On Mon, 16 Aug 2021, pete M via 44Net wrote:
> But Kriss, does a firewall apply to the router or to the client
> connected to the router?
One 's', please.
That is a discussion to have here. In the routing world, it is possible
to use BGP blackholes to drop traffic entirely from known bad actors.
Individual TCP, UDP, and ICMP can be handled through other filtering
means but that doesn't apply to the BGP routers. Certainly Cisco,
Juniper, etc. have mechanisms like ACLs to implement such filtering by
various means. Alternatively, the filtering can be offloaded to the
end-user of the delegated IP space. DDoS filtering should be applied to
the larger whole. However, "the larger whole" means networks that use
the 44.0.0.0/9 & 44.128.0.0/10 routes, not the individually BGP
announced /24s.
> And when I talk about a router I'd mean the real thing, not the client
> end of things like at home, where a device receives one IP and has a
> local network not routable to the internet that needs to NAT all the
> traffic to its clients.
Fundamentally, one has to ask: What is a router? What is a firewall?
That is a divisive line of thinking, where a declaration that someone's
server running an open OS isn't a router or a firewall because it isn't
made by one of ten manufacturers, or that it doesn't have ASIC or FPGA
chips in it performing wire-speed decisions. Does it perform the
required functions? Yes. Does it match your expectations or standards of
what a device performing those functions is? Probably not. Does it get
the job done? Yes. Does the capital cost of the device versus the
operating cost in kWh consumed and BTUs generated make sense in the time
scale of useful deployment? Is it maintainable? Is it secure?
There is DNAT and SNAT as well, and all are tools that can be taken
advantage of. There are remarkably capable devices on the market today
being sold for under $200 which have the ability to perform many of
these tasks, some of them even in hardware.
> How do you firewall anything if you need to route traffic back and
> forth as a real router on the internet?
If you're asking this question, I assume that you are unaware that
people have been building routers out of FreeBSD, OpenBSD, and Linux
appliances for decades now, and taking advantage of filtering and
routing capabilities of those OSes and software routing engines deployed
on them like BIRD, Quagga, and other routing daemons.
> We are trying to fix a layer 3 problem with a layer 4 solution.
I think the statement you're looking for is: fixing a layer 8 problem
with a layer 3/4 technology.
--
Kris Kirby, KE4AHR
Disinformation Architect, Systems Mangler, & Network Mismanager
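The reply above points at the same toolbox twice: blackhole routes and ACL-style filtering at the BGP edge, and filtering plus NAT on an open-OS router. The script below is an added example, not code from the 44Net thread or from any project named in it. It assumes a Linux host with iproute2 and nftables doing the routing; the interface names (WAN, LAN), the RFC 1918 LAN prefix, the DNAT target, and the two TEST-NET "bad actor" prefixes are placeholders constructed for illustration. The local blackhole route drops packets destined to a prefix (the host-level analogue of what an operator announces via RTBH), while the nftables set drops packets sourced from it in the forward path; both are shown because the two mechanisms answer different questions.

```shell
#!/bin/sh
# Added example: a Linux box as the router/firewall the reply describes.
# Assumes iproute2 (ip) and nftables (nft). All names and prefixes below
# are placeholders; nothing here is taken from the thread or from 44Net policy.
WAN="${WAN:-eth0}"                    # assumed upstream interface
LAN="${LAN:-eth1}"                    # assumed inside interface
LAN_NET="${LAN_NET:-10.0.0.0/24}"     # assumed private LAN behind the router
DNAT_TARGET="${DNAT_TARGET:-10.0.0.10}"  # assumed LAN host reachable via DNAT

# Constructed "known bad actor" list (TEST-NET ranges, not real attackers).
BAD_PREFIXES="198.51.100.0/24
203.0.113.0/24"

# valid_cidr PREFIX: accept only dotted-quad/len. Anything that later feeds a
# privileged command (ip, nft) is validated here so a stray string from a
# blocklist cannot become argument or ruleset injection.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# check_prefixes: fail loudly on the first malformed entry in BAD_PREFIXES.
check_prefixes() {
    for p in $BAD_PREFIXES; do
        valid_cidr "$p" || { echo "rejecting malformed prefix: $p" >&2; return 1; }
    done
}

# blackhole_cmds: one iproute2 command per prefix. A blackhole route discards
# packets *to* the prefix, the host-level counterpart of an RTBH announcement.
blackhole_cmds() {
    check_prefixes || return 1
    for p in $BAD_PREFIXES; do
        printf 'ip route replace blackhole %s\n' "$p"
    done
}

# render_ruleset: nftables ruleset that routes LAN<->WAN, drops traffic *from*
# the bad prefixes in the forward path, masquerades (SNAT) outbound traffic,
# and DNATs one inbound port to a LAN host. Default forward policy is drop.
render_ruleset() {
    check_prefixes || return 1
    set_members=$(printf '%s, ' $BAD_PREFIXES | sed 's/, $//')
    cat <<EOF
flush ruleset
table inet filter {
    set bad_actors {
        type ipv4_addr
        flags interval
        elements = { $set_members }
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ip saddr @bad_actors drop
        iifname "$LAN" oifname "$WAN" accept
        iifname "$WAN" oifname "$LAN" ct status dnat accept
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "$WAN" tcp dport 2222 dnat to $DNAT_TARGET:22
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN" ip saddr $LAN_NET masquerade
    }
}
EOF
}

# apply_all: needs root. Enables forwarding, installs the blackhole routes,
# and loads the generated ruleset. Only runs when invoked with --apply.
apply_all() {
    sysctl -w net.ipv4.ip_forward=1
    blackhole_cmds | sh
    render_ruleset | nft -f -
}

case "${1:-}" in
    --apply) apply_all ;;
    --show)  blackhole_cmds; render_ruleset ;;
esac
```

Run with `--show` to review the generated commands and ruleset before touching the box, and `--apply` as root to install them. The forward chain's default-drop policy plus the `established,related` rule is what makes "route traffic back and forth" and "firewall it" compatible on the same host: return traffic for connections the LAN initiated is admitted by conntrack, everything else needs an explicit accept.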