Hi Chan,
An ACL provides filtering by IP, TCP and UDP, so the only real
difference between it and a firewall is that you may gain some deep
packet inspection capabilities by using a dedicated firewall. Other
than that, an ACL should provide sufficient firewalling capabilities
on your network edge.
As for your current block list, I would granulate it a bit more by IP
address if you haven't already.
For example, we currently block external SSH to subnets we've
allocated for network equipment but allow it for all customer
addresses. Some of our customers are required to use off-island
support, and they usually ssh in directly.
-------------------------------------------------------
Aloiamoa Anesi, Jr.
Network Operations Engineer
Blue Sky Communications
478 Laufou Shopping Ctr
Pago Pago, American Samoa 96799
--
Ph: +1.684.699.2759 ext 1098
Cell: +1.684.258.1098
VoIP Business Hours: 1098@voip.bluesky.as
On Sep 13, 2007, at 3:11 AM, Chan J Tallon wrote:
Hi All,
There are known ports that we block incoming by default for all
hosts on our networks,
I am wondering if I’m missing any, or if I’m supposed to,
I am typically blocking the following ports by default for all ip
aggregations on inbound ACLs at the border gateway,
We are multihomed to four different ISPs,
tcp
22
telnet
135
137
138
139
445
512
513
514
515
1433
1434
1512
1645
1646
1812
1813
and
udp
22
tftp
rip
135
netbios-dgm
netbios-ns
netbios-ss
snmp
snmptrap
445
512
513
514
1433
1434
1512
1645
1646
1812
1813
Instead of doing this at the border router, Is there something we
can do as a community to setup a generic firewall that sits between
our border gateway and our network to protect our users?
Is there a good cost effective commercial appliance that will do
this for us?
Appreciate any comments,
Regards,
Chan
FSMTC
Chan J Tallon
System Administrator (Data Services)
FSM Telecommunications Corporation
P: 691 320 2740
F: 691 320 2745
C: 691 920 2733
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
_______________________________________________
pacnog mailing list
pacnog@pacnog.org
http://mailman.apnic.net/mailman/listinfo/pacnog
