nanog mailing list archives

Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?


From: Mike Tancsa <mike () sentex net>
Date: Thu, 16 Apr 2009 21:59:52 -0400

At 12:19 AM 4/10/2009, Rubens Kuhl wrote:
> On shared media like radio access, every unwanted packet means less
> performance you will get out of the network.
> This can be done by NAT,
> stateful filtering with public IPs or stateless filtering with public
> IPs; the advantage of doing NAT is making it easier for the end-point
> software to know that (two ways: noticing your local IP address is
> from RFC1918 space, or connecting to a server that tells your IP in
> order to compare it to the local address).
>
> As such, GPRS, EDGE, EVDO, HSPA, LTE and Mobile WiMAX services have
> good reasons to use NAT, and most do.

Speaking of unwanted traffic, I was quite surprised how much unwanted traffic I see on my RFC 1918 space that's given out by one of the Canadian telcos -- i.e. this is behind the giant NATting firewalls....

Blocking all inbound traffic and logging to pflog (pcap format)

It's full of cruft like this:

0[i7]# tcpdump -nr /var/log/pflog | head -2
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
16:01:09.899554 IP 10.141.184.158.2167 > 10.141.81.113.445: Flags [S], seq 2743613661, win 53760, options [mss 1360,nop,wscale 3,nop,nop,TS[|tcp]>
16:01:10.439516 IP 10.141.184.158.2167 > 10.141.81.113.445: Flags [S], seq 2743613661, win 53760, options [mss 1360,nop,wscale 3,nop,nop,TS[|tcp]>

Looking at the pflogs for the last 3 days for just the port 445 and 135 scan traffic, as well as the odd ping packet:

1[i7]# cat pflo* | tcpdump -nr - -w /tmp/scan.pcap port 445 or port 135 or icmp
reading from file -, link-type PFLOG (OpenBSD pflog file)
tcpdump: pcap_loop: bogus savefile header
1[i7]# tcpstat -r /tmp/scan.pcap -a
Bytes/sec       =      0.4  B
Bytes/minute    =     26.2  B
Bytes/hour      =      1.5 KB
Bytes/day       =     36.8 KB
Bytes/month     =      1.1 MB
0[i7]#

Hmmm... considering some plans start at 1MB per month....

---Mike
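The two client-side NAT checks Rubens describes above (a local address from RFC 1918 space, or a local address that differs from what a remote server reports seeing) as an added Python example; this is not code from the mail or from any of the carriers discussed. It also treats 100.64.0.0/10 (RFC 6598 carrier-grade NAT space) as NAT evidence, since mobile carriers commonly hand that out instead of RFC 1918 addresses. The "observed" address is assumed to come from a what-is-my-IP lookup the caller has already done, and every address used in the checks below is constructed (RFC 5737 documentation ranges for the public ones).

```python
import ipaddress

# Ranges a client can use to recognise that it sits behind a NAT.
# RFC 1918 is the case the mail mentions; 100.64.0.0/10 (RFC 6598, carrier-grade
# NAT) is added here because mobile carriers commonly hand it out instead.
# Membership is tested explicitly rather than via ipaddress.is_private so the
# result does not depend on which Python version's special-registry table is used.
NAT_RANGES = {
    "rfc1918": [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12"),
                ipaddress.ip_network("192.168.0.0/16")],
    "cgnat":   [ipaddress.ip_network("100.64.0.0/10")],
}


def classify(addr):
    """Return 'rfc1918', 'cgnat' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NAT_RANGES.items():
        if any(ip in net for net in nets):
            return label
    return "public"


def nat_status(local_addr, observed_addr=None):
    """Combine both checks from the thread.

    local_addr    - address configured on the client's own interface
    observed_addr - address a remote server reports seeing the client come from
                    (None when no such lookup was performed)

    Returns (behind_nat, reason).  The first check alone misses NATs that hand
    out public-looking addresses, which is why the server comparison exists.
    """
    kind = classify(local_addr)
    if kind != "public":
        return True, "local address %s is in %s space" % (local_addr, kind)
    if observed_addr is None:
        return False, "public local address; no external comparison done"
    if ipaddress.ip_address(observed_addr) != ipaddress.ip_address(local_addr):
        return True, "server saw %s but local address is %s" % (observed_addr, local_addr)
    return False, "public local address matches what the server saw"


if __name__ == "__main__":
    # Constructed inputs: the RFC 1918 address from the mail's capture, a CGNAT
    # address, and RFC 5737 documentation addresses standing in for public ones.
    for local, seen in [("10.141.81.113", None),
                        ("100.64.12.1", None),
                        ("198.51.100.7", "198.51.100.7"),
                        ("198.51.100.7", "203.0.113.9")]:
        print(local, seen, nat_status(local, seen))
```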

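An added example, not from the mail, of pulling the same "port 445 or port 135 or icmp" view out of pflog data while working from tcpdump's text output (tcpdump -nr on one pflog file at a time) rather than from concatenated capture files. Piping cat pflo* into tcpdump puts a second pcap file header in the middle of the stream, which is what tcpdump's "bogus savefile header" complaint means; per-file text output, or merging the files with mergecap, avoids that. The sample lines are constructed (the first two are the ones quoted in the mail, the rest are made up), the line layout assumed is the one shown in the mail, and since packet sizes are not present in that layout the extrapolation is in packets per day rather than the bytes per day tcpstat reports.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of tcpdump -n output.  The first two lines are copied from
# the mail; the remaining ones are made up to exercise the other cases.
SAMPLE_LINES = """\
16:01:09.899554 IP 10.141.184.158.2167 > 10.141.81.113.445: Flags [S], seq 2743613661, win 53760, options [mss 1360,nop,wscale 3,nop,nop,TS[|tcp]>
16:01:10.439516 IP 10.141.184.158.2167 > 10.141.81.113.445: Flags [S], seq 2743613661, win 53760, options [mss 1360,nop,wscale 3,nop,nop,TS[|tcp]>
16:01:12.100000 IP 10.141.184.158.2167 > 10.141.81.113.445: Flags [S], seq 2743613661, win 53760, options [mss 1360,nop,wscale 3,nop,nop,TS[|tcp]>
16:07:41.002310 IP 10.141.9.20.1043 > 10.141.81.113.135: Flags [S], seq 11223344, win 65535, options [mss 1360,nop,nop,sackOK], length 0
16:07:44.002310 IP 10.141.9.20.1044 > 10.141.81.113.135: Flags [S], seq 11223345, win 65535, options [mss 1360,nop,nop,sackOK], length 0
16:20:03.771100 IP 10.141.200.5 > 10.141.81.113: ICMP echo request, id 512, seq 1, length 64
16:31:09.555555 IP 10.141.64.77.3391 > 10.141.81.113.80: Flags [S], seq 99, win 8192, options [mss 1360], length 0
"""

# Layout as printed in the mail: time-of-day, "IP", src.port > dst.port, flags.
# [\d.]+ is greedy, so the backtracking into \.(\d+) splits host from port.
TCP_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+)"
                    r" > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")
ICMP_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)"
                     r" > (?P<dst>[\d.]+): ICMP (?P<kind>[^,]+)")


def parse_line(line):
    """Turn one tcpdump text line into a record, or None for anything else."""
    m = TCP_RE.match(line)
    if m:
        return {"ts": m["ts"], "proto": "tcp", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "flags": m["flags"]}
    m = ICMP_RE.match(line)
    if m:
        return {"ts": m["ts"], "proto": "icmp", "src": m["src"], "dst": m["dst"],
                "dport": None, "flags": m["kind"]}
    return None


def is_noise(rec):
    """The same selection the mail applies: port 445 or port 135 or icmp."""
    return rec["proto"] == "icmp" or rec["dport"] in (445, 135)


def summarize(text):
    """Count matching packets per source and per service, and note the time span."""
    per_src = defaultdict(lambda: defaultdict(int))
    total, first, last = 0, None, None
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_noise(rec):
            continue
        key = "icmp" if rec["proto"] == "icmp" else "tcp/%d" % rec["dport"]
        per_src[rec["src"]][key] += 1
        total += 1
        first = rec["ts"] if first is None else first
        last = rec["ts"]
    return {"total": total, "first": first, "last": last,
            "per_src": {src: dict(counts) for src, counts in per_src.items()}}


def packets_per_day(summary):
    """Extrapolate the matched count to a daily rate from the capture's span.

    tcpdump prints time-of-day only, so this assumes the span lies within one
    day; returns None when there is no usable span."""
    if summary["total"] < 2:
        return None
    fmt = "%H:%M:%S.%f"
    span = (datetime.strptime(summary["last"], fmt)
            - datetime.strptime(summary["first"], fmt)).total_seconds()
    return summary["total"] * 86400 / span if span > 0 else None


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for src, counts in sorted(s["per_src"].items()):
        print(src, counts)
    print("matched packets:", s["total"], "per day:", packets_per_day(s))
```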