On 11/08/2021 at 15:15, Ruben ON3RVH via 44Net wrote:
PoPs should not filter or firewall anything except for bogus 44 IP BGP subnets, and that is very easily done.
As long as the "Internet" address range is directly exposed to the wild Internet, as long as end-users are not necessarily aware of that (they used to be behind a NAT router), and as long as some connected devices may not always have all the latest security patches, our gateway firewall does a little bit more:
- All incoming traffic except ICMP is blocked by default. Allowed traffic is defined explicitly (e.g. full access for people who know what they are doing, or opening only the ports needed for the target application; ssh is always closed from "outside" unless specified).
- Basic filtering of "bad" IPs (currently based on Firehol blocklists).
Anyway, this is a personal choice. As we (TK1BI, TK4TO, TK5EP, TK1CX) are the only sysadmins for the whole island, and as we personally know all of our users (and installed their access routers), we found it simpler and easier to manage firewall rules on the central gateway than individually on every endpoint access router. On a country-wide setup this may not be doable anyway, HI :-)
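The gateway policy described in the message above (inbound dropped by default, ICMP allowed, explicit per-host allow rules, ssh closed from outside unless asked for, a blocklist checked first) as a worked nftables ruleset. This is an added example, not the TK sysadmins' actual configuration: the interface names, the 44.x host addresses, the open ports and the blocklist contents are all assumptions, and a real deployment would populate the blocklist set from the Firehol feed rather than from static elements.

```nft
#!/usr/sbin/nft -f
# Added example of a central-gateway firewall for a publicly routed 44.x subnet.
# Interface names, addresses, ports and blocklist entries are constructed
# placeholders (documentation ranges), not anyone's real configuration.

flush ruleset

define WAN = "eth0"     # assumed: towards the Internet
define LAN = "eth1"     # assumed: towards the users' 44.x subnet

table inet gateway {
    # "Bad" source IPs. In production this set is regenerated from a Firehol
    # list; the two prefixes below are RFC 5737 documentation ranges.
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }

    # Users who know what they are doing: all inbound traffic reaches them.
    set full_access {
        type ipv4_addr
        elements = { 44.1.2.10 }     # constructed example host
    }

    # Everyone else: only the ports their application needs.
    # ssh (22) is deliberately absent; it stays closed from outside unless a
    # user explicitly asks for it, in which case it is added here for that host.
    map open_ports {
        type ipv4_addr . inet_service : verdict
        elements = { 44.1.2.20 . 80 : accept,
                     44.1.2.20 . 443 : accept,
                     44.1.2.30 . 14580 : accept }   # constructed examples
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Blocklist first, so a listed source cannot reach any allow rule.
        iifname $WAN ip saddr @blocklist counter drop

        # Replies to connections the users initiated themselves.
        ct state established,related accept
        ct state invalid drop

        # Outbound from the users is unrestricted.
        iifname $LAN oifname $WAN accept

        # Inbound: ICMP allowed by default (ping, traceroute, PMTU discovery).
        iifname $WAN meta l4proto { icmp, ipv6-icmp } accept

        # Inbound: explicit allow rules only.
        iifname $WAN ip daddr @full_access accept
        iifname $WAN ip daddr . tcp dport vmap @open_ports
        iifname $WAN ip daddr . udp dport vmap @open_ports

        # Anything else inbound, ssh included, falls through to policy drop.
        counter
    }
}
```

Two things to check before loading this on a real gateway: the blocklist rule must stay above the `ct state established,related accept` line, otherwise an address that gets listed mid-connection keeps its existing flow alive; and because the policy is `drop` rather than `reject`, a user whose port is missing from `open_ports` will see timeouts, not connection refusals, which is the expected symptom when they ask why a service "does not work from outside".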