needed. ;) I wasn't trying
> to be rude and not help, if that's what you're thinking. If that's the
> case, then I do apologize. I was merely pointing out the fact that
> sometimes it's better to TEACH a person then to TELL a person. Allow
> me to explain...
>
> I think it somewhat obvious Carlos has next to no expereince with this
> device. This is nothing to be made fun of, as everyone starts
> somewhere and I'm sure there are plenty of things he is quite familiar
> with that I know nothing about. It's a fact of life.
>
> Instead of just flat out answering his question and saying "type this
> here", I believed he would benefit more from reading the manual for
> it, learning how to use Google effectively to solve problems, and find
> out more information in general. Think about it this way: What if he
> has another problem that needs to be addressed immediately, but he has
> no access because his router is down? Wouldn't of having a manual
> (that he downloaded when I mentioned it) be helpful? Wouldn't it be
> nice to be able to find the answer on your own because you learned how
> to properly search on Google with focuses terms?
>
> This isn't a flame by any means. I've always prided myself on helping
> others... it's what makes me tick. Sometimes a little "tough love" is
> what's needed. Judging from the other posts on this list, I figured
> everyone else would also see what I did. I apologize for not
> explaining it fully. To sum it up: "Give a man a fish, he eats for a
> day. Teach a man to fish he eats for a lifetime."
>
> I also offered my help off-list to Carlos. That offer still stands. I
> just felt that it was better to have him try on his own first, then
> ask a question when he gets stumped. (Instead of being completely lost
> and just typing what he's been told. That's no way to learn and it
> could very easily cause problems down the road... like when a BIG
> problem happens and he hasn't a clue where to even turn.)
>
> This applies to anyone, not just this scenario. Everyone should
> realize that. It doesn't matter if your a book learner or a hands on
> learner... either way the key is learning. Fundamental fact. =) If I
> offended anyone, I certainyl apologize. I only hope the reasons for my
> words are better understand, as there will be other occations where
> one should take a step back and thing about just this topic before
> flat out answering a question.
>
> --
> Peace. ~G
>
> On Mon, 29 Nov 2004 22:10:41 -0600, richardw
> <richardw () area52 allserve net> wrote:
> > Everyone, I want to take this opportunity to apologize for Guido.
> > Carlos, if you still need help, email me off the list, and we'll help
> > get squared away.
> >
> > Saludos,
> >
> > Richard
> >
> > GuidoZ wrote:
> > > This is why I said it was better for him to find the answers on his
> > > own, and not just tell him the ACL format. Otherwise it's very likely
> > > that something will get messed up and he won't be able to fix it, or
> > > ask questions online. ;)
> > >
> > > Think about things before you act everyone. There is certainly nothing
> > > wrong with helping out someone in need, although, you must determine
> > > the correct level of help.
> > >
> > > --
> > > Peace. ~G
> > >
> > >
> > > On Thu, 25 Nov 2004 19:40:40 -0700, Carlos Garcia
> > > <carlosg () cabonet net mx> wrote:
> > >
> > > > ok i just write
> > > > access-list 101 deny ip host 216.212.33.185 any is this ok?
> > > > i put too
> > > > access-list 101 deny ip 216.212.33.185 255.255.255.255 any...
> > > > and can somebody tell me how to improve this, i run some servers and i want
> > > > to protec them
> > > > mail, web,dns,proxy's where can i find a list so that it helps me how to
> > > > configure the router to support QoS i need it for VoIP service??? thanks for
> > > > all the help
> > > >
> > > > Atte.
> > > > Carlos A. Garcia G.
> > > > Cabonet Staff
> > > > Tel (624) 14 30120
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Agarwal, Ankur" <Ankur.Agarwal () colt-telecom com>
> > > > To: "'Carlos Garcia'" <carlosg () cabonet net mx>;
> > > > <security-basics () securityfocus com>
> > > > Sent: Thursday, November 25, 2004 7:17 PM
> > > > Subject: RE: deny access
> > > >
> > > >
> > > > > HI
> > > > > Simply create an deny access list to block this IP.
> > > > >
> > > > > Access-list 101 deny ip source ip destination ip
> > > > >
> > > > >
> > > > >
> > > > > Thanks & Regards,
> > > > >
> > > > > ___________________________________________________
> > > > > Ankur Agarwal
> > > > >
> > > > >
> > > > >
> > > > > One Dial : 8-911-7428
> > > > > Tel : +91 124 5157000 (Ext. 2272)
> > > > > *Cell : +91 9810702016
> > > > >
> > > > >
> > > > >
> > > > > COLT India
> > > > > ankur.agarwal () colt-telecom com
> > > > >
> > > > > ___________________________________________________
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Carlos Garcia [mailto:carlosg () cabonet net mx]
> > > > > Sent: 25 November 2004 04:58
> > > > > To: security-basics () securityfocus com
> > > > > Subject: deny access
> > > > >
> > > > >
> > > > > newbie question how can i block this ip 216.212.33.185 i have a cisco 7200
> > > > > this ip is trying to send mail with my server, i did not configure the
> > > > > router so i dont know how to do this any help?
> > > > >
> > > > >
> > > > > Atte.
> > > > > Carlos A. Garcia G.
> > > > > Cabonet Staff
> > > > > Tel (624) 14 30120
> > > > >
> > > > >
> > > > >
> > > > > *************************************************************************************
> > > > > The message is intended for the named addressee only and may not be
> > > > > disclosed to or used by anyone else, nor may it be copied in any way.
> > > > >
> > > > > The contents of this message and its attachments are confidential and may
> > > > > also be subject to legal privilege.  If you are not the named addressee
> > > > > and/or have received this message in error, please advise us by e-mailing
> > > > > security () colt net and delete the message and any attachments without
> > > > > retaining any copies.
> > > > >
> > > > > Internet communications are not secure and COLT does not accept
> > > > > responsibility for this message, its contents nor responsibility for any
> > > > > viruses.
> > > > >
> > > > > No contracts can be created or varied on behalf of COLT
> > > > > Telecommunications, its subsidiaries or affiliates ("COLT") and any other
> > > > > party by email Communications unless expressly agreed in writing with such
> > > > > other party.
> > > > >
> > > > > Please note that incoming emails will be automatically scanned to
> > > > > eliminate potential viruses and unsolicited promotional emails. For more
> > > > > information refer to www.colt.net or contact us on +44(0)20 7390 3900.
> >
> > --
> > ------------------------------------------------------------------------
> >    ____/\___  |                                     | "If you can't beat
> >    ___/__\__) |              richardw               | them, then they're
> >   (__/    \__ | mailto:richardw!area52.allserve.net | not tied down good
> >     /      \  |                                     | enough..."
> > ------------------------------------------------------------------------