On Mon, 16 Aug 2021, pete M via 44Net wrote:
> But Kriss, does the firewall apply to the router or to the client connected to the router?
One 's', please.
That is a discussion to have here. In the routing world, it is possible to use BGP blackholes to drop traffic entirely from known bad actors. Individual TCP, UDP, and ICMP can be handled through other filtering means but that doesn't apply to the BGP routers. Certainly Cisco, Juniper, etc. have mechanisms like ACLs to implement such filtering by various means. Alternatively, the filtering can be offloaded to the end-user of the delegated IP space. DDoS filtering should be applied to the larger whole. However, "the larger whole" means networks that use the 44.0.0.0/9 & 44.128.0.0/10 routes, not the individually BGP announced /24s.
> And when I talk about a router I'd mean the real thing, not the client end of things like at home where a device receives one IP and has a non-routable-to-the-internet local network that needs to NAT all the traffic to its clients.
Fundamentally, one has to ask: What is a router? What is a firewall? That is a divisive line of thinking, where a declaration that someone's server running an open OS isn't a router or a firewall because it isn't made by one of ten manufacturers, or that it doesn't have ASIC or FPGA chips in it performing wire-speed decisions. Does it perform the required functions? Yes. Does it match your expectations or standards of what a device performing those functions is? Probably not. Does it get the job done? Yes. Does the capital cost of the device versus the operating cost in kWh consumed and BTUs generated make sense in the time scale of useful deployment? Is it maintainable? Is it secure?
There is DNAT and SNAT as well, and all are tools that can be taken advantage of. There are remarkably capable devices on the market today being sold for under $200 which have the ability to perform many of these tasks, some of them even in hardware.
> How do you firewall anything if you need to route traffic back and forth as a real router on the internet?
If you're asking this question, I assume that you are unaware that people have been building routers out of FreeBSD, OpenBSD, and Linux appliances for decades now, and taking advantage of filtering and routing capabilities of those OSes and software routing engines deployed on them like BIRD, Quagga, and other routing daemons.
> We are trying to fix a layer 3 problem with a layer 4 solution.
I think the statement you're looking for is: fixing a layer 8 problem with a layer 3/4 technology.
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager
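As an added illustration of the point made above (a Linux box acting as both router and firewall, filtering the traffic it forwards rather than only the traffic addressed to itself), here is an example script that is not from the thread or from any 44Net project. It generates an nftables ruleset with a named set of dropped prefixes in the forward chain; the interface names, the 44.0.0.0/9 block as the served space, the TCP/179 peering rule and the two "blackhole" prefixes are constructed assumptions for illustration only.

```shell
#!/bin/sh
# Added example: nftables ruleset for a Linux router that also filters transit traffic.
# Interface names, the served prefix and the blackhole prefixes below are assumptions.
set -eu

WAN_IF="${WAN_IF:-eth0}"                 # assumed upstream (BGP-facing) interface
LAN_IF="${LAN_IF:-eth1}"                 # assumed interface toward the delegated space
LOCAL_NET="${LOCAL_NET:-44.0.0.0/9}"     # block this router serves (assumption)

# Constructed list of prefixes to drop, standing in for a real blackhole feed.
BLACKHOLE_PREFIXES="203.0.113.0/24 198.51.100.0/24"

build_ruleset() {
    # Emit the ruleset on stdout so it can be reviewed, diffed, or loaded with nft -f.
    elems=$(printf '%s' "$BLACKHOLE_PREFIXES" | sed 's/ /, /g')
    cat <<EOF
flush ruleset
table inet filter {
    set blackhole {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # BGP session with the upstream, accepted from the WAN side only (assumed)
        iifname "$WAN_IF" tcp dport 179 accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Transit traffic is filtered here, separately from traffic to the router itself.
        ip saddr @blackhole drop
        ip daddr @blackhole drop
        ct state established,related accept
        ct state invalid drop
        # Outbound from the delegated space toward the internet
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LOCAL_NET accept
        # Inbound to the delegated space: only services the end user chose to expose (assumed ports)
        iifname "$WAN_IF" oifname "$LAN_IF" ip daddr $LOCAL_NET tcp dport { 22, 80, 443 } accept
        iifname "$WAN_IF" oifname "$LAN_IF" ip daddr $LOCAL_NET icmp type echo-request limit rate 10/second accept
    }
}
EOF
}

apply_ruleset() {
    # Parse-check with nft -c before committing anything to the kernel.
    build_ruleset > /tmp/router.nft
    nft -c -f /tmp/router.nft && nft -f /tmp/router.nft
}

count_lines_mentioning() {
    # How many lines of the generated ruleset mention the given string (for checks).
    build_ruleset | grep -c -- "$1"
}

# Only load into the kernel when explicitly asked: ./router-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

Running the script with no arguments does nothing beyond defining the functions; `build_ruleset` prints the ruleset for review, and `apply` validates it with `nft -c` before loading. The prefixes in the `blackhole` set are the nftables counterpart of a BGP blackhole for traffic that still has to cross this box, and the policy-drop forward chain is what makes a routing host into a firewall for the space behind it.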